Skip to content

[FEATURE] - User-Level Blocking Support Complementing IP Blocking #200

New issue
New issue
Open
Open
[FEATURE] - User-Level Blocking Support Complementing IP Blocking#200
Labels
authfeatureNew feature or request
@cedricfrancoys

Description

@cedricfrancoys
cedricfrancoys
opened on Dec 2, 2024

Blocking Strategy

Failure Count Increment Process

  1. Incrementing the auth_fail_count field:
    On each failed login attempt, the auth_fail_count field associated with the user is incremented. This field is included in the user information (userinfo) sent to the system.

  2. Blocking after a defined threshold:
    If the failure count reaches a configurable threshold, access through the user interface (UI) is suspended.

    • Front-End Behavior:
      The front-end displays a message informing the user that the account is suspended and prevents further login attempts. No signin requests are sent.

    • API Submissions:
      Direct API submissions remain possible as long as the user account is marked as active. However, requests outside the official interface (e.g., via a modified front-end) are reasonably considered malicious.

Differentiating HTTP Codes: 401 Unauthorized vs. 403 Forbidden

HTTP codes are used to provide precise feedback on why a request was rejected. The following cases apply to authentication attempts:

Case HTTP Code Explanation
Unknown user 401 Indicates that the user does not exist in the system.
Known user, failure below the threshold 403 Authentication failed, but attempts remain. The front-end notifies the user without blocking.
Known user, failure at or above threshold 401 The failure count exceeds the threshold. Re-authentication is required.

Integration with fail2ban

The protection mechanism integrates with fail2ban as follows:

  • Monitoring 401 responses:
    fail2ban is configured to monitor HTTP responses with the 401 Unauthorized code.
  • IP Blocking After Threshold:
    If an IP address triggers more than 3 401 responses, fail2ban blocks the IP.

This strategy ensures dual-layer protection:

  • User-Level Blocking: Controlled via auth_fail_count.
  • IP-Level Blocking: Managed by fail2ban, limiting brute force attempts.

Configurable Parameters

  • Attempt Threshold (auth_fail_threshold): Defines the maximum number of failed attempts allowed before blocking the user.
  • fail2ban Configuration: Customizable threshold and blocking duration for IPs generating multiple 401 responses.

Metadata

Metadata

Assignees

No one assigned

    Labels

    authfeatureNew feature or request

    Type

    No type

    Projects

    eQual

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions