[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2023-02-21 Thread Andrew Luo (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17691577#comment-17691577 ]

Andrew Luo commented on RANGER-2362:


The patch for this creates a bug: [RANGER-4104] XXAuthSessionDao.getRecentAuthFailureCountByLoginId produces incorrect SQL code - ASF JIRA (apache.org)

> [security] Admin webui - Lack of account lockout
> 
> Key: RANGER-2362
> URL: https://issues.apache.org/jira/browse/RANGER-2362
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
> Affects Versions: 1.0.0
> Reporter: t oo
> Assignee: kirby zhou
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Account lockout is a mechanism used to stop non-valid users from guessing 
> the right password. It is also a protection against brute force attacks 
> wherein an automated system can use common/dictionary passwords or even build 
> passwords based on a set of characters just to try to guess the valid one.
>
> The application does not implement an account lockout mechanism, leaving it 
> susceptible to brute force attacks. These login pages were susceptible to 
> this condition.
>
> It is possible for an attacker to use dictionary or brute force attacks and 
> set it to attempt sending the requests over a particular amount of time to 
> bypass the validation. Once a username has been correctly guessed, the 
> attacker may then be able to gain access to the application. Since it is 
> vulnerable to the Form Auto Complete Active vulnerability (LINK), which makes the 
> email addresses easier to guess, it will make a brute force attack more 
> likely.
>
> Enforce account lockout conditions to prevent intrusions and improve 
> password requirements and complexity to avoid the chances of brute force 
> and dictionary attacks from working.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-20 Thread kirby zhou (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17509573#comment-17509573 ]

kirby zhou commented on RANGER-2362:


Default settings of the patch:

security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml

{code:xml}
<!-- Hadoop-style configuration properties in ranger-admin-default-site.xml -->
<property>
  <name>ranger.admin.login.autolock.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ranger.admin.login.autolock.window.seconds</name>
  <value>300</value>
</property>
<property>
  <name>ranger.admin.login.autolock.maxfailure</name>
  <value>5</value>
</property>
{code}



[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-11 Thread kirby zhou (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17504881#comment-17504881 ]

kirby zhou commented on RANGER-2362:


https://reviews.apache.org/r/73898/

Simple demo code for discussion.



[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-08 Thread kirby zhou (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502875#comment-17502875 ]

kirby zhou commented on RANGER-2362:


[https://mkyong.com/spring-security/spring-security-limit-login-attempts-example/]

It is an in-database attempts-count solution for lockout, but it requires 
updating our database schema.

I think an in-memory attempts count is enough in most cases.



[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-08 Thread kirby zhou (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502872#comment-17502872 ]

kirby zhou commented on RANGER-2362:


I think way 1 is unacceptable. Small clusters DO NOT want to link LDAP/AD just 
for authentication.

In most cases, we only need a few admin users to log in to Ranger.



[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-08 Thread Bhavik Patel (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502860#comment-17502860 ]

Bhavik Patel commented on RANGER-2362:
--

We have 2 approaches:
1. We can move all the DB (internal) users to external users so LDAP/AD will 
handle the lockout mechanism - required to check all the impacts.
2. We have to implement the account lockout mechanism for internal users (using 
Spring Security) - required to check the Spring configuration and code-level 
changes.



[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-08 Thread kirby zhou (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502823#comment-17502823 ]

kirby zhou commented on RANGER-2362:


Authentication backends such as ldapam have their own lockout mechanism, so we 
just need to do something on the JDBC branch, which is DaoAuthenticationProvider: 
DaoAuthenticationProvider::retrieveUser calls 
UserDetailsService::loadUsersByUsername to get the user details, and UserDetails 
has a Nonlocked property.

The UserDetailsService object is actually a JdbcUserDetailsManager.

Unfortunately JdbcUserDetailsManager|JdbcDaoImpl::loadUsersByUsername does not 
load "Nonlocked" from the database, although it loads "enabled", which is used by 
the admin to disable a user by hand.


{code:java}
// Spring Security JdbcDaoImpl: accountNonLocked is hard-coded to true
protected List<UserDetails> loadUsersByUsername(String username) {
    // @formatter:off
    RowMapper<UserDetails> mapper = (rs, rowNum) -> {
        String username1 = rs.getString(1);
        String password = rs.getString(2);
        boolean enabled = rs.getBoolean(3);
        // User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities)
        return new User(username1, password, enabled, true, true, /* nonlocked: */ true,
                AuthorityUtils.NO_AUTHORITIES);
    };
    // @formatter:on
    return getJdbcTemplate().query(this.usersByUsernameQuery, mapper, username);
}
{code}


A simple way:

subclass DaoAuthenticationProvider to provide an in-memory lock mechanism.

override additionalAuthenticationChecks to lock the user after many failures.

override retrieveUser to set the nonlocked attribute in UserDetails.

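Worked example, added here and not Ranger's code or the patch under review: one way to build the in-memory lock mechanism sketched in this comment, parameterised by the three autolock properties posted in the 2022-03-20 comment (enabled, window.seconds=300, maxfailure=5). All class names are hypothetical. Instead of overriding retrieveUser, which DaoAuthenticationProvider declares final, the lock state is injected by wrapping the JDBC UserDetailsService so that accountNonLocked no longer carries the hard-coded true shown above; additionalAuthenticationChecks counts password failures and refuses locked accounts.

```java
// Added example (not Ranger's code). Class names are hypothetical.
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Sliding-window failure counter per username, driven by the three autolock properties. */
final class LoginFailureRegistry {
    private final boolean enabled;   // ranger.admin.login.autolock.enabled
    private final Duration window;   // ranger.admin.login.autolock.window.seconds
    private final int maxFailures;   // ranger.admin.login.autolock.maxfailure
    private final Clock clock;       // injectable so the window can be unit-tested
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();

    LoginFailureRegistry(boolean enabled, long windowSeconds, int maxFailures, Clock clock) {
        this.enabled = enabled;
        this.window = Duration.ofSeconds(windowSeconds);
        this.maxFailures = maxFailures;
        this.clock = clock;
    }

    /** Failures inside the window; entries older than the window are dropped first. */
    int recentFailureCount(String username) {
        Deque<Instant> q = failures.get(username);
        if (q == null) return 0;
        Instant cutoff = clock.instant().minus(window);
        synchronized (q) {
            while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) q.pollFirst();
            return q.size();
        }
    }

    boolean isLocked(String username) {
        return enabled && recentFailureCount(username) >= maxFailures;
    }

    void recordFailure(String username) {
        Deque<Instant> q = failures.computeIfAbsent(username, k -> new ArrayDeque<>());
        synchronized (q) { q.addLast(clock.instant()); }
    }

    void reset(String username) { failures.remove(username); }
}

/** Wraps the JDBC UserDetailsService so accountNonLocked reflects the registry, not the hard-coded true. */
final class LockAwareUserDetailsService implements UserDetailsService {
    private final UserDetailsService delegate;
    private final LoginFailureRegistry registry;

    LockAwareUserDetailsService(UserDetailsService delegate, LoginFailureRegistry registry) {
        this.delegate = delegate;
        this.registry = registry;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails loaded = delegate.loadUserByUsername(username);
        // Spring's pre-authentication checks raise LockedException when accountNonLocked is false
        return User.withUserDetails(loaded).accountLocked(registry.isLocked(username)).build();
    }
}

/** Counts failed password checks and refuses locked accounts before comparing the password. */
public class AutoLockDaoAuthenticationProvider extends DaoAuthenticationProvider {
    private final LoginFailureRegistry registry;

    public AutoLockDaoAuthenticationProvider(UserDetailsService jdbcUsers, LoginFailureRegistry registry) {
        this.registry = registry;
        setUserDetailsService(new LockAwareUserDetailsService(jdbcUsers, registry));
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        String username = userDetails.getUsername();
        if (registry.isLocked(username)) {
            throw new LockedException("Account temporarily locked after repeated login failures");
        }
        try {
            super.additionalAuthenticationChecks(userDetails, authentication);
        } catch (BadCredentialsException e) {
            registry.recordFailure(username); // wrong password: count it, then rethrow
            throw e;
        }
        registry.reset(username); // correct password: clear the window
    }
}
```

Wire it as `new AutoLockDaoAuthenticationProvider(jdbcUserDetailsManager, new LoginFailureRegistry(true, 300, 5, Clock.systemUTC()))` and set the password encoder as usual. Two properties of this design are worth noting from a defender's side. The lock is time-bounded: an account that hits maxfailure stays locked only until its oldest failure ages past window.seconds, so someone deliberately feeding wrong passwords can disrupt an admin login for minutes, not indefinitely. And the counter lives in one JVM, so it resets on restart and is not shared between HA admin instances, which is exactly the trade-off against the in-database attempts count discussed elsewhere in this thread.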


[jira] [Commented] (RANGER-2362) [security] Admin webui - Lack of account lockout

2022-03-07 Thread Bhavik Patel (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17502751#comment-17502751 ]

Bhavik Patel commented on RANGER-2362:
--

[~madhan]  [~pradeepagrawal8184]  [~abhayk]  [~kirbyzhou]  any thoughts on this?
