Server-tools: auth_brute_force doesn't consider xmlrpc/jsonrpc login attempts

Created on 10 Jan 2018  ·  3 Comments  ·  Source: OCA/server-tools

It's possible to circumvent auth_brute_force security by trying logins via xmlrpc/jsonrpc. Login attempts made this way are not checked by the module and do not count towards the failed-attempt limit that triggers the ban.

I would argue that the jsonrpc interface is the preferred one for brute-forcing tools, so IMO this limitation is non-negligible.

bug
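To make the gap concrete, here is an added stand-alone model (not code from auth_brute_force or from the linked PR) of why a counter that lives in the web login controller misses RPC logins. In Odoo, both the `/web/login` form and the XML-RPC / JSON-RPC `common.login` call end in the same `res.users` credential check, but only the form passes through the web controller. The model has two enforcement layouts, `"controller"` (the reported behaviour) and `"shared"` (counting at the common credential check), runs a constructed wordlist through each route, and reports whether the attacker gets banned or recovers the password. The threshold, credential store, wordlist and IP address are all assumptions for the example; `jsonrpc_login_payload` builds the request body a brute-forcer would post to Odoo's `/jsonrpc` endpoint.

```python
"""Model of controller-level vs shared-check brute-force enforcement.

Constructed example, not the auth_brute_force module's own code.
"""
import json
from collections import defaultdict

MAX_FAILURES = 3                                    # assumed threshold for this model
USERS = {"admin": "correct horse battery staple"}   # constructed credential store
WORDLIST = ["password", "123456", "admin", "letmein",
            "correct horse battery staple"]         # constructed attacker wordlist


class AccessDenied(Exception):
    """Wrong login/password (the error Odoo's credential check raises)."""


class Banned(Exception):
    """Source address exceeded MAX_FAILURES."""


class LoginService:
    """Two routes, web_login and rpc_login, converge on check_credentials.

    enforce_at="controller": counting and banning live in the web route only
    (the gap reported in this issue).  enforce_at="shared": they live in the
    common credential check, so every route is covered.
    """

    def __init__(self, enforce_at):
        assert enforce_at in ("controller", "shared")
        self.enforce_at = enforce_at
        self.failures = defaultdict(int)   # remote ip -> failed attempts
        self.banned = set()

    def _guard(self, ip):
        if ip in self.banned:
            raise Banned(ip)

    def _record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.banned.add(ip)

    def check_credentials(self, ip, login, password):
        """Shared check: the choke point every login route passes through."""
        if self.enforce_at == "shared":
            self._guard(ip)
        if USERS.get(login) != password:
            if self.enforce_at == "shared":
                self._record_failure(ip)
            raise AccessDenied()
        return True

    def web_login(self, ip, login, password):
        """Route 1: the /web/login form."""
        if self.enforce_at == "controller":
            self._guard(ip)
        try:
            return self.check_credentials(ip, login, password)
        except AccessDenied:
            if self.enforce_at == "controller":
                self._record_failure(ip)
            raise

    def rpc_login(self, ip, login, password):
        """Route 2: XML-RPC / JSON-RPC common.login; never touches the web controller."""
        return self.check_credentials(ip, login, password)


def brute_force(service, route, ip, login, candidates):
    """Run a wordlist through one route; return (attempts, got_banned, password_found)."""
    attempts = 0
    for pw in candidates:
        attempts += 1
        try:
            if getattr(service, route)(ip, login, pw):
                return attempts, False, pw
        except AccessDenied:
            continue
        except Banned:
            return attempts, True, None
    return attempts, False, None


def compare_routes():
    """Attack each route under each enforcement layout; return the outcomes."""
    results = {}
    for enforce_at in ("controller", "shared"):
        for route in ("web_login", "rpc_login"):
            svc = LoginService(enforce_at)
            results[(enforce_at, route)] = brute_force(
                svc, route, "203.0.113.7", "admin", WORDLIST)  # constructed IP
    return results


def jsonrpc_login_payload(db, login, password, req_id=1):
    """Body a brute-forcer POSTs to Odoo's /jsonrpc endpoint to call common.login."""
    return json.dumps({
        "jsonrpc": "2.0", "method": "call", "id": req_id,
        "params": {"service": "common", "method": "login",
                   "args": [db, login, password]},
    })


if __name__ == "__main__":
    for (enforce_at, route), (attempts, banned, found) in compare_routes().items():
        print(f"{enforce_at:>10} enforcement, {route:<9}: "
              f"{attempts} attempts, banned={banned}, password found={found!r}")
```

With the controller layout, the web form bans the source after three failures while the RPC route hands over the password on the fifth try; with the shared layout both routes ban. The practical check is the same in a real deployment: after the module is installed, replay a handful of bad passwords against `/jsonrpc` (or `/xmlrpc/2/common`) and confirm they show up in the module's attempt log and trigger the ban.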

All 3 comments

:+1: When I wrote this module, I just tested with front UI attempts.
This could be a good addition, to log tries from xmlrpc. Do you think you could make a PR?

regards.

Hi @lasley. I allowed myself to change the label you set. I think that "bug" is more appropriate, because what @LeartS is talking about makes this module useless.

The fix is in https://github.com/OCA/server-tools/pull/1219, let's continue there.

