Decrease the $maxDelay variable in /lib/private/Security/Bruteforce/Throttler.php #9864
Comments
I think that this issue may also relate to:
Makes sense 👍
@wiyh12nf89x Do you mind opening a pull request with the change?
Fine by me. 25 seconds for the max is still more than enough to make bruteforce effective :D
There it is: #9875
MorrisJobke added a commit that referenced this issue on Jun 15, 2018:
…ix_maxDelay Fix #9864: Decrease $maxDelay in Throttler.php
backportbot-nextcloud bot pushed a commit that referenced this issue on Feb 15, 2019:
Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
rullzer added a commit that referenced this issue on Feb 15, 2019:
[stable13] Fix #9864: Decrease $maxDelay in Throttler.php
Merged
This issue was closed.
If you have multiple failed login attempts to the Nextcloud Server, the $firstDelay variable in the /lib/private/Security/Bruteforce/Throttler.php file increases up to the $maxDelay variable, which is now 30. This intended delay together with the natural server delay makes the overall delay over 30 seconds. But all the apps I tested are designed to wait less than 30 seconds and then return a timeout error. The logs clearly show that the client gives up (HTTP 499 code in the proxy logs) just a few seconds before the server is ready to answer (HTTP 207 code in the Nextcloud Server logs).
Bypassing the proxy server (direct connection to the Nextcloud Server) doesn't solve the issue.
So, my suggestion is to decrease the $maxDelay variable from 30 to 25 seconds. All the apps I tested worked fine with this value.
Steps to reproduce
Make a fresh install of a Nextcloud Server
Emulate several unsuccessful logins, e. g.:
for ((i=0; i<10; i++)); do curl -u "wronguser:wrongpass" -X PROPFIND "https://example.com/remote.php/webdav" >/dev/null 2>&1 & done
Try to log in with proper credentials with one of the following apps:
Expected behaviour
Successful login and further operation with no timeouts.
Actual behaviour
All of the clients quit with a timeout.
Server configuration
Operating system:
Linux 3.10.0-862.3.2.el7.x86_64 (Docker centos:latest)
Web server:
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 20 2018 18:10:38
Database:
mysqld Ver 5.7.22 for Linux on x86_64 (MySQL Community Server (GPL))
PHP version:
PHP 7.1.18 (cli) (built: May 24 2018 07:59:58) ( NTS )
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.1.18, Copyright (c) 1999-2018, by Zend Technologies
Nextcloud version:
Nextcloud 13.0.4
Updated from an older Nextcloud/ownCloud or fresh install:
Fresh
Where did you install Nextcloud from:
https://github.com/nextcloud/server/archive/v13.0.4.zip
Signing status:
http://example.com/index.php/settings/integrity/failed returned: "No errors have been found."
App list
Nextcloud configuration:
Config report
Are you using external storage, if yes which one:
no
Are you using encryption:
no
Are you using an external user-backend, if yes which one:
no
Client configuration
Browser:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Operating system:
Linux Mint 18.3 Cinnamon 64-bit
Logs
Web server error log
TotalCMD WebDAV "davplug.wfx64" plugin
Proxy Server Log
[14/Jun/2018:12:33:39 +0300] time=0.658 realIP=- IP=5.6.7.8 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=401 size=1075 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:34:10 +0300] time=29.914 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:34:11 +0300] time=0.385 realIP=- IP=5.6.7.8 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=401 size=1075 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:34:41 +0300] time=29.931 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
Nextcloud Server Log
[14/Jun/2018:12:33:33 +0300] time=25789u realIP=5.6.7.8 IP=172.17.0.1 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=401 size=414 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:33:34 +0300] time=30151510u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:34:05 +0300] time=35286u realIP=5.6.7.8 IP=172.17.0.1 user=- [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=401 size=414 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:34:06 +0300] time=30154644u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
An official Nextcloud Client
Proxy Server Log
[14/Jun/2018:12:51:33 +0300] time=1.837 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1631 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:51:34 +0300] time=0.201 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1091 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:02 +0300] time=27.624 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:05 +0300] time=1.443 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1091 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:33 +0300] time=27.320 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:39 +0300] time=2.627 realIP=- IP=5.6.7.8 user=user1 [example.com][GET /status.php HTTP/1.1] code=200 size=1091 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
[14/Jun/2018:12:52:44 +0300] time=4.732 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
Nextcloud Server Log
[14/Jun/2018:12:51:27 +0300] time=26409u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:51:28 +0300] time=17776u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:51:58 +0300] time=1309333u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:51:29 +0300] time=30154114u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.0] code=207 size=377 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:52:30 +0300] time=2438521u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][GET /status.php HTTP/1.0] code=200 size=146 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:52:03 +0300] time=30154960u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.0] code=207 size=377 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
Nextcloud log (data/nextcloud.log)
06-14 12:51:34:791 1627 OCC::AbstractNetworkJob::start: !!! OCC::PropfindJob created for "https://example.com" + "/" "OCC::ConnectionValidator"
06-14 12:51:35:100 1627 OCC::PassiveUpdateNotifier::versionInfoArrived: Client is on latest version!
06-14 12:52:02:225 1627 OCC::AbstractNetworkJob::slotTimeout: virtual void OCC::AbstractNetworkJob::slotTimeout() OCC::PropfindJob(0x1908ee0) Timeout QUrl("https://example.com/remote.php/webdav/")
06-14 12:52:02:225 1627 OCC::AbstractNetworkJob::slotFinished: void OCC::AbstractNetworkJob::slotFinished() QNetworkReply::NetworkError(OperationCanceledError) "Operation canceled" QVariant(Invalid)
06-14 12:52:02:226 1627 OCC::PropfindJob::finished: PROPFIND request *not* successful, http result code is 0 ""
06-14 12:52:02:226 1627 unknown: QIODevice::read (QNetworkReplyHttpImpl): device not open
06-14 12:52:02:226 1627 OCC::AccountState::slotConnectionValidatorResult: AccountState connection status change: "Credentials Wrong" -> "Timeout"
06-14 12:52:02:226 1627 OCC::AccountState::setState: AccountState state change: "Configuration error" -> "Network error"
06-14 12:52:02:227 1627 OCC::AccountSettings::showConnectionLabel: "No connection to Nextcloud at https://example.com.\nOperation canceled"
06-14 12:52:02:227 1627 OCC::FolderMan::slotAccountStateChanged: Account "user1@example.com" disconnected or paused, terminating or descheduling sync folders
06-14 12:52:03:225 1627 OCC::Account::resetNetworkAccessManager: Resetting QNAM
06-14 12:52:03:225 1627 OCC::ConnectionValidator::checkServerAndAuth: Checking server and authentication
06-14 12:52:03:227 1627 OCC::AbstractNetworkJob::start: !!! OCC::CheckServerJob created for "https://example.com" + "status.php" "OCC::ConnectionValidator"
06-14 12:52:05:999 1627 OCC::CheckServerJob::finished: status.php returns: QMap(("edition", QVariant(QString, ""))("installed", QVariant(bool, true))("maintenance", QVariant(bool, false))("needsDbUpgrade", QVariant(bool, false))("productname", QVariant(QString, "Nextcloud"))("version", QVariant(QString, "13.0.4.0"))("versionstring", QVariant(QString, "13.0.4"))) QNetworkReply::NetworkError(NoError) Reply: QNetworkReplyHttpImpl(0x19064a0)
06-14 12:52:05:999 1627 OCC::ConnectionValidator::slotStatusFound: ** Application: ownCloud found: QUrl("https://example.com/status.php") with version "13.0.4" ( "13.0.4.0" )
06-14 12:52:05:999 1627 OCC::ConnectionValidator::setAndCheckServerVersion: QUrl("https://example.com") has server version "13.0.4.0"
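As an added check (not code from the issue or from the Nextcloud project), the script below reads proxy and server log lines in the format quoted above, takes each client's 499 time as the point at which it gave up, and tests whether a throttler cap plus the server's own overhead would still finish before that; it assumes that 30 s of the observed ~30.15 s server time is the $maxDelay cap and that the remainder is ordinary request processing.

```python
import re

# Log lines copied from the issue's proxy and Nextcloud server logs. The proxy's 'time='
# is in seconds; the server's 'time=' carries a 'u' suffix and is in microseconds.
PROXY_LOG = """\
[14/Jun/2018:12:34:10 +0300] time=29.914 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.1] code=499 size=0 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [https] referer="-"
[14/Jun/2018:12:52:02 +0300] time=27.624 realIP=- IP=5.6.7.8 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.1] code=499 size=0 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [https] referer="-"
"""
SERVER_LOG = """\
[14/Jun/2018:12:33:34 +0300] time=30151510u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav HTTP/1.0] code=207 size=9285 agent="ezdavplugin/2.9 TotalCommander/8.5 (Windows/7; en_EN)" [HTTP/1.0][https] referer="-"
[14/Jun/2018:12:52:03 +0300] time=30154960u realIP=5.6.7.8 IP=172.17.0.1 user=user1 [example.com][PROPFIND /remote.php/webdav/ HTTP/1.0] code=207 size=377 agent="Mozilla/5.0 (Linux) mirall/2.3.3 (Nextcloud)" [HTTP/1.0][https] referer="-"
"""

LINE_RE = re.compile(
    r'time=(?P<time>[\d.]+)(?P<unit>u?) .*?code=(?P<code>\d+) .*?agent="(?P<agent>[^"]*)"')

def parse(log):
    """Extract (seconds, status code, user agent) from each log line."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines in another format instead of failing
        secs = float(m['time']) / (1e6 if m['unit'] == 'u' else 1.0)
        rows.append({'time': secs, 'code': int(m['code']), 'agent': m['agent']})
    return rows

def client_patience(proxy_rows):
    """Longest wait per user agent before the proxy logged 499 (client closed the connection)."""
    out = {}
    for r in proxy_rows:
        if r['code'] == 499:
            out[r['agent']] = max(out.get(r['agent'], 0.0), r['time'])
    return out

def server_overhead(server_rows, current_max_delay):
    """Server time beyond the throttler cap on successful (207) answers, per user agent.
    Assumption: the throttler held each of these requests for the full current_max_delay."""
    return {r['agent']: r['time'] - current_max_delay
            for r in server_rows if r['code'] == 207}

def fits(patience, overhead, proposed_max_delay):
    """True per agent if cap + overhead would complete before that client gives up."""
    return {agent: proposed_max_delay + overhead[agent] < patience[agent]
            for agent in patience if agent in overhead}
```

With these log lines, `fits(..., 30.0)` is False for both clients and `fits(..., 25.0)` is True for both, which is the margin the proposed change relies on.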