Brute force login protection / mitigation

[trinode]

In order to protect against brute force attacks of the API / admin front-end, would it be possible to implement some mechanism that after repeated login attempts prevented you from authenticating from that IP address for either configurable period of time, or an exponential time.

For example:
5 failed attempts = 10 mins, 5 more another 10 minute period (which could be configured).
or:
After 3 failed logins, you can't log in for 1 minute, 3 more and it's 5 minutes etc.

Obviously those don't need to be the exact numbers, just something to make unauthorised parties efforts to get in be not worthwhile.

[G07cha]

I wasn't able to find much of existing solutions for Go because it's usually handled on balancer's level, the only package that I've found called defender, it's really small and supports only ban for a fixed time. If we need something more complex, I'd like to work on it.

[deviantony]

Thinking about it, I'm not sure that this should be part of Portainer. You could have a reverse-proxy in front of your Portainer instance that could limite request rate for example... or use another specialized software to do so.

cc @ncresswell

[trinode]

I wouldn't mind how simple it was but knowing that a default install of portainer was a little more secure would be very reassuring.

In my case I'd be concerned about having to run multiple instances of a proxy for this purpose. I'm using swarm and have no need for a proxy as it (swarm) routes all the traffic for me, so this would be extra instance(s) on small VMs only for that purpose.

in the simplest case:

Login request -> failed -> log attempt to db

Login request ->
check count(*) from login_failures where failure_timepoint > now() - 5 minutes ->
if > n don't even check password, deny (show message telling user to wait)
otherwise check_password

(and also delete old login failures to keep things clean)

Basically my reason for selecting portainer was low resource use and simplicity of installation / configuration, requiring a proxy would somewhat negate that

[ncresswell]

Agree. Any enterprise product should have an account lockout function. We should add this. Rgds, Neil Cresswell On 19/10/2017, at 9:26 PM, Anthony Graham <notifications@github.com<mailto:notifications@github.com>> wrote: I wouldn't mind how simple it was but knowing that a default install of portainer was a little more secure would be very reassuring. In my case I'd be concerned about having to run multiple instances of a proxy for this purpose. I'm using swarm and have no need for a proxy as it (swarm) routes all the traffic for me, so this would be extra instance(s) on small VMs only for that purpose. in the simplest case: Login request -> failed -> log attempt to db Login request -> check count(*) from login_failures where failure_timepoint > now() - 5 minutes -> if > n don't even check password, deny (show message telling user to wait) otherwise check_password (and also delete old login failures to keep things clean) Basically my reason for selecting portainer was low resource use and simplicity of installation / configuration, requiring a proxy would somewhat negate that — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_portainer_portainer_issues_1256-23issuecomment-2D337836166&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=9HizqQ8pnw4nt24pLnDeYSVzgNv2nhKbG1t2OWk0Vjw&s=BYeIkyGdOTLEkBcrqOHPh6Eu9ls29pMSHtw1eGpeupQ&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AWGrlTlV-5FHenc92QyCZVdkl2wr9RnDfqks5stweagaJpZM4PqAPM&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=0fx0h4vB56iTLpw2McH1ZD6TqG_QGpbggVOB-PfMJpM&m=9HizqQ8pnw4nt24pLnDeYSVzgNv2nhKbG1t2OWk0Vjw&s=REdszNjnYv5dHSTs6p4IOH9TlDGa3cEMVzuPX2nexHM&e=>.

[G07cha]

Should we start with something basic as @trinode proposed or try to come up with more advanced behavior?

[deviantony]

@G07cha what about starting with a simple implementation using defender?

[G07cha]

@deviantony, sure, just wanted to confirm that

[julio-matarranz]

👍 Any updates please ?

[deviantony]

No ETA on this yet.