mike-jumper opened a new pull request, #758: URL: https://github.com/apache/guacamole-client/pull/758
This change adds a new extension, "guacamole-auth-ban", which automatically tracks failed authentication attempts. After a specified limit has been reached, the IP address that is failing to authenticate is temporarily banned. This includes failures to provide valid MFA codes, etc., if Guacamole is configured to require them.

By default, addresses that repeatedly fail authentication are banned for 5 minutes (300 seconds) after 5 failed attempts, and these values can be overridden with the `ban-address-duration` and `ban-max-invalid-attempts` properties respectively. The maximum number of addresses tracked is ~10 million by default (10485760), and this can be overridden with the `ban-max-addresses` property. It is intentionally not possible to remove the limit entirely, though it can be set as high as desired.

If too many authentication failures have occurred, the user failing to authenticate will see a message like:

>

In addition to implementing the extension itself, this change involved:

* Modifying the firing of auth events such that they are always fired only after authentication has entirely succeeded or entirely failed.
* Modifying handling of auth failures such that past auth tokens are removed from client-side storage after they have been determined to be invalid (they will otherwise be pointlessly resubmitted and will count toward auth failures).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
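The following is an added example written for this page; it is not the guacamole-auth-ban extension's code and makes no claim about how that extension is implemented internally. It models the behaviour the PR description outlines: per-address counting of failed attempts (password or MFA), a temporary ban once the configured limit is reached, and a hard cap on the number of tracked addresses that can be raised but not removed. The defaults (5 attempts, 300 seconds, 10485760 addresses) mirror the described ones; the eviction policy for the address table, the reset-on-success behaviour, the injectable clock and the `BanTracker` / `_AddressState` names are assumptions of this example, and the IP addresses used in `demo()` are constructed documentation-range values.

```python
"""Added example (not guacamole-auth-ban code): a bounded per-address
failed-login tracker that bans an address after too many failures."""
import time
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class _AddressState:
    failures: int = 0          # failed attempts seen since last reset
    banned_until: float = 0.0  # epoch seconds the ban ends; 0.0 = not banned


class BanTracker:
    def __init__(self, max_invalid_attempts=5, ban_duration=300,
                 max_addresses=10485760, clock=time.time):
        # The cap can be raised as high as desired but never removed.
        if max_addresses < 1:
            raise ValueError("address limit can be raised but not removed")
        self.max_invalid_attempts = max_invalid_attempts
        self.ban_duration = ban_duration
        self.max_addresses = max_addresses
        self._clock = clock  # injectable so tests can advance time
        # Insertion-ordered so the least recently updated address can be
        # evicted when the table is full (eviction policy is an assumption).
        self._addresses = OrderedDict()

    def is_banned(self, address):
        """True while an active ban exists for the address.

        An expired ban is cleared here, so the address starts again from a
        clean slate rather than being banned on its very next failure."""
        state = self._addresses.get(address)
        if state is None:
            return False
        if state.banned_until and self._clock() >= state.banned_until:
            del self._addresses[address]
            return False
        return state.banned_until > 0.0

    def record_failure(self, address):
        """Count one failed authentication (wrong password, bad MFA code,
        an invalid stale token, ...) and return True if the address is now
        banned. Failures during an active ban are not counted again."""
        if self.is_banned(address):
            return True
        state = self._addresses.get(address)
        if state is None:
            if len(self._addresses) >= self.max_addresses:
                # Table full: drop the least recently updated address.
                self._addresses.popitem(last=False)
            state = _AddressState()
            self._addresses[address] = state
        else:
            self._addresses.move_to_end(address)
        state.failures += 1
        if state.failures >= self.max_invalid_attempts:
            state.banned_until = self._clock() + self.ban_duration
            return True
        return False

    def record_success(self, address):
        """A successful login clears the failure count (assumption)."""
        self._addresses.pop(address, None)

    def tracked_addresses(self):
        return len(self._addresses)


def demo():
    """Walk through the ban lifecycle with a fake clock and a tiny table."""
    now = [1_000_000.0]
    tracker = BanTracker(max_invalid_attempts=5, ban_duration=300,
                         max_addresses=2, clock=lambda: now[0])
    results = {}
    # Constructed client address (RFC 5737 range): fails until banned.
    results["banned_after"] = next(
        n for n in range(1, 10) if tracker.record_failure("203.0.113.7"))
    results["banned_now"] = tracker.is_banned("203.0.113.7")
    now[0] += 299                                   # 1 s before expiry
    results["banned_at_299s"] = tracker.is_banned("203.0.113.7")
    now[0] += 1                                     # exactly 300 s later
    results["banned_at_300s"] = tracker.is_banned("203.0.113.7")
    # Bounded table: with max_addresses=2 a third address evicts the oldest.
    for addr in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        tracker.record_failure(addr)
    results["tracked"] = tracker.tracked_addresses()
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'banned_after': 5, 'banned_now': True, 'banned_at_299s': True, 'banned_at_300s': False, 'tracked': 2}`. Two points worth noting for anyone building or reviewing such a tracker: the address cap is a deliberate memory bound, which is why the example refuses a cap of zero rather than treating it as "unlimited", and a stale token resubmitted by the client counts as a failure just like a bad password, which is exactly why the PR also clears invalid tokens from client-side storage.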
