WordOps
[Feature request] Implement bruteforce protection for http basic auth
This may be a plausible solution: https://serverfault.com/a/421050
Or is something like this already implemented and I've overlooked it?
Already implemented. Unauthorized requests return 403 Forbidden, which is handled by rate limiting in Nginx and fail2ban.
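As an added illustration of the log-based half of that protection (this is example code, not WordOps' or fail2ban's own), the snippet below does what a fail2ban jail does for nginx basic auth: it counts failed-auth responses per client IP over a sliding time window and reports the IPs that cross the threshold. The access-log lines, the window and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format; the status code is the field right after the quoted request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (no real server): one fast brute-force burst, one mostly
# legitimate client, and one slow client whose failures age out of the window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:12:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:11 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:12 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:12:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:12:12:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:12:18:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:12:24:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "curl/8.0"
"""


def find_offenders(lines, statuses=("401", "403"), max_fails=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp} for IPs that reach max_fails failed-auth responses
    within `window` (fail2ban's maxretry/findtime semantics, approximately)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures, oldest first
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in statuses:
            continue                              # not a failed-auth response
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:           # drop failures older than the window
            q.popleft()
        if len(q) >= max_fails and ip not in banned:
            banned[ip] = ts                       # first moment the threshold is crossed
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
```

The slow client 192.0.2.9 never accumulates five failures inside ten minutes, which is exactly the gap a per-IP threshold leaves and why the Nginx rate limit is kept alongside the ban logic.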
Thanks for your reply @tersor!
Can you possibly share some details about the implementation? Or link to the relevant part of the code? I'd like to have a better understanding for risk analysis.
Hello, instead of fail2ban you can also use CrowdSec, which is faster and smarter than Fail2ban.
CrowdSec does sound better than fail2ban, which has been using way too much memory.
I hope the WordOps team might take a look into it, but I'm not planning to introduce that level of complexity into our own system by reconfiguring WordOps internals.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Currently, if fail2ban crashes (e.g. OOM), I assume this would leave the server open to attack - so not stale.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Not stale.
Not stale.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Not stale.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Not stale.
Crowdsec is a paid solution and not a direct substitute for Fail2Ban.
If F2B crashes, the sysadmin is responsible for detecting and resolving the issue. However, it’s important to remember that any service can crash; there’s no such thing as a “perfect” firewall.
Therefore, this issue is somewhat irrelevant. Also, fighting the bot with "not stale" every time is not going to lead you anywhere.
Fail2Ban shouldn't be configured in a way that leads to ever increasing memory usage over time until it crashes. This could seemingly be avoided by rotating the logs more efficiently.
I wouldn't say that typing 9 characters is much of an effort.
One of the most beautiful aspects of open source is that anyone can contribute improvements and submit them to the repository. I’ve contributed to WordOps a few times myself, even learning some Python to add value instead of just complaining that things aren’t the way I want them to be. Just saying.
Not stale.
Oh no, complaining!
To be more direct: test CrowdSec. I introduced it to WordOps a while ago, and the project is studying how to integrate it with the WordOps ecosystem to replace Fail2ban. Uninstall Fail2ban from your machine and test CrowdSec; I guarantee you won't regret it. It's super easy to install and proves to be very efficient, and it is clearly meant to address precisely the problem you opened in the repository.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.