davift opened a new issue, #13343: URL: https://github.com/apache/cloudstack/issues/13343
### The required feature described as a wish **Description:** CloudStack does not monitor or restrict API authentication attempts based on the source IP address. A single client can submit unlimited failed authentication attempts across any number of accounts without being identified or blocked. **Affected Components:** Management API **Impact:** An attacker operating from a single source address can systematically target multiple user accounts with repeated failed login attempts, deliberately triggering lockouts across all accounts, preventing legitimate users and administrators from accessing the platform. **Steps to Reproduce:** - Using a custom script or a brute-forcing tool (e.g., `hydra`), send a high volume of failed authentication attempts targeting multiple user accounts. - Observe that the requests are processed without any source IP tracking, flagging, or blocking. - Confirm that targeted accounts transition to a disabled state while the source IP remains unrestricted. **Recommended Remediation:** Log all authentication attempts and source IPs to `/var/log/cloudstack/management/auth.log` so tools like Fail2Ban can automatically detect brute-force attacks and block malicious traffic (via `iptables` or `nftables`). For even faster protection, a system administrator can craft a custom script using `inotify` to trigger real-time blocks via network edge appliances, stopping attackers' traffic before they ever reach CloudStack. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
