Just a note on this for the future - most of the penetration testing teams[1] out there now will attempt a dictionary attack not by trying different passwords with the same username, but by trying the same password across the 1000 most common usernames. Would be nice if we could track failed logins across multiple usernames (maybe for 4.1 ;) )

[1] Malicious users are doing it as well, but depending on the CS user, they may (unfortunately) care more about the pen test report than the hacker…

On Sep 5, 2012, at 7:56 AM, saksham srivastava <[email protected]> wrote:

    On Sept. 3, 2012, 5:28 p.m., Nitin Mehta wrote:
        server/src/com/cloud/user/AccountManagerImpl.java, line 427
        <https://reviews.apache.org/r/6858/diff/3/?file=149072#file149072line427>

        The function signature should be something like this:
        updateLoginAttempts(Long accountId, int failedLoginAttempts, boolean isDisableAllowed)

    Changed the name of variables to attempts and toDisable.

    On Sept. 3, 2012, 5:28 p.m., Nitin Mehta wrote:
        server/src/com/cloud/user/AccountManagerImpl.java, line 1029
        <https://reviews.apache.org/r/6858/diff/3/?file=149072#file149072line1029>

        Don't you have to do this for all the users belonging to this account?

    No, the aim is only to enable the login attempts of that particular user. All users have independent login_attempts irrespective of their account.

    On Sept. 3, 2012, 5:28 p.m., Nitin Mehta wrote:
        server/src/com/cloud/user/AccountManagerImpl.java, line 1859
        <https://reviews.apache.org/r/6858/diff/3/?file=149072#file149072line1859>

        The value can be 0, meaning for the 1st incorrect login you disable the account.

    0 means login is not allowed. 1 means a single attempt is provided.

    - saksham

    -----------------------------------------------------------
    This is an automatically generated e-mail. To reply, visit:
    https://reviews.apache.org/r/6858/#review10998
    -----------------------------------------------------------

    On Sept. 5, 2012, 2:56 p.m., saksham srivastava wrote:

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/6858/
        -----------------------------------------------------------

        (Updated Sept. 5, 2012, 2:56 p.m.)

        Review request for cloudstack, Devdeep Singh, Nitin Mehta, and Alena Prokharchyk.

        Description
        -------
        Added global setting login.attempts.allowed which defines the maximum incorrect password attempts allowed. Also after the maximum attempts are reached the user account is disabled.
        This addresses bug CS-10219.

        Diffs
        -----
        core/src/com/cloud/user/UserAccountVO.java 5e7c018
        server/src/com/cloud/configuration/Config.java ebcd070
        server/src/com/cloud/user/AccountManagerImpl.java 38153f3
        setup/db/create-schema.sql fa933e3
        setup/db/db/schema-302to40.sql aaf23e6

        Diff: https://reviews.apache.org/r/6858/diff/

        Testing
        -------
        Verified locally.

        Thanks,
        saksham srivastava

Stratosec - Secure Infrastructure as a Service (http://stratosec.co)
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)
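The cross-username tracking asked for above, as an added illustration that is not CloudStack code: a per-account failure counter in the spirit of the reviewed login.attempts.allowed setting, placed next to a detector that flags one source failing against many distinct usernames inside a time window. The event list, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events: (timestamp, source IP, username).
# Rows 1-3 are a classic per-user guess; rows 4-8 are one source trying a
# single guess against many usernames, which a per-account counter never trips.
FAILED_LOGINS = [
    ("2012-09-05T07:50:00", "198.51.100.7", "admin"),
    ("2012-09-05T07:50:05", "198.51.100.7", "admin"),
    ("2012-09-05T07:50:10", "198.51.100.7", "admin"),
    ("2012-09-05T07:51:00", "203.0.113.9", "admin"),
    ("2012-09-05T07:51:01", "203.0.113.9", "root"),
    ("2012-09-05T07:51:02", "203.0.113.9", "test"),
    ("2012-09-05T07:51:03", "203.0.113.9", "guest"),
    ("2012-09-05T07:51:04", "203.0.113.9", "user"),
    ("2012-09-05T07:52:00", "192.0.2.4", "alice"),
]


def per_account_lockouts(events, attempts_allowed=3):
    """Usernames a per-account counter would disable once they reach the
    allowed number of failures (the model the reviewed patch implements)."""
    count = defaultdict(int)
    for _, _, user in events:
        count[user] += 1
    return sorted(u for u, n in count.items() if n >= attempts_allowed)


def spray_sources(events, window=timedelta(minutes=5), min_users=4):
    """Sources whose failures cover at least min_users distinct usernames
    within any sliding window; returns {source: distinct usernames seen}."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort()  # chronological, so each window starts at rows[i]
        for i, (t0, _) in enumerate(rows):
            users = {u for t, u in rows[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged


if __name__ == "__main__":
    print("per-account lockouts:", per_account_lockouts(FAILED_LOGINS))
    print("sources spraying usernames:", spray_sources(FAILED_LOGINS))
```

On the sample, the per-account counter only disables "admin", while the second function flags 203.0.113.9 even though it touched each username once.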
