Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limit Number of Failed Login Attempts #2737

Closed
richardwlu opened this issue Apr 1, 2016 · 45 comments · Fixed by #17783
Closed

Limit Number of Failed Login Attempts #2737

richardwlu opened this issue Apr 1, 2016 · 45 comments · Fixed by #17783
Labels
sponsored subj: security Tasked Added to the internal issue tracking
Milestone

Comments

@richardwlu
Copy link

Your Rocket.Chat version: 0.24

Is there a way to limit the number of failed login attempts for a user account? How much security can be put into place from this end?

This should be helpful for those of us who run an instance that is available on the public internet.

@engelgabriel
Copy link
Member

I believe there is already. 5 per second, but we can change it.

@engelgabriel engelgabriel modified the milestones: Important, 0.26.0 Apr 1, 2016
@richardwlu
Copy link
Author

That sounds good. Is there a way to also block based on IP?

@richardwlu
Copy link
Author

I forgot to mention, does it still apply for LDAP users?

@engelgabriel
Copy link
Member

Applies to all method calls, so it still apply for LDAP users.

@richardwlu
Copy link
Author

And if there is a way to set how many attempts for how long til we lock it and possibly get a notification, that would be ideal.

@pa-de-solminihac
Copy link

👍

I intended to secure it with fail2ban but I did not find where these failed login attempts are logged. I am using https://github.com/RocketChat/Deploy.to.Cloud/tree/master/GenericLinux to deploy, with this docker-compose.yml:

db:
  image: mongo
  volumes:
    - ./data/runtime/db:/data/db
    - ./data/dump:/dump
  command: mongod --smallfiles
web:
  image: rocketchat/rocket.chat
  environment:
    - MONGO_URL=mongodb://db:27017/meteor
    - ROOT_URL=https://rocket.domain.com
    - MAIL_URL=smtp://user@domain.com:password@smtp.example.com:465
  links:
    - db:db
  volumes:
    - logs:/home/app/logs
  expose:
    - "3000"
  ports:
    - "3000:3000"

Anyway, 5 per second is a much too high limit for my needs (and it does not seem to work, maybe I missed something?).

@ghost
Copy link

ghost commented Jul 11, 2016

Hi I am also trying to reduce the chances of brute forcing our LDAP via Rocket Chat. Fail2Ban is useless until there is error reporting in the nginx log I cannot act upon the brute forcing.

Interestingly the api/login route will provide a 401 (HTTP/1.1 401 Unauthorized) response back and into the access log in nginx but normal users are not coming in via API calls.

Can you provide some timescales to add the standard user login fail 401 error output back to nginx? That would sort this problem out allowing me to use fail2ban.

p.s. fail2ban has worked to block /api/logon brute forcing :-)
Thanks for your help.

Mark

@engelgabriel
Copy link
Member

@mdearlove I am not sure how we would be able to do that. All the logins are done via a single open web-socket connection, so there is not 401. Maybe the only way would be to redirect the browser to a route that returns 401 so NGINX and pick that up. @rodrigok what do you think?

@rodrigok
Copy link
Member

@engelgabriel If the DDOS is scripted, redirect to another route probably will not work. Since the login requires a WebSocket connection, normal tools for DDOS does not work, so it's harder to do that on Rocket.Chat.

We can add the ability to ban IPs based on loggin or connection attempts.

@engelgabriel
Copy link
Member

@rodrigok one alternative is to get Rocket.Chat it self to record on the logs the failed login attempt, so @mdearlove can configure fail2ban to monitor our logs too and this would make it work. Makes sense?

@ghost
Copy link

ghost commented Jul 12, 2016

@rodrigok @engelgabriel I believe that would be do-able from a fail2ban pov as it uses a regex to spot the machine behaviour to identify the issue. The log entry would also need to identify the source IP of the request so that fail2ban can take action.

@engelgabriel
Copy link
Member

@rodrigogs wan we log failed login attempts with the IP? This would be very useful for everyone.

@ghost
Copy link

ghost commented Aug 11, 2016

@rodrigok @engelgabriel Hi guys Ive been away sunny my ar$e for several weeks :-). Have you made any progress on this issue? Thanks in advance.

@pa-de-solminihac
Copy link

@engelgabriel i'm afraid you notified @rodrigogs instead of @rodrigok

BTW, I believe this is still a much needed improvement for security

@mddvul22
Copy link

I agree with pa-de-solminihac that 5 per second is way too high. But regardless, @pa-de-solminihac you suggested earlier on this ticket that the block didn't seem to work. Is that still the case?

