View Issue Details

ID: 0002850
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2017-01-09 20:49
Reporter: Christian Mack
Assigned To: ludovic
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
OS: CentOS
OS Version: 5.6
Product Version: 2.2.4
Target Version: 2.3.7
Fixed in Version: 3.2.5
Summary: 0002850: Regression: Blocking after too many failed login attempts does not work anymore
Description

In order to enhance security by preventing brute force password checks, we have set the maximum allowed number of consecutive wrong tries to a low value.
This has worked well.
But at least since SOGo version 2.2.4 this seems to no longer work!

Steps To Reproduce

1) set the following values in /etc/sogo/sogo.conf:
SOGoCacheCleanupInterval = 900;
SOGoMaximumFailedLoginCount = 1;
SOGoMaximumFailedLoginInterval = 120;
SOGoFailedLoginBlockInterval = 300;
2) restart sogod
3) restart memcached
4) Try to log in as user1 with a wrong password.
5) Try to log in as user1 with a wrong password within 2 minutes.
6) Within 5 minutes, try to log in as user1.
=> You should now get an error popup saying that you are currently blocked.
But this does not happen anymore.

Additional Information

I have tested this with 2.2.4, 2.2.5 and the nightlies on CentOS 5.

No changes in configuration since it worked.

Tags: No tags attached.

Activities

ludovic (administrator), 2014-07-16 18:26, note ~0007331

It's actually AFTER the 5th minute you'll be blocked.

Say I use:

SOGoMaximumFailedLoginCount = 2;
SOGoMaximumFailedLoginInterval = 10;

I do a failed attempt at second 0. One more at second 1 and one more at second 2.

The fail count will be 3. But we check this:

  if ([[failedCount objectForKey: @"FailedCount"] intValue] >= [dd maximumFailedLoginCount] &&
      delta >= [dd maximumFailedLoginInterval] &&
      delta <= block_time )

delta would be equal to 2 ( current_time - start_time );

If I try at second 12, I'll get blocked because delta >= 12 and the fail count > 2.

This hasn't changed since June 6th 2013 - so more than a year ago.

Christian Mack (developer), 2014-07-17 13:57, note ~0007332

Hmmm..., my preceding tests were not accurate then.

In my opinion it should block immediately after surpassing the maximumFailedLoginCount within the maximumFailedLoginInterval.

Else you could use the maximumFailedLoginInterval for unlimited password brute force cracking attempts.
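To make the two behaviours concrete, here is an added Python model of the throttle. It is example code written for this page, not SOGo's own Objective-C (which lives in SoObjects/SOGo/SOGoUserManager.m and SOGoCache.m). It reproduces the pre-fix condition quoted in note ~0007331 (count reached AND the interval already elapsed) side by side with the behaviour note ~0007332 asks for (block as soon as the count is reached inside the interval), and runs both against the values from the reporter's sogo.conf and from ludovic's note. Assumptions not stated on the page: the block interval is measured from the first failure of the window, a dict stands in for memcached, times are integer seconds, and the attempt schedules are constructed for the demonstration.

```python
"""Model of a failed-login throttle, added to compare the pre-fix check
quoted in note ~0007331 with the expected behaviour from note ~0007332.
Not SOGo code: a dict replaces memcached, the block interval is counted
from the first failure of the window (assumption), times are in seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FailedCount:
    count: int   # "FailedCount" in the snippet quoted on the page
    start: int   # "InitialDate": time of the first failure in the window


class LoginThrottle:
    def __init__(self, max_count: int, max_interval: int, block_interval: int,
                 block_within_interval: bool) -> None:
        self.max_count = max_count            # SOGoMaximumFailedLoginCount
        self.max_interval = max_interval      # SOGoMaximumFailedLoginInterval
        self.block_interval = block_interval  # SOGoFailedLoginBlockInterval
        # False: pre-fix gate, delta must also be >= max_interval.
        # True: block as soon as the count is reached inside the interval.
        self.block_within_interval = block_within_interval
        self.cache: Dict[str, FailedCount] = {}   # stands in for memcached

    def is_blocked(self, login: str, now: int) -> bool:
        entry = self.cache.get(login)
        if entry is None:
            return False
        delta = now - entry.start
        if delta > self.block_interval:
            # Outside the block window: forget the old failures.
            del self.cache[login]
            return False
        if entry.count < self.max_count:
            return False
        if self.block_within_interval:
            return True
        # Pre-fix condition from the page: count reached AND interval elapsed.
        return delta >= self.max_interval

    def record_failure(self, login: str, now: int) -> None:
        entry = self.cache.get(login)
        if entry is None or (entry.count < self.max_count
                             and now - entry.start > self.max_interval):
            # First failure, or the earlier ones are too old to count together.
            self.cache[login] = FailedCount(count=1, start=now)
        else:
            entry.count += 1

    def attempt(self, login: str, now: int, password_ok: bool) -> str:
        """Return 'blocked', 'ok' or 'failed'. Only the last two reached the
        password check, i.e. gave the caller an answer about the password."""
        if self.is_blocked(login, now):
            return "blocked"
        if password_ok:
            self.cache.pop(login, None)
            return "ok"
        self.record_failure(login, now)
        return "failed"


def run(throttle: LoginThrottle, schedule: List[Tuple[int, bool]]) -> List[str]:
    """schedule: constructed list of (time, password_ok) attempts for user1."""
    return [throttle.attempt("user1", t, ok) for t, ok in schedule]


def oracle_answers(results: List[str]) -> int:
    """Number of attempts that were actually checked against the password."""
    return sum(1 for r in results if r != "blocked")


if __name__ == "__main__":
    # ludovic's values (count 2, interval 10); block interval 300 is assumed.
    ludovic_schedule = [(0, False), (1, False), (2, False), (5, False), (12, False)]
    # Reporter's values from sogo.conf: count 1, interval 120, block 300.
    reporter_schedule = [(0, False), (60, False), (180, True), (400, True)]
    # Ten wrong passwords inside one 10-second interval.
    brute = [(t, False) for t in range(10)]
    for strict in (False, True):
        label = "block within interval" if strict else "pre-fix gate"
        print(label, run(LoginThrottle(2, 10, 300, strict), ludovic_schedule))
        print(label, run(LoginThrottle(1, 120, 300, strict), reporter_schedule))
        print(label, "password checks in 10 s:",
              oracle_answers(run(LoginThrottle(2, 10, 300, strict), brute)))
```

The last scenario is the point of note ~0007332: with the pre-fix gate every one of the ten attempts inside the interval is checked against the real password, so an attacker who keeps each burst shorter than SOGoMaximumFailedLoginInterval is never throttled; with the count-within-interval rule only the first two attempts reach the password check.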

Christian Mack (developer), 2016-08-03 15:46, note ~0010563

Any news?

Related Changesets

sogo: master f0085ef4 (2016-12-14 21:20, ludovic)
(fix) correctly block if fail count is within interval (fixes 0002850)
Affected Issues: 0002850
mod - SoObjects/SOGo/SOGoCache.m
mod - SoObjects/SOGo/SOGoUserManager.m

sogo: v2 b0c355a3 (2016-12-14 21:20, ludovic)
(fix) correctly block if fail count is within interval (fixes 0002850)
Affected Issues: 0002850
mod - SoObjects/SOGo/SOGoCache.m
mod - SoObjects/SOGo/SOGoUserManager.m

sogo: maint 60819d82 (2016-12-14 21:20, ludovic; committer: francis)
(fix) correctly block if fail count is within interval (fixes 0002850)
Affected Issues: 0002850
mod - SoObjects/SOGo/SOGoCache.m
mod - SoObjects/SOGo/SOGoUserManager.m

Issue History

Date Modified Username Field Change
2014-07-10 08:38 Christian Mack New Issue
2014-07-12 11:51 ludovic Target Version => 2.2.7
2014-07-16 18:26 ludovic Note Added: 0007331
2014-07-17 13:57 Christian Mack Note Added: 0007332
2015-03-18 17:46 ludovic Target Version 2.2.7 => 2.2.17
2015-03-24 18:25 francis Target Version 2.2.17 => 2.3.0
2015-05-12 19:51 ludovic Target Version 2.3.0 => 2.3.1
2015-07-23 17:44 ludovic Target Version 2.3.1 => 2.3.2
2015-09-16 19:20 ludovic Target Version 2.3.2 => 2.3.3
2015-11-11 14:23 ludovic Target Version 2.3.3 => 2.3.4
2015-12-16 16:08 ludovic Target Version 2.3.4 => 2.3.5
2016-01-07 14:56 ludovic Target Version 2.3.5 => 2.3.6
2016-01-18 18:20 ludovic Target Version 2.3.6 => 2.3.7
2016-08-03 15:46 Christian Mack Note Added: 0010563
2016-12-15 02:21 ludovic Changeset attached => sogo master f0085ef4
2016-12-15 02:21 ludovic Assigned To => ludovic
2016-12-15 02:21 ludovic Resolution open => fixed
2016-12-15 02:21 ludovic Changeset attached => sogo v2 b0c355a3
2016-12-15 13:31 ludovic Status new => resolved
2016-12-15 13:31 ludovic Fixed in Version => 3.2.5
2017-01-09 20:49 francis Changeset attached => sogo maint 60819d82