[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17691577#comment-17691577 ]

Andrew Luo commented on RANGER-2362:

The patch for this creates a bug: [RANGER-4104] XXAuthSessionDao.getRecentAuthFailureCountByLoginId produces incorrect SQL code - ASF JIRA (apache.org)

> [security] Admin webui - Lack of account lockout
>
> Key: RANGER-2362
> URL: https://issues.apache.org/jira/browse/RANGER-2362
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
> Affects Versions: 1.0.0
> Reporter: t oo
> Assignee: kirby zhou
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Account lockout is a mechanism used to stop non-valid users from guessing the right password. It is also a protection against brute force attacks wherein an automated system can use common/dictionary passwords or even build passwords based on a set of characters just to try to guess the valid one.
>
> The application does not implement an account lockout mechanism, leaving it susceptible to brute force attacks. These login pages were susceptible to this condition.
>
> It is possible for an attacker to use dictionary or brute force attacks and set it to attempt sending the requests over a particular amount of time to bypass the validation. Once a username has been correctly guessed, the attacker may then be able to gain access to the application. Since it is vulnerable to the Form Auto Complete Active vulnerability (LINK), which makes the email addresses easier to guess, a brute force attack becomes more likely to be possible.
>
> Enforce account lockout conditions to prevent intrusions and improve password requirements and complexities to avoid the chances of brute force and dictionary attacks from working.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17509573#comment-17509573 ]

kirby zhou commented on RANGER-2362:

Default settings of the patch: security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml

{code:xml}
<property>
  <name>ranger.admin.login.autolock.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ranger.admin.login.autolock.window.seconds</name>
  <value>300</value>
</property>
<property>
  <name>ranger.admin.login.autolock.maxfailure</name>
  <value>5</value>
</property>
{code}
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17504881#comment-17504881 ]

kirby zhou commented on RANGER-2362:

https://reviews.apache.org/r/73898/

Simple demo code for discussion.
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502875#comment-17502875 ]

kirby zhou commented on RANGER-2362:

[https://mkyong.com/spring-security/spring-security-limit-login-attempts-example/]

It is an in-database attempt-count solution for lockout, but it requires updating our database schema. I think an in-memory attempt count is enough in most cases.
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502872#comment-17502872 ]

kirby zhou commented on RANGER-2362:

I think way 1 is unacceptable. Small clusters DO NOT want to link LDAP/AD just for authentication. In most cases, we only need a few admin users to log in to Ranger.
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502860#comment-17502860 ]

Bhavik Patel commented on RANGER-2362:

We have 2 approaches:

1. We can move all the DB (internal) users to external users so LDAP/AD will handle the lockout mechanism - required to check all the impacts
2. We have to implement the account lockout mechanism for internal users (using Spring Security) - required to check Spring configuration and code-level changes
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502823#comment-17502823 ]

kirby zhou commented on RANGER-2362:

Authentication backends such as LDAP/PAM have their own lockout mechanism, so we just need to do something in the JDBC branch, which is DaoAuthenticationProvider. DaoAuthenticationProvider::retrieveUser calls UserDetailsService::loadUsersByUsername to get user details. UserDetails has a Nonlocked property. The UserDetailsService object is actually a JdbcUserDetailsManager. Unfortunately JdbcUserDetailsManager|JdbcDaoImpl::loadUsersByUsername does not load "Nonlocked" from the database, although it loads "enabled", which is used by the admin to disable a user by hand.

{code:java}
protected List<UserDetails> loadUsersByUsername(String username) {
    // @formatter:off
    RowMapper<UserDetails> mapper = (rs, rowNum) -> {
        String username1 = rs.getString(1);
        String password = rs.getString(2);
        boolean enabled = rs.getBoolean(3);
        // accountNonExpired, credentialsNonExpired and accountNonLocked are hard-coded to true;
        // only "enabled" comes from the users table
        return new User(username1, password, enabled, true, true, /* nonlocked: */ true,
                AuthorityUtils.NO_AUTHORITIES);
    };
    // @formatter:on
    return getJdbcTemplate().query(this.usersByUsernameQuery, mapper, username);
}
{code}

A simple way: subclass DaoAuthenticationProvider to provide an in-memory lock mechanism. Override additionalAuthenticationChecks to lock the user after many failures. Override retrieveUser to set the nonlocked attribute in UserDetails.
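As an added illustration of the approach sketched in the comment above (subclass DaoAuthenticationProvider, override retrieveUser and additionalAuthenticationChecks) with the window and max-failure limits from the default settings quoted earlier in this thread, here is hypothetical example code that is not Ranger's actual patch. The class name AutoLockDaoAuthenticationProvider, the hard-coded limits and the use of Spring Security 5's User.withUserDetails builder to set accountLocked are assumptions.

```java
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical subclass (not Ranger's patch): sliding-window, in-memory lockout for the JDBC branch.
public class AutoLockDaoAuthenticationProvider extends DaoAuthenticationProvider {
    // Limits match the defaults quoted in this thread (ranger.admin.login.autolock.*).
    private final Duration window = Duration.ofSeconds(300);
    private final int maxFailure = 5;
    // loginId -> timestamps of recent failures, oldest first, at most maxFailure entries.
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();
    // Locked when at least maxFailure failures fall inside the current window.
    boolean isLocked(String loginId) {
        Deque<Instant> q = failures.get(loginId);
        if (q == null) return false;
        synchronized (q) {
            Instant cutoff = Instant.now().minus(window);
            while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) q.pollFirst(); // expire old entries
            return q.size() >= maxFailure;
        }
    }
    void recordFailure(String loginId) {
        Deque<Instant> q = failures.computeIfAbsent(loginId, k -> new ArrayDeque<>());
        synchronized (q) {
            q.addLast(Instant.now());
            while (q.size() > maxFailure) q.pollFirst(); // bound memory per login id
        }
    }
    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken auth) throws AuthenticationException {
        UserDetails user = super.retrieveUser(username, auth);
        // JdbcDaoImpl hard-codes accountNonLocked=true; the in-memory state replaces it so the
        // provider's standard pre-authentication check raises LockedException for a locked user.
        return User.withUserDetails(user).accountLocked(isLocked(username)).build();
    }
    @Override
    protected void additionalAuthenticationChecks(UserDetails user, UsernamePasswordAuthenticationToken auth) throws AuthenticationException {
        try {
            super.additionalAuthenticationChecks(user, auth); // password comparison
            failures.remove(user.getUsername()); // a successful login clears the counter
        } catch (BadCredentialsException e) {
            recordFailure(user.getUsername());
            throw e;
        }
    }
}
```

Failures for unknown usernames are never recorded because super.retrieveUser throws before the counter is touched, which keeps the map bounded to real login ids; the state is per JVM, so a multi-node admin deployment would need the database-backed variant discussed elsewhere in the thread.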
[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout
[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502751#comment-17502751 ]

Bhavik Patel commented on RANGER-2362:

[~madhan] [~pradeepagrawal8184] [~abhayk] [~kirbyzhou] any thoughts on this?