Investigate brute-force attacks against all exozyme services #104

New issue

Closed

opened 2022-01-28 16:58:56 +00:00 by a · 2 comments

a commented

2022-01-28 16:58:56 +00:00

Owner

Copy link

SSH: We now require SSH keys
pam: We use unmodified security settings so accounts are locked out after 3 attempts for 10 minutes. Disabling su might be a good idea too.
LDAP: Vulnerable
exodesk: Uses pam
exocloud: Uses LDAP and has built-in brute-force prevention
exochat: Uses LDAP
exogit: Uses LDAP
exomedia: Uses LDAP
exocial: Uses LDAP and 2FA via email
exotube: Uses LDAP and has built-in brute-force prevention
exohub: Uses pam
exoportal: Uses pam
exoci: Uses OAuth2 via exogit

This is a generalized version of #61. Basically, we need to check all of our services for their resistance to brute-force attacks, and possibly implement more mitigations. (exoffice, exopages, and exovpn are excluded) - [x] SSH: We now require SSH keys - [x] pam: We use unmodified security settings so accounts are locked out after 3 attempts for 10 minutes. Disabling `su` might be a good idea too. - [ ] LDAP: Vulnerable - [x] exodesk: Uses pam - [x] exocloud: Uses LDAP and has built-in brute-force prevention - [ ] exochat: Uses LDAP - [ ] exogit: Uses LDAP - [ ] exomedia: Uses LDAP - [x] exocial: Uses LDAP and 2FA via email - [x] exotube: Uses LDAP and has built-in brute-force prevention - [x] exohub: Uses pam - [x] exoportal: Uses pam - [x] exoci: Uses OAuth2 via exogit

a added the

labels 2022-01-28 16:58:56 +00:00

a added this to the (deleted) project 2022-01-28 16:58:56 +00:00

a commented

2022-01-28 17:14:57 +00:00

Author

Owner

Copy link

OpenLDAP seems very vulnerable to brute-force attacks. 👀

Attackers can brute-force about one password every 5 ms. OpenLDAP has a ppolicy module for configuring password policies, but it seems very difficult to use. (just like every other OpenLDAP feature)

OpenLDAP seems very vulnerable to brute-force attacks. 👀 Attackers can brute-force about one password every 5 ms. OpenLDAP has a `ppolicy` module for configuring password policies, but it seems very difficult to use. (just like every other OpenLDAP feature)

a started working 2022-01-28 22:14:01 +00:00

a self-assigned this 2022-01-28 22:14:22 +00:00

a commented

2022-01-28 22:45:38 +00:00

Author

Owner

Copy link

OpenLDAP is too freaking complicated. Labelling as wontfix so we don't waste more time. Strong passwords should partially prevent brute-force attacks, and if someone is really trying thousands of passwords in a brute-force manner, it'll be pretty clear in the system logs.

a closed this issue

2022-01-28 22:45:38 +00:00

a stopped working 2022-01-28 22:45:38 +00:00

31min 37s

a added the

wontfix

label 2022-01-28 22:45:50 +00:00

No Branch/Tag specified

Branches Tags

main

v9.0

v8.8

v8.7

v8.6

v8.5

v8.4

v8.3

v8.2

v8.1

v8.0

v7.10

v7.9

v7.8

v7.7

v7.6

v7.5

v7.4

v7.3

v7.2

v7.1

v7.0

v6.1

v6.0

v5.1

v5.0

v4.2

v4.1

v4.0

v3.0

v2.5

v2.4

v2.3

v2.2

v2.1

v2.0

v1.3

v1.2

v1.1

v1.0

v0.3-beta

Labels

Clear labels

bug

Something is not working

duplicate

This issue or pull request already exists

More information is needed

security

Security vulnerability

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Total time spent: 31 minutes 37 seconds

31 minutes 37 seconds

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: exozyme/exozyme#104

Reference in a new issue

Repository

exozyme/exozyme

Title

Body

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?