Limit login attempts

Posted: 18 Jan 2014, 22:46
by jan1a
Hello

My server got hit with more than 500 (failed) login attempts to tiny tiny rss. I could not find a way to ban or limit the login attempts/IP addresses.

Would it be possible to build in a login limit (IP ban/403 for 5 minutes if an account has more than 5 failed attempts)? And if an IP has more than x failed attempts on more usernames (enumeration) it will be banned longer?

If Tiny Tiny RSS could log the failed attempts in a format fail2ban could parse I can build something myself, but it does not do that either.

Re: Limit login attempts

Posted: 18 Jan 2014, 23:21
by fox
You should be able to easily make an auth plugin for this kinda thing.

Re: Limit login attempts

Posted: 18 Jan 2014, 23:45
by AngryChris
If you're using Linux, you might also look into fail2ban and creating a jail for apache that will enforce this using iptables. fail2ban will run at the operating system level and can be used to provide security for other services, as well.

EDIT: I see you've already considered that and apparently have found that login failures aren't logged as expected. My bad!

Re: Limit login attempts

Posted: 19 Jan 2014, 14:48
by jan1a
fox wrote: You should be able to easily make an auth plugin for this kinda thing.


I see here: https://github.com/gothfox/Tiny-Tiny-RS ... c.php#L578 that an error message is logged. If you can add the username to it, like so:

user_error("Failed login attempt from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);

user_error("Failed login attempt for {$login} from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);

I could write a fail2ban rule for it.

Re: Limit login attempts

Posted: 19 Jan 2014, 15:14
by fox
Sure, might as well.

e: done

Re: Limit login attempts

Posted: 19 Jan 2014, 15:41
by jan1a
fox wrote: Sure, might as well.

e: done


Thank you! Will start on a fail2ban rule now.

Re: Limit login attempts

Posted: 19 Jan 2014, 21:20
by JustAMacUser
Please share your filter when it's done. I'll be rolling out fail2ban on a few servers shortly and not having to write my own would be lazy of me, err, convenient.

Re: Limit login attempts

Posted: 25 Jan 2014, 04:25
by JustAMacUser
fox wrote: Sure, might as well.

e: done


Just occurred to me that someone might attempt to circumvent this by using the API to login. I've replicated the code you did in the API::login() method in this commit: https://github.com/dzaikos/Tiny-Tiny-RSS/commit/a2108ee96d308e2359ebd132417d8c042c8b0a58

A pull request has been made.

Re: Limit login attempts

Posted: 13 Sep 2014, 03:35
by JackyOhh
Sorry for reactivating this old post, but I got it working and I think it could be useful for someone.
First you have to force tt-rss to write its logs to syslog. So edit config.php (e.g. /usr/share/tt-rss/www/config.php) and change a line to

define('LOG_DESTINATION', 'syslog');


then you create a filter for fail2ban (e.g. /etc/fail2ban/filter.d/tt-rss.conf) and add these lines

[Definition]
failregex= server apache2: \[tt-rss\] E_USER_WARNING \(512\) \(classes/handler/public.php:584\) Failed login attempt for .* from <HOST>

ignoreregex =


now add a fail2ban rule in /etc/fail2ban/jail.local with these lines

[tt-rss]
enabled = true
filter  =  tt-rss
port    = http,https
logpath = /var/log/syslog
maxretry = 6


Restart fail2ban (Debian) and smile ;)

service fail2ban restart


*make sure there is no whitespace between http, and https
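A self-check for the filter above, added here as an example and not part of JackyOhh's post or of fail2ban itself: it applies the thread's failregex to a few constructed syslog lines, roughly as fail2ban-regex would, and counts matches per host against the jail's maxretry. The IPv4-only stand-in for `<HOST>`, the 600-second default findtime (the jail above does not set one) and the sample lines are assumptions; one set of lines carries a different public.php line number to show that the pinned `:584` stops matching after a tt-rss update.

```python
import re
from datetime import datetime

# failregex exactly as posted in the thread's /etc/fail2ban/filter.d/tt-rss.conf
FAILREGEX = (r"server apache2: \[tt-rss\] E_USER_WARNING \(512\) "
             r"\(classes/handler/public.php:584\) Failed login attempt for .* from <HOST>")
MAXRETRY = 6     # from the thread's jail.local
FINDTIME = 600   # fail2ban's default findtime, seconds (assumption: the jail above sets none)
# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption: IPv4 only)
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) ")

def compile_failregex(failregex):
    # Turn a fail2ban failregex into a Python regex by expanding <HOST>
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def parse_syslog_time(line, year=2014):
    # Syslog lines carry no year, so it is taken as a parameter
    return datetime.strptime(f"{year} {SYSLOG_TS.match(line)['ts']}", "%Y %b %d %H:%M:%S")

def offenders(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """{host: total matches} for hosts reaching maxretry matches inside a findtime window."""
    rx = compile_failregex(failregex)
    hits = {}
    for line in lines:
        m = rx.search(line)
        if m:  # lines the filter does not match are simply ignored
            hits.setdefault(m["host"], []).append(parse_syslog_time(line))
    banned = {}
    for host, times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= findtime)
            if in_window >= maxretry:
                banned[host] = len(times)
                break
    return banned

def log_line(ts, user, ip, lineno=584):
    # Syslog line in the shape tt-rss emits with LOG_DESTINATION set to 'syslog'
    return (f"{ts} server apache2: [tt-rss] E_USER_WARNING (512) "
            f"(classes/handler/public.php:{lineno}) Failed login attempt for {user} from {ip}")

# Constructed sample log: six failures in under a minute from one host, one stray failure from
# another, twelve failures with a changed source line number, and an unrelated sshd line
SAMPLE_LOG = (
    [log_line(f"Sep 13 03:35:{s:02d}", "admin", "203.0.113.5") for s in range(0, 60, 10)]
    + [log_line("Sep 13 03:40:00", "bob", "198.51.100.7")]
    + [log_line(f"Sep 13 03:{m:02d}:00", "admin", "192.0.2.9", lineno=590) for m in range(0, 60, 5)]
    + ["Sep 13 03:41:00 server sshd[4242]: Failed password for root from 203.0.113.5 port 22 ssh2"]
)
```

Running `offenders(SAMPLE_LOG)` reports only 203.0.113.5; the twelve failures from 192.0.2.9 are invisible to the filter because of the pinned `:584`, so re-check the filter with fail2ban-regex after every tt-rss update.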