Limit login attempts

jan1a
Bear Rating Trainee
Posts: 3
Joined: 18 Jan 2014, 22:39

Limit login attempts

Postby jan1a » 18 Jan 2014, 22:46

Hello

My server got hit with more than 500 (failed) login attempts to tiny tiny rss. I could not find a way to ban or limit the login attempts/IP addresses.

Would it be possible to build in a login limit (IP ban/403 for 5 minutes if an account has more than 5 failed attemts)? And if an IP has more that x failed attempts on more usernames (enumeration) it will be banned longer?

If Tiny Tiny RSS could log the failed attempts in a format fail2ban could parse I can build something myself, but is does not do that either.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Limit login attempts

Postby fox » 18 Jan 2014, 23:21

You should be able to easily make an auth plugin for this kinda thing.

AngryChris
Bear Rating Master
Posts: 135
Joined: 08 Apr 2013, 02:42

Re: Limit login attempts

Postby AngryChris » 18 Jan 2014, 23:45

If you're using Linux, you might also look into fail2ban and creating a jail for apache that will enforce this using iptables. fail2ban will run at the operating system level and can be used to provide security for other services, as well.

EDIT: I see you've already considered that and apparently have found that login failures aren't logged as expected. My bad!

jan1a
Bear Rating Trainee
Posts: 3
Joined: 18 Jan 2014, 22:39

Re: Limit login attempts

Postby jan1a » 19 Jan 2014, 14:48

fox wrote: You should be able to easily make an auth plugin for this kinda thing.


I see here: https://github.com/gothfox/Tiny-Tiny-RS ... c.php#L578 that an error message is logged. If you can add the username to it, like so:

user_error("Failed login attempt from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);

user_error("Failed login attempt for {$login} from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);

I could write a fail2ban rule for it.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Limit login attempts

Postby fox » 19 Jan 2014, 15:14

Sure, might as well.

e: done

jan1a
Bear Rating Trainee
Posts: 3
Joined: 18 Jan 2014, 22:39

Re: Limit login attempts

Postby jan1a » 19 Jan 2014, 15:41

fox wrote: Sure, might as well.

e: done


Thank you! Will start on a fail2ban rule now.

JustAMacUser
Bear Rating Overlord
Posts: 373
Joined: 20 Aug 2013, 23:13

Re: Limit login attempts

Postby JustAMacUser » 19 Jan 2014, 21:20

Please share your filter when it's done. I'll be rolling out fail2ban on a few servers shortly and not having to write my own would be lazy of me, err, convenient.

JustAMacUser
Bear Rating Overlord
Posts: 373
Joined: 20 Aug 2013, 23:13

Re: Limit login attempts

Postby JustAMacUser » 25 Jan 2014, 04:25

fox wrote: Sure, might as well.

e: done


Just occurred to me that someone might attempt to circumvent this by using the API to login. I've replicated the code you did in the API::login() method in this commit: https://github.com/dzaikos/Tiny-Tiny-RSS/commit/a2108ee96d308e2359ebd132417d8c042c8b0a58

A pull request has been made.

JackyOhh
Bear Rating Trainee
Posts: 1
Joined: 13 Sep 2014, 03:05

Re: Limit login attempts

Postby JackyOhh » 13 Sep 2014, 03:35

Sorry for reactivating this old post, but I got it working and I think it could be useful for someone.
First you have to force tt-rss to write its logs to syslog. So edit config.php (e.g. /usr/share/tt-rss/www/config.php) and change a line to

Code:

define('LOG_DESTINATION', 'syslog');


then you create a filter for fail2ban (e.g. /etc/fail2ban/filter.d/tt-rss.conf) and add these lines

Code:

[Definition]
# Matches the warning tt-rss writes to syslog on a failed login. The host name
# ("server apache2:"), the source file and the line number are deliberately
# not hard-coded: the same filter then works on other hosts, survives upgrades
# that move the user_error() call, and also catches failures logged from the
# API login path (classes/api.php), not only classes/handler/public.php.
# The ".*" for the user name must stay greedy so that a user-supplied name
# containing " from 10.0.0.1" cannot make fail2ban ban the wrong address.
failregex = \[tt-rss\] E_USER_WARNING \(512\) \([^)]+:\d+\) Failed login attempt for .* from <HOST>

ignoreregex =


now add a fail2ban rule in /etc/fail2ban/jail.local with these lines

Code:

[tt-rss]
enabled  = true
filter   = tt-rss
port     = http,https
logpath  = /var/log/syslog
maxretry = 6


Restart fail2ban (Debian) and smile ;)

Code:

service fail2ban restart


* Make sure there is no whitespace between "http," and "https".
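An added worked example (not part of this thread, and not tt-rss or fail2ban code) tying together jan1a's original request (a short ban once an account has more than 5 failed attempts, a longer ban for an IP that fails across many user names) and the filter in the post above. fail2ban is written in Python and matches with Python's re module, so the block expands <HOST> to the pattern fail2ban 0.8/0.9 substitute for it (newer releases use a richer one), searches the filter's failregex over a constructed syslog excerpt, and then applies the two-tier policy with a sliding findtime window. The log lines, the classes/api.php file:line values in them, the year, and the findtime and ban lengths are all assumptions for the demonstration. It also shows why the user-name group must stay greedy: an attacker-chosen user name containing " from 10.0.0.1" still resolves to the real client address.

```python
"""Added example, not code from the thread or from tt-rss/fail2ban: run the
filter's failregex over constructed syslog lines and apply the two-tier
ban policy from the original request."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban 0.8/0.9 substitute for <HOST> (newer versions use a richer pattern).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filter's failregex with <HOST> expanded. fail2ban searches the line rather
# than anchoring it, so the "Sep 13 03:30:01 server apache2:" prefix need not
# appear. The user-name group is greedy on purpose: the last " from <HOST>" on
# the line is the one tt-rss appended, so a crafted user name such as
# "bob from 10.0.0.1" cannot shift the banned address to 10.0.0.1.
FAILREGEX = re.compile(
    r"\[tt-rss\] E_USER_WARNING \(512\) \([^)]+:\d+\) "
    r"Failed login attempt for (?P<user>.*) from " + HOST
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log (not real captures). The classes/api.php file:line
# values are made up; they only show that the regex no longer depends on the
# source location. The last line is an unrelated notice that must not match.
P = "server apache2: [tt-rss] E_USER_WARNING (512) (classes/handler/public.php:584)"
A = "server apache2: [tt-rss] E_USER_WARNING (512) (classes/api.php:120)"
SAMPLE_LOG = "\n".join([
    f"Sep 13 03:30:01 {P} Failed login attempt for admin from 203.0.113.5",
    f"Sep 13 03:30:03 {P} Failed login attempt for admin from 203.0.113.5",
    f"Sep 13 03:30:05 {P} Failed login attempt for admin from 203.0.113.5",
    f"Sep 13 03:30:07 {P} Failed login attempt for admin from 203.0.113.5",
    f"Sep 13 03:30:09 {A} Failed login attempt for admin from 203.0.113.5",
    f"Sep 13 03:30:11 {A} Failed login attempt for admin from 203.0.113.5",
    f"Sep 13 03:31:00 {P} Failed login attempt for alice from 198.51.100.7",
    f"Sep 13 03:31:02 {P} Failed login attempt for bob from 198.51.100.7",
    f"Sep 13 03:31:04 {P} Failed login attempt for carol from 198.51.100.7",
    f"Sep 13 03:31:06 {P} Failed login attempt for dave from 198.51.100.7",
    f"Sep 13 03:31:08 {P} Failed login attempt for erin from 198.51.100.7",
    f"Sep 13 03:31:10 {P} Failed login attempt for frank from 198.51.100.7",
    f"Sep 13 03:31:12 {P} Failed login attempt for bob from 10.0.0.1 from 198.51.100.7",
    f"Sep 13 03:32:00 {P} Failed login attempt for alice from 192.0.2.9",
    f"Sep 13 03:32:30 {P} Failed login attempt for alice from 192.0.2.9",
    "Sep 13 03:33:00 server apache2: [tt-rss] E_USER_NOTICE (1024) "
    "(include/functions.php:10) Unrelated notice from 192.0.2.9",
])


def parse_failures(log_text, year=2014):
    """Return [(timestamp, user, host)] for every line the failregex matches.
    Syslog lines carry no year, so one is assumed, much as fail2ban does."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        ts_m = SYSLOG_TS.match(line)
        if not m or not ts_m:
            continue
        ts = datetime.strptime(f"{year} {ts_m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["host"]))
    return failures


def decide_bans(failures, findtime=timedelta(minutes=10), maxretry=5,
                enum_users=3, short_ban=timedelta(minutes=5),
                long_ban=timedelta(hours=1)):
    """Return {host: ban length}. A host gets short_ban once the account it is
    hitting has more than maxretry failures inside findtime (from any source),
    and long_ban once the host itself has more than maxretry failures spread
    over at least enum_users different user names (enumeration / spraying)."""
    per_host = defaultdict(list)   # host -> [(ts, user)]
    per_user = defaultdict(list)   # user -> [(ts, host)]
    bans = {}
    for ts, user, host in sorted(failures):
        per_host[host].append((ts, user))
        per_user[user].append((ts, host))
        cutoff = ts - findtime
        host_recent = [u for t, u in per_host[host] if t >= cutoff]
        user_recent = [h for t, h in per_user[user] if t >= cutoff]
        if len(host_recent) > maxretry and len(set(host_recent)) >= enum_users:
            bans[host] = max(bans.get(host, timedelta(0)), long_ban)
        elif len(user_recent) > maxretry:
            bans[host] = max(bans.get(host, timedelta(0)), short_ban)
    return bans


if __name__ == "__main__":
    for host, length in decide_bans(parse_failures(SAMPLE_LOG)).items():
        print(f"ban {host} for {length}")
```

Run stand-alone it reports a 5 minute ban for 203.0.113.5 (six failures on admin, two of them via the API path) and a 1 hour ban for 198.51.100.7 (seven failures over seven user names), and nothing for 192.0.2.9. The real fail2ban jail above has only the per-IP maxretry counter; the per-account and enumeration tiers here are what a plugin inside tt-rss, which sees the user name, could add on top.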