@juniorsemacento
Copy link

@engelgabriel @rodrigok would be great to have this feature enabled... so we can monitor the logs and use fail2ban.. any idea if it will be available any time soon? Thanks

@dmeier86
Copy link

+1
Push

@Marx1st
Copy link

Marx1st commented Jul 10, 2017

+1
Push

@mrsimpson
Copy link
Collaborator

+1

@Adirio
Copy link

Adirio commented Sep 1, 2017

Is the 5-attempts-per-second rule still aplying? If so, is it configurable? Gitlab, for example, offers a limit and period variables to be set, defaulting to 6 attempts per minute (source).

@ruKurz
Copy link
Contributor

ruKurz commented Feb 23, 2018

+1

1 similar comment
@secopsbot
Copy link

+1

@privacyintchat
Copy link

i would love some simple access-log like apache is creating, so fail2ban can be activated +1

@zzeesstt
Copy link

+1

@isdneuroimaging
Copy link

@engelgabriel This security-related issue is rather old. Is there a change implemented already? Still 5 per second limit for login attempts? 5 per minute would sound more reasonable to me!

@isdneuroimaging
Copy link

@engelgabriel @rodrigok Any update on this critical security issue? Thanks!

@akerkau
Copy link

akerkau commented Sep 27, 2018

+1 for enabling rocket.chat itself to record the failed login attempt on the logs, so I can configure fail2ban to monitor application logs

@mannp
Copy link

mannp commented Oct 14, 2018

+1 here too please.

@isdneuroimaging
Copy link

@engelgabriel @rodrigok I dont' understand why there is no comment regarding such a critical security issue? Many thanks!

@stardude900
Copy link

+1

@isdneuroimaging
Copy link

@engelgabriel @rodrigok Why no response?

@ruKurz
Copy link
Contributor

ruKurz commented Nov 22, 2018

Would be great to see a comment/solution for this issue.

@horstepipe
Copy link

horstepipe commented Jan 24, 2019

can anyone guide through a fail2ban implementation?

@dpunkturban
Copy link

a fail2ban implementation would be nice :)

@ruKurz
Copy link
Contributor

ruKurz commented May 23, 2019

What I do like about Issue #6152 is the title. It states out the actual motivation "protection against brute force attacks" in the foreground.

What I like about #13387 is the proximity to a task that is easy to implement and independent of third party solutions such as fail2ban.

@Tom5421
Copy link

Tom5421 commented Oct 11, 2019

+1

Really need this simple security feature.

@m-roshani
Copy link

+1

2 similar comments
@wellington1993
Copy link

+1

@ulit3
Copy link

ulit3 commented Oct 18, 2019

+1

@ankar84
Copy link

ankar84 commented Oct 31, 2019

@engelgabriel @rodrigok any updates about that security issue?

@arunoruto
Copy link

+1

@Tulkas59
Copy link

I really need this feature too. Just a log line with attacker's IP and fail2ban will do the rest :-)

@ruKurz
Copy link
Contributor

ruKurz commented Mar 22, 2020

IMHO limit failed login should be featured by the application itself.

I think logging failed logins would be a first step in the right direction (#13387). One could then install fail2ban to block sources from which attacks are made. But this issue here (#2737) aims to limit the number of failed logins. And this is what you really want: Block user accounts that are the target of an attack.

Besides the fact that Fail2Ban must be installed as a system component and is therefore not part of the application, login attempts per user should be stored in the database. This allows the locking of user accounts after a certain number of failed login attempts.

And then it would be very easy for any operator of Rocket.Chat (without installing additional log analysis tools) to take effective measures against brute force attacks.

EDIT: As discussed in issue #6152, better to lock of users is to delay the time until the next login attempt after several consecutive incorrect password entries. For example, if you make 5 failed attempts, your iPhone will lock for 1 minute, 6 attempts will lock it for 5 minutes, 7 will lock it for 15, and anything more than that will lock it for 1 hour.

@Tulkas59
Copy link

Thank you for mentioning issue #13387 !

Of course it would be better if it was featured by the application itself. I wanted to emphasize the fact that the log-based solution is quite easy to implement :-)

@zzeesstt
Copy link

+1 push

@rsjr rsjr added the sponsored label May 8, 2020
@rsjr rsjr added the Tasked Added to the internal issue tracking label Jun 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
sponsored subj: security Tasked Added to the internal issue tracking
Projects
None yet
Development

Successfully merging a pull request may close this issue.