Skip to content

[stable27] feat(security): Add a bruteforce protection backend base on memcache #39997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nickvergessen merged 8 commits into from
Aug 23, 2023
Merged

[stable27] feat(security): Add a bruteforce protection backend base on memcache #39997

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
befa2f6
feat(security): Add a bruteforce protection backend base on memcache
nickvergessen Aug 14, 2023
97548e7
feat(security): Add a "testing mode" for bruteforce protection that d…
nickvergessen Aug 14, 2023
5c07891
feat: Add a header which signals that the request was throttled
nickvergessen Aug 14, 2023
b55359b
feat: Expose if the own IP is allowed to bypass bruteforce protection
nickvergessen Aug 15, 2023
b5dbb4d
feat(OCC): Add a command to get the bruteforce state of an IP
nickvergessen Aug 15, 2023
759fc11
fix: Make bypass function public API
nickvergessen Aug 16, 2023
866a8a2
feat(admin): Show an error when the admin is throttled
nickvergessen Aug 17, 2023
26832ec
fix(middleware): Fix header injection for bruteforce middleware
nickvergessen Aug 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feat(security): Add a "testing mode" for bruteforce protection that d… 
…oesn't sleep

Signed-off-by: Joas Schilling <[email protected]>
  • Loading branch information
@nickvergessen
nickvergessen committed Aug 23, 2023
commit 97548e789fd09685d79ad4bf28c59d7067ca55b4
13 changes: 13 additions & 0 deletions config/config.sample.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -352,6 +352,19 @@
*/
'auth.bruteforce.protection.enabled' => true,

/**
* Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
*
* In testing mode bruteforce attempts are still recorded, but the requests do
* not sleep/wait for the specified time. They will still abort with
* "429 Too Many Requests" when the maximum delay is reached.
* Enabling this is discouraged for security reasons
* and should only be done for debugging and on CI when running tests.
*
* Defaults to ``false``
*/
'auth.bruteforce.protection.testing' => false,

/**
* Whether the rate limit protection shipped with Nextcloud should be enabled or not.
*
Expand Down
8 changes: 6 additions & 2 deletions lib/private/Security/Bruteforce/Throttler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,9 @@ public function resetDelayForIP(string $ip): void {
*/
public function sleepDelay(string $ip, string $action = ''): int {
$delay = $this->getDelay($ip, $action);
usleep($delay * 1000);
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
usleep($delay * 1000);
}
return $delay;
}

Expand All @@ -304,7 +306,9 @@ public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int {
'delay' => $delay,
]);
}
usleep($delay * 1000);
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
usleep($delay * 1000);
}
return $delay;
}
}