New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Log failed login attempts #2359
Conversation
a8ac621
to
b159624
Compare
Pull Request Test Coverage Report for Build 3894439824
💛 - Coveralls |
This seems insecure. When we trust x-forwarded-for, we would have to have some sort of list of trusted proxies. Otherwise an attacker could blacklist arbitrary IPs by including them in the x-forwarded-for header, leading to a DoS situation. |
Thanks @tribut , wasn’t aware of that. Can you explain how one might do that (in a way that can’t also be spoofed)? |
Normally, you require a list of trusted proxies as a setting and then the code looks something like this terrible pseudocode (sorry, I'm on mobile rn): ip = remote_addr
if remote_addr in config['trusted_proxies']:
if 'x-forwarded-for' in headers:
ip = headers['x-forwarded-for'] This implies that when trusted proxies are not configured, the header is always ignored. |
Didn't think of this scenario either. You may consider to delegate the problem eg to https://github.com/un33k/django-ipware with trusted proxy IPs. Yet another dependency though. |
My own 2 cents on this is users should use a reverse proxy for integrating security related things like fail2ban or crowdsec. Tools like Traefik already handle access logs and integrate with other tools, while having handled the odd cases like trusted proxies, etc. |
I agree except that at the moment I dont think that works unless you have auth integrated with your RP and are passing that same auth to ngx. Django gives status 200 on failed logins so Im not sure theres an obvious way that those tools would 'know' there was a failed login attempt. Please someone correct me if Im wrong. django-ipware looks like a good solution to me but as evidenced by the above Im not an expert here. In general I'm happy to close this if others are not in favor. |
a872374
to
12d9bda
Compare
Ok I've updated this to use django-ipware which has support for trusted proxies, and a new (optional) setting |
@tribut any other thoughts? |
176b95b
to
72f58d5
Compare
Codecov Report
@@ Coverage Diff @@
## dev #2359 +/- ##
==========================================
+ Coverage 92.53% 92.79% +0.26%
==========================================
Files 145 147 +2
Lines 6306 6361 +55
==========================================
+ Hits 5835 5903 +68
+ Misses 471 458 -13
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
This comment was marked as off-topic.
This comment was marked as off-topic.
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion or issue for related concerns. |
Proposed change
I think from a security standpoint this is a good idea to work with e.g. fail2ban or crowdsec even though reverse proxies might make this a little less critical. I tested this locally / remotely with a RP, e.g.
Fixes #407
Fixes #1456
Type of change
Checklist:
pre-commit
hooks, see documentation.I have made corresponding changes to the documentation as needed.