
Lock user account after failed login attempts

Open · damianharouff opened this issue 3 years ago · 1 comment

Graylog's implementation of users does not provide functionality to lock a user account after a number of failed login attempts. While we rely on an external auth provider (LDAP, Okta, etc.) to handle such an action, this may not be available in an organization that does not use SSO, or that uses an auth provider Graylog does not support.

Source: HS-1032446263

damianharouff avatar Aug 04 '22 16:08 damianharouff

@boosty I guess the number of attempts should be configurable. Would you want this configuration to be available for admins in the user overview page, or should this be a server setting? Should the lock time be configurable too?

kodjo-anipah avatar Aug 11 '22 10:08 kodjo-anipah

Hi @kodjo-anipah, this just came in. I have not had time to think about it yet.

boosty avatar Aug 11 '22 11:08 boosty

If we build this, we should take the source IP of the login attempt into account. Otherwise an attacker could easily abuse this feature to lock out another user.

boosty avatar Aug 19 '22 07:08 boosty

Stumbled across this issue, thought I'd add my security-specific viewpoint:

There should definitely be some protection measures against password brute-force/-guessing attacks. In my opinion, this should not consider the source IP, as it seems easy to me for attackers to prepare a sufficiently large pool of IP addresses (using Tor, a bunch of VPN providers, or simply some cloud IaaS resources).

I would see the following basic approaches:

a) Account lockout after a defined number of failed login attempts.

b) Tar pit approach: enforcing a timeout between failed login attempts, where the timeout (drastically) increases on every failed login attempt.

Ad account lockout concerns) I'm not sure if we can (and should) handle that within the protection approach (regardless of the approach). We could automatically unlock (for a.) or reset the timeout (for b.) after some time (as fail2ban does), but I'm not sure if this helps much; an admin might not be happy to wait for some hours until the account gets automatically unlocked to investigate some security issue. Instead, I would suggest making sure admins can unlock their accounts easily (and securely), and providing monitoring to warn of ongoing password brute-force/-guessing attacks.

ckristo avatar Jul 27 '23 12:07 ckristo
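The tar pit approach (b) with a fail2ban-style expiry, an admin unlock, and a monitoring hook, written out as an added illustration for this thread; this is not Graylog code, and the class, method names and parameter values are assumptions chosen for the example. Capping the delay bounds how long any one account can be kept unusable by a third party, which is the lockout-abuse concern raised earlier in the thread.

```python
from dataclasses import dataclass

@dataclass
class _State:
    failures: int = 0
    last_failure: float = 0.0
    blocked_until: float = 0.0

class LoginTarPit:
    """Per-account tar pit: each failed login doubles the wait before the
    next attempt is accepted, capped at max_delay. Counters reset after
    reset_window seconds without failures, on success, or via admin_unlock."""
    def __init__(self, base_delay=1.0, max_delay=900.0, reset_window=3600.0,
                 alert_threshold=10, on_alert=None):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.reset_window, self.alert_threshold = reset_window, alert_threshold
        self.on_alert = on_alert or (lambda user, n: None)  # monitoring hook
        self._state = {}  # constructed in-memory store; a real one is shared/persistent

    def _get(self, user, now):
        st = self._state.setdefault(user, _State())
        if st.failures and now - st.last_failure > self.reset_window:
            self._state[user] = st = _State()  # fail2ban-style expiry of old failures
        return st

    def seconds_until_allowed(self, user, now):
        return max(0.0, self._get(user, now).blocked_until - now)

    def record_failure(self, user, now):
        st = self._get(user, now)
        st.failures += 1
        st.last_failure = now
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.blocked_until = now + delay
        if st.failures >= self.alert_threshold:
            self.on_alert(user, st.failures)  # warn of an ongoing guessing attack
        return delay

    def attempt(self, user, password_ok, now):
        """Gate one login: 'throttled' (password not even checked), 'ok' or 'failed'."""
        if self.seconds_until_allowed(user, now) > 0:
            return "throttled"  # rejected attempts during the wait are not counted
        if password_ok:
            self._state.pop(user, None)  # success clears the counter
            return "ok"
        self.record_failure(user, now)
        return "failed"

    def admin_unlock(self, user):
        self._state.pop(user, None)  # the easy, explicit unlock path for admins
```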

Another related topic to this is multi-step verification / MFA.

Missing protection measures against password brute-force/-guessing attacks and missing MFA are the reasons why I currently would not recommend exposing Graylog to the Internet (without having additional security measures in place).

ckristo avatar Jul 27 '23 12:07 ckristo