feat(security): Add a bruteforce protection backend base on memcache #39870

nickvergessen · 2023-08-14T17:19:58Z

TODO

Add memcache based bruteforce protection backend
Add a commend to read the state
Expose the throttle delay as a custom header
Add a testing mode to allow integration testing
Show admins when they are throttled

Checklist

Code is properly formatted
Sign-off message is added to all commits
Tests (unit, integration, api and/or acceptance) are included
Screenshots before/after for front-end changes
Documentation (manuals or wiki) has been updated or is not required
Backports requested where applicable (ex: critical bugfixes)

config/config.sample.php

lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php

core/Command/Security/BruteforceAttempts.php

+
+		$data = [
+			'allow-listed' => $this->throttler->isIPWhitelisted($ip),
+			'attempts' => $this->throttler->getAttempts(


core/Command/Security/BruteforceAttempts.php

+				$ip,
+				(string) $input->getArgument('action'),
+			),
+			'delay' => $this->throttler->getDelay(


core/Command/Security/BruteforceAttempts.php

icewind1991 · 2023-08-16T09:07:47Z

I've created a similar bruteforce stats command recently: #39580

nickvergessen · 2023-08-17T07:03:26Z

/backport to stable27

apps/settings/lib/Controller/CheckSetupController.php

@@ -920,6 +925,8 @@
 				'cronInfo' => $this->getLastCronInfo(),
 				'cronErrors' => $this->getCronErrors(),
 				'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(),
+				'isBruteforceThrottled' => $this->throttler->getAttempts($this->request->getRemoteAddress()) !== 0,


Similar to the ratelimit backend Signed-off-by: Joas Schilling <[email protected]>

…oesn't sleep Signed-off-by: Joas Schilling <[email protected]>

Signed-off-by: Joas Schilling <[email protected]>

backportbot-nextcloud · 2023-08-22T06:52:07Z

The backport to stable27 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable27
git pull origin stable27

# Create the new backport branch
git checkout -b fix/foo-stable27

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

nickvergessen added 2. developing Work in progress security performance 🚀 labels Aug 14, 2023

nickvergessen added this to the Nextcloud 28 milestone Aug 14, 2023

nickvergessen self-assigned this Aug 14, 2023

nickvergessen marked this pull request as draft August 14, 2023 17:20

solracsf reviewed Aug 14, 2023

View reviewed changes

config/config.sample.php Outdated Show resolved Hide resolved

solracsf reviewed Aug 14, 2023

View reviewed changes

lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php Show resolved Hide resolved

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch from 5f5132f to f583a3c Compare August 14, 2023 17:30

nickvergessen mentioned this pull request Aug 14, 2023

feat(security): Integration tests for bruteforce protection nextcloud/spreed#10190

Merged

6 tasks

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch from 9bf1975 to 8592c48 Compare August 15, 2023 06:28

github-advanced-security bot found potential problems Aug 15, 2023

View reviewed changes

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch 3 times, most recently from 9bae121 to 2a6e4be Compare August 16, 2023 07:21

github-advanced-security bot found potential problems Aug 16, 2023

View reviewed changes

core/Command/Security/BruteforceAttempts.php Fixed Show fixed Hide fixed

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch from 2a6e4be to 0c7bc29 Compare August 16, 2023 10:15

nickvergessen mentioned this pull request Aug 16, 2023

Show current user info nextcloud/bruteforcesettings#483

Merged

1 task

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch from e33b647 to 90bfa01 Compare August 17, 2023 07:01

backportbot-nextcloud bot added the backport-request label Aug 17, 2023

github-advanced-security bot found potential problems Aug 17, 2023

View reviewed changes

apps/settings/lib/Controller/CheckSetupController.php Fixed Show fixed Hide fixed

apps/settings/lib/Controller/CheckSetupController.php Fixed Show fixed Hide fixed

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch 2 times, most recently from 6816c17 to 3d9b2ad Compare August 18, 2023 11:02

nickvergessen added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Aug 18, 2023

nickvergessen marked this pull request as ready for review August 18, 2023 11:03

nickvergessen requested review from icewind1991 and st3iny August 18, 2023 11:04

nickvergessen requested a review from artonge August 18, 2023 11:04

github-advanced-security bot found potential problems Aug 18, 2023

View reviewed changes

st3iny approved these changes Aug 18, 2023

View reviewed changes

nickvergessen added 5 commits August 21, 2023 16:36

feat(security): Add a bruteforce protection backend base on memcache

a95800c

Similar to the ratelimit backend Signed-off-by: Joas Schilling <[email protected]>

feat(security): Add a "testing mode" for bruteforce protection that d…

abc98d3

…oesn't sleep Signed-off-by: Joas Schilling <[email protected]>

feat: Add a header which signals that the request was throttled

2f06f23

Signed-off-by: Joas Schilling <[email protected]>

feat: Expose if the own IP is allowed to bypass bruteforce protection

fd9b2d4

Signed-off-by: Joas Schilling <[email protected]>

feat(OCC): Add a command to get the bruteforce state of an IP

b2fd283

Signed-off-by: Joas Schilling <[email protected]>

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch from 3d9b2ad to 09cba0d Compare August 21, 2023 14:36

nickvergessen requested a review from Altahrim August 21, 2023 14:37

AndyScherzinger approved these changes Aug 21, 2023

View reviewed changes

nickvergessen added 2 commits August 21, 2023 16:40

fix: Make bypass function public API

124588d

Signed-off-by: Joas Schilling <[email protected]>

feat(admin): Show an error when the admin is throttled

bed3ffb

Signed-off-by: Joas Schilling <[email protected]>

nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch from 09cba0d to bed3ffb Compare August 21, 2023 14:40

nickvergessen merged commit 82835ea into master Aug 22, 2023

nickvergessen deleted the perf/noid/memcache-bfp-backend branch August 22, 2023 06:32

nickvergessen mentioned this pull request Aug 22, 2023

add command get get bruteforce stats #39580

Closed

nickvergessen mentioned this pull request Aug 22, 2023

[stable27] feat(security): Add a bruteforce protection backend base on memcache #39997

Merged

nickvergessen removed the backport-request label Dec 1, 2023

SystemKeeper mentioned this pull request Jan 29, 2024

Document 'occ security:bruteforce:attempts' nextcloud/documentation#11477

Merged

joshtrichards mentioned this pull request Feb 12, 2024

High load / memory use with lots of bruteforce attempt entries #43528

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(security): Add a bruteforce protection backend base on memcache #39870

feat(security): Add a bruteforce protection backend base on memcache #39870

nickvergessen commented Aug 14, 2023 •

edited

Loading

icewind1991 commented Aug 16, 2023

nickvergessen commented Aug 17, 2023

backportbot-nextcloud bot commented Aug 22, 2023

feat(security): Add a bruteforce protection backend base on memcache #39870

feat(security): Add a bruteforce protection backend base on memcache #39870

Conversation

nickvergessen commented Aug 14, 2023 • edited Loading

TODO

Checklist

icewind1991 commented Aug 16, 2023

nickvergessen commented Aug 17, 2023

backportbot-nextcloud bot commented Aug 22, 2023

nickvergessen commented Aug 14, 2023 •

edited

Loading