detect possible attack and mitigate #2794

Closed
robocoder opened this issue Nov 23, 2011 · 2 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. duplicate For issues that already existed in our issue tracker and were reported previously. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@robocoder
Contributor

As part of Piwik's multi-layered security approach, there are a number of areas which could detect a possible attack and mitigate it (e.g., block).

Scenarios:

  • n failed login attempts (e.g., brute force)
  • n failed lost password requests
  • n failed password reset attempts
  • password reset with invalid (e.g., expired) reset token (e.g., replay)
  • n feedback requests within m minutes
  • n API requests with invalid parameter
  • API request with invalid token
  • direct access to .php file
  • request for non-existent file
  • directory list attempt

Could optionally be extended to tracking requests, with the caveat that this would have some impact on performance.

Note: some of the above involves integration with the web server (e.g., Apache); I have no idea how doable some of this is with other servers (e.g., IIS, lighttpd, nginx, cherokee, jetty, tomcat, ...).
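
The scenarios listed above, as an added example that is not Piwik/Matomo code: a per-IP sliding-window detector that counts each event type ("n events within m seconds"), locks the source address out once a threshold is crossed, and also classifies web-server access-log entries (direct .php access, 404s, directory-listing attempts) into the same event stream so the web-server-level items can be handled by the same logic. The event names, thresholds, block durations, the set of allowed entry points, the log-line format and the sample log are all assumptions made for this illustration.

```python
"""Sliding-window abuse detector and per-IP lockdown.

Added example, not Piwik/Matomo code. Event names, thresholds, block
durations, allowed entry points and the log format are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    threshold: int  # n events ...
    window_s: int   # ... within this many seconds ...
    block_s: int    # ... lock the source IP out for this long


# Illustrative thresholds (assumption), one rule per scenario in the issue.
RULES: Dict[str, Rule] = {
    "login_failed":         Rule(5, 600, 900),
    "lost_password_failed": Rule(5, 600, 900),
    "reset_failed":         Rule(3, 600, 900),
    "reset_invalid_token":  Rule(1, 600, 900),   # expired/replayed token: block at once
    "feedback_request":     Rule(3, 60, 300),
    "api_invalid_param":    Rule(20, 60, 300),
    "api_invalid_token":    Rule(5, 60, 900),
    "direct_php_access":    Rule(1, 60, 3600),
    "not_found":            Rule(20, 60, 300),
    "directory_list":       Rule(1, 60, 3600),
}

# Scripts that may legitimately be requested directly (assumption).
ALLOWED_ENTRYPOINTS = {"/index.php", "/piwik.php"}


def classify_request(path: str, status: int) -> Optional[str]:
    """Map a web-server access-log entry (path, status) to an event name, or None."""
    if path.endswith(".php") and path not in ALLOWED_ENTRYPOINTS:
        return "direct_php_access"
    if status == 404:
        return "not_found"
    if status == 403 and path != "/" and path.endswith("/"):
        return "directory_list"   # request for a directory that is not served
    return None


class Lockdown:
    def __init__(self, rules: Dict[str, Rule] = RULES) -> None:
        self.rules = rules
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        return self.blocked_until.get(ip, 0.0) > now

    def record(self, ip: str, event: str, now: float) -> bool:
        """Record one event for ip; return True if it crossed the rule's threshold."""
        rule = self.rules.get(event)
        if rule is None:
            return False
        window = self.hits[(ip, event)]
        window.append(now)
        while window and now - window[0] > rule.window_s:   # slide the window
            window.popleft()
        if len(window) >= rule.threshold:
            until = now + rule.block_s
            self.blocked_until[ip] = max(self.blocked_until.get(ip, 0.0), until)
            window.clear()   # a fresh run of n events is needed to re-trigger
            return True
        return False


def replay(lines: List[str]) -> List[Tuple[str, str, float]]:
    """Feed '<ts> <ip> <event>' or '<ts> <ip> <path> <status>' lines; return blocks."""
    ld = Lockdown()
    triggered: List[Tuple[str, str, float]] = []
    for line in lines:
        ts, ip, rest = line.split(" ", 2)
        now = float(ts)
        if ld.is_blocked(ip, now):
            continue   # already locked out: the request is dropped, not counted
        parts = rest.split()
        if len(parts) == 2 and parts[0].startswith("/"):
            event = classify_request(parts[0], int(parts[1]))
        else:
            event = parts[0]
        if event and ld.record(ip, event, now):
            triggered.append((ip, event, now))
    return triggered


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "1000 203.0.113.7 login_failed",
    "1010 203.0.113.7 login_failed",
    "1020 203.0.113.7 login_failed",
    "1030 203.0.113.7 login_failed",
    "1040 203.0.113.7 login_failed",           # 5th failure within 600 s: block
    "1050 203.0.113.7 login_failed",           # dropped, address already blocked
    "1100 198.51.100.2 /libs/example.php 200",  # hypothetical non-entrypoint .php
    "1200 192.0.2.9 /index.php 200",           # allowed entry point, no event
    "1210 192.0.2.9 /tmp/ 403",                # directory-listing attempt: block
    "1300 192.0.2.5 reset_invalid_token",      # expired/replayed token: block
    "2000 198.51.100.8 login_failed",
    "2700 198.51.100.8 login_failed",          # 700 s apart: window slid, no block
]

if __name__ == "__main__":
    for ip, event, at in replay(SAMPLE_LOG):
        print(f"t={at:.0f} blocked {ip} after {event}")
```

Counting per source IP rather than per account is deliberate: an attacker cycling through usernames still trips the login-failure rule, and the same lockout applies whether or not the username exists, so the response cannot be used to enumerate accounts. The rules with threshold 1 (replayed reset token, direct .php access, directory listing) are the cases where a single request is already unambiguous.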

@mattab
Member

mattab commented Feb 17, 2012

See also: #2888

@mattab
Member

mattab commented Oct 5, 2012

I included the "do-able" checks (i.e. username/email enumeration, brute force on login/reset password, and failed token in API requests) as part of the "Lockdown IP address" ticket at: #2888

Closing this as the remaining items could possibly be done on a webserver level.

See #2888

This issue was closed.