feat(security): Add a bruteforce protection backend based on memcache #39870

Merged: 7 commits, Aug 22, 2023

@nickvergessen (Member) commented Aug 14, 2023

TODO

  • Add memcache based bruteforce protection backend
  • Add a command to read the state
  • Expose the throttle delay as a custom header
  • Add a testing mode to allow integration testing
  • Show admins when they are throttled
    [Screenshot from 2023-08-17 08-56-15]

Checklist

@nickvergessen added this to the Nextcloud 28 milestone Aug 14, 2023
@nickvergessen self-assigned this Aug 14, 2023
@nickvergessen marked this pull request as draft August 14, 2023 17:20
config/config.sample.php (outdated, resolved)
core/Command/Security/BruteforceAttempts.php (fixed)

$data = [
'allow-listed' => $this->throttler->isIPWhitelisted($ip),
'attempts' => $this->throttler->getAttempts(

Check notice (Code scanning / Psalm), DeprecatedMethod: The method OCP\Security\Bruteforce\IThrottler::getAttempts has been marked as deprecated
$ip,
(string) $input->getArgument('action'),
),
'delay' => $this->throttler->getDelay(

Check notice (Code scanning / Psalm), DeprecatedMethod: The method OCP\Security\Bruteforce\IThrottler::getDelay has been marked as deprecated
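
Review bot: the `'attempts'` and `'delay'` entries add new callers of `IThrottler::getAttempts` and `IThrottler::getDelay`, both of which Psalm reports as deprecated on the public interface. Either switch to the non-deprecated replacement, or, if this command is meant to read internal throttler state, depend on the concrete implementation and say so in a comment so the notices are not simply left open. Separately, `(string) $input->getArgument('action')` turns a missing argument into an empty string; if the argument is optional, document what an empty action means for the reported count, otherwise mark the argument as required.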
@nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch 3 times, most recently from 9bae121 to 2a6e4be, August 16, 2023 07:21
@icewind1991 (Member)

I've created a similar bruteforce stats command recently: #39580

@nickvergessen (Member, Author)

/backport to stable27

@nickvergessen force-pushed the perf/noid/memcache-bfp-backend branch 2 times, most recently from 6816c17 to 3d9b2ad, August 18, 2023 11:02
@nickvergessen added the "3. to review" (Waiting for reviews) label and removed the "2. developing" (Work in progress) label Aug 18, 2023
@nickvergessen marked this pull request as ready for review August 18, 2023 11:03
@@ -920,6 +925,8 @@
'cronInfo' => $this->getLastCronInfo(),
'cronErrors' => $this->getCronErrors(),
'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(),
'isBruteforceThrottled' => $this->throttler->getAttempts($this->request->getRemoteAddress()) !== 0,

Check notice (Code scanning / Psalm), DeprecatedMethod: The method OCP\Security\Bruteforce\IThrottler::getAttempts has been marked as deprecated
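
Review bot: `'isBruteforceThrottled'` relies on `getAttempts(...) !== 0`, a strict comparison against integer zero, so a backend that returns a numeric string or a float for "no attempts" would make this flag permanently true for every admin. Cast the result to int or compare with `> 0`. The line is also a new use of the deprecated `IThrottler::getAttempts`, and it passes only the remote address without an action, so a one-line comment stating that the flag is meant to cover attempts for any action would help the next reader.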
@nickvergessen merged commit 82835ea into master Aug 22, 2023
38 checks passed
@nickvergessen deleted the perf/noid/memcache-bfp-backend branch August 22, 2023 06:32
@backportbot-nextcloud

The backport to stable27 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable27
git pull origin stable27

# Create the new backport branch
git checkout -b fix/foo-stable27

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport
