Include a login management functionality in order to avoid brute force attacks #72

Open
TheRedTrainer opened this issue Nov 14, 2017 · 1 comment

@TheRedTrainer
Currently, if an rdap-server has a Shiro configuration in order to allow credentials and roles management, there isn't a mechanism to protect the server from a brute-force attack to gain credentials for an rdap user.

Could it be possible to create a functionality to manage failed login attempts in order to avoid a brute-force attack against rdap users?

@pcarana (Contributor) commented Nov 17, 2017

The closest functionality provided by the server is the Rate Limit Filter, but just as stated in the docs:

{...} this problem would be handled by means of firewall rules, load balancing and/or rate-limits within reverse proxies (mod-qos and limitipconn2, for example) {...}

Why does the server lack this protection? Because of REST. REST is supposed to be stateless, so the server shouldn't be remembering who did this or that (at least in terms of requests). The recommendation is to place "something" protecting the server, just as mentioned in the docs (firewall, balancer, etc.).

So, login management will not be added to the server for now. It's a fact that the server itself can be attacked by brute force, but we trust that whoever uses this RDAP implementation will use something to protect the server.

@pcarana pcarana added the Solved label Nov 17, 2017
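The "put something in front of the server" approach recommended in the reply above, as an added example that is not code from the rdap-server project or from either participant: a small Python tracker that reads reverse-proxy access-log lines, counts 401 responses per client address and per HTTP Basic-auth username over a sliding window, and reports which addresses to block at the proxy or firewall and which accounts to alert on. The log lines are constructed for the example; the log format (Apache/nginx "combined", with the Basic-auth user in the third field), the 60-second window and the threshold of 5 failures are assumptions, not values taken from the project or its Rate Limit Filter.

```python
"""Brute-force throttling in front of an RDAP server (added example).

Assumptions (not from the project): the reverse proxy in front of the server
logs one line per request in Apache/nginx "combined" format, with the HTTP
Basic-auth user in the third field (nginx $remote_user) and the status code
right after the quoted request line. Repeated 401 responses from one client
address, or against one username, within a short window mark that address
for blocking at the proxy or firewall, and that account for an alert. The
RDAP server itself keeps no state.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): 203.0.113.7 guesses
# passwords for "alice", a legitimate request by "bob" succeeds, and a
# second address tries "alice" twice, ten minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - alice [17/Nov/2017:10:00:01 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
203.0.113.7 - alice [17/Nov/2017:10:00:02 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
198.51.100.4 - bob [17/Nov/2017:10:00:02 +0000] "GET /rdap/ip/192.0.2.1 HTTP/1.1" 200 812
203.0.113.7 - alice [17/Nov/2017:10:00:03 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
203.0.113.7 - alice [17/Nov/2017:10:00:04 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
203.0.113.7 - alice [17/Nov/2017:10:00:05 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
192.0.2.99 - alice [17/Nov/2017:10:00:06 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
192.0.2.99 - alice [17/Nov/2017:10:10:00 +0000] "GET /rdap/domain/example.com HTTP/1.1" 401 0
"""

# ip, ident, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, user, timestamp, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("user"), ts, int(m.group("status"))


class AuthFailureTracker:
    """Sliding-window counter of 401s, keyed by client IP and by username."""

    def __init__(self, window_seconds=60, max_failures=5):
        self.window = timedelta(seconds=window_seconds)
        self.max_failures = max_failures
        self.by_ip = defaultdict(deque)
        self.by_user = defaultdict(deque)
        self.blocked_ips = set()
        self.locked_users = set()

    def _record(self, bucket, key, ts):
        """Append a failure timestamp, drop those outside the window, return count."""
        q = bucket[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def observe(self, ip, user, ts, status):
        # Only failed authentications count; a successful request clears
        # the client address's failure history.
        if status != 401:
            if status == 200 and ip in self.by_ip:
                self.by_ip[ip].clear()
            return
        if self._record(self.by_ip, ip, ts) >= self.max_failures:
            self.blocked_ips.add(ip)
        # "-" is the proxy's placeholder for "no credentials presented"
        if user != "-" and self._record(self.by_user, user, ts) >= self.max_failures:
            self.locked_users.add(user)


def analyze(log_text, window_seconds=60, max_failures=5):
    """Run the tracker over log text; return (blocked IPs, targeted users), sorted."""
    tracker = AuthFailureTracker(window_seconds, max_failures)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            tracker.observe(*parsed)
    return sorted(tracker.blocked_ips), sorted(tracker.locked_users)


if __name__ == "__main__":
    ips, users = analyze(SAMPLE_LOG)
    print("block at proxy/firewall:", ips)
    print("alert on username:", users)
```

Tracking per username as well as per address matters because a guesser can spread attempts over many source addresses (the second address in the sample never reaches the per-IP threshold, but its attempts still count against "alice"). The per-IP block should be applied with care behind NAT or a CDN, where one address represents many clients; in that case key on the real client address from a trusted forwarded-for header, not on the proxy's peer address.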