Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect brute force login attempts from different ip addresses #17503

Merged
merged 9 commits into from May 11, 2021
Merged

detect brute force login attempts from different ip addresses #17503

merged 9 commits into from May 11, 2021

Conversation

diosmosis
Copy link
Member

Description:

Detects brute force login attempts from different ip addresses, and notifies the user at most once every two weeks that someone is trying to break into their account this way.

Review

  • Functional review done
  • Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
  • Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • Security review done see checklist
  • Code review done
  • Tests were added if useful/possible
  • Reviewed for breaking changes
  • Developer changelog updated if needed
  • Documentation added if needed
  • Existing documentation updated if needed

@diosmosis diosmosis added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Apr 26, 2021
@diosmosis diosmosis added this to the 4.3.0 milestone Apr 26, 2021
@diosmosis diosmosis marked this pull request as draft April 26, 2021 16:14
@diosmosis diosmosis marked this pull request as ready for review May 7, 2021 00:23
@diosmosis diosmosis added the Needs Review PRs that need a code review label May 7, 2021
@diosmosis
Copy link
Member Author

This should be ready for review now

tsteur
tsteur reviewed May 10, 2021
View reviewed changes
Copy link
Member

@tsteur tsteur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diosmosis had a quick look and looks good 👍 I didn't do a proper review though be good for @sgiehl or @flamisz to have a look too and test it works

@diosmosis
make sure brute force detection happens after ip allow/block lists ar…
b60a410 
…e put into effect. this allows us to do less work in that case, and not allow attackers to disable login capability if we have an allowlist.
@diosmosis
apply some review feedback
d56cc42
@diosmosis
add new test and rename some methods
590dcb5
@diosmosis
Merge branch '4.x-dev' into user-login-brute-force
20f09b2
flamisz
flamisz suggested changes May 10, 2021
View reviewed changes
Copy link
Contributor

@flamisz flamisz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It took some time to test it. The pr description was not enough for me as I didn't know how the brute force originally worked. But made it work in the end, but the sent email wasn't "templated" properly.

Screen Shot 2021-05-10 at 4 24 50 PM

plugins/Login/Security/BruteForceDetection.php Show resolved Hide resolved
@diosmosis
Copy link
Member Author

But made it work in the end, but the sent email wasn't "templated" properly.

Thanks for catching this. Fixed.

@flamisz
Copy link
Contributor

flamisz commented May 10, 2021

But made it work in the end, but the sent email wasn't "templated" properly.

Thanks for catching this. Fixed.

It looks good now 👍

@diosmosis diosmosis merged commit e033f44 into 4.x-dev May 11, 2021
@diosmosis diosmosis deleted the user-login-brute-force branch May 11, 2021 01:47
@diosmosis diosmosis mentioned this pull request May 11, 2021
Merged
10 tasks
@sgiehl sgiehl mentioned this pull request May 11, 2021
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsteur tsteur tsteur left review comments

@flamisz flamisz flamisz approved these changes

@sgiehl sgiehl Awaiting requested review from sgiehl

Assignees
No one assigned
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Needs Review PRs that need a code review
Projects
None yet
Milestone
4.3.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@diosmosis @flamisz @tsteur