
Brute force attacks protection

Open gimenete opened this issue 8 years ago • 6 comments

There should be protection against brute force attacks by slowing down the server:

  • Many failed logins from same IP
  • Many failed logins to the same email (even if they are from different IPs).
  • Many failed logins using the same password (even if they are from different IPs or to different accounts).

We need to store some counters either in memory (default) or redis (opt-in feature that would allow multiple server instances having the same counters).

gimenete · Mar 31 '17 14:03

reCAPTCHA was added, but we might want to implement other mechanisms.

gimenete · Apr 28 '17 10:04

You might want to increase the response time slightly with every incorrect attempt as well.

callaars · Apr 28 '17 10:04
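The three counters from the opening post (per IP, per email, per password) together with callaars's progressive delay, as an added example that is not code from this repository. Thresholds, the window length and the `COUNTER_SECRET` key are constructed values; the in-memory dict stands in for the Redis counters the issue mentions as an opt-in.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed thresholds: the issue names the three dimensions but no numbers.
WINDOW_SECONDS = 300                        # sliding window for failure counts
LIMITS = {"ip": 20, "email": 10, "password": 30}
BASE_DELAY = 0.5                            # seconds; doubles with each consecutive failure
MAX_DELAY = 8.0
COUNTER_SECRET = b"hypothetical-rotate-me"  # assumed server-side key for hashing passwords


class LoginGuard:
    """Failed-login counters per IP, per email and per password (in memory).

    Every key holds a deque of failure timestamps; stale entries are dropped on
    each read, so counts reflect only the last WINDOW_SECONDS.  Replacing the
    dict with Redis (INCR/EXPIRE) keeps the same interface.
    """

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock for testing
        self._failures = defaultdict(deque)
        self._streak = defaultdict(int)     # consecutive failures per email

    def _key(self, kind, value):
        if kind == "password":
            # Never store plaintext: a keyed hash still lets identical passwords
            # collide (spraying detection) without exposing them if the store leaks.
            value = hmac.new(COUNTER_SECRET, value.encode(), hashlib.sha256).hexdigest()
        return (kind, value)

    def _prune(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        q = self._failures[key]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def count(self, kind, value):
        return len(self._prune(self._key(kind, value)))

    def blocked(self, ip, email, password):
        """Return the first exhausted dimension, or None if the attempt may proceed."""
        for kind, value in (("ip", ip), ("email", email), ("password", password)):
            if self.count(kind, value) >= LIMITS[kind]:
                return kind
        return None

    def delay_for(self, email):
        """Progressive delay: 0.5 s after the first failure, doubling, capped."""
        n = self._streak[email]
        return min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY) if n else 0.0

    def record_failure(self, ip, email, password):
        now = self._now()
        for kind, value in (("ip", ip), ("email", email), ("password", password)):
            self._failures[self._key(kind, value)].append(now)
        self._streak[email] += 1

    def record_success(self, email):
        self._streak[email] = 0


def attempt_login(guard, ip, email, password, check_credentials):
    """Gate a login through the counters; returns the delay the handler should apply.

    The delay is returned rather than slept here so the HTTP layer can apply it
    (and so tests run instantly).
    """
    dimension = guard.blocked(ip, email, password)
    if dimension:
        return {"ok": False, "reason": f"too many failures ({dimension})",
                "delay": guard.delay_for(email)}
    if check_credentials(email, password):
        guard.record_success(email)
        return {"ok": True, "reason": "", "delay": 0.0}
    guard.record_failure(ip, email, password)
    return {"ok": False, "reason": "invalid credentials", "delay": guard.delay_for(email)}


if __name__ == "__main__":
    guard = LoginGuard()
    creds = lambda email, pw: (email, pw) == ("alice@example.com", "correct horse")
    for _ in range(4):
        print(attempt_login(guard, "203.0.113.7", "alice@example.com", "wrong", creds))
```

The per-password counter is what catches spraying (one password tried against many accounts from many IPs), which neither the per-IP nor the per-email counter sees. Because the per-email counter can be driven by anyone who knows a victim's address, it is applied as a growing delay rather than a hard lockout.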

Yeah, agreed.

I've looked at this module for in-memory rate limiting: https://github.com/jhurliman/node-rate-limiter

And these docs for using redis for rate limiting: https://redis.io/commands/incr#pattern-rate-limiter-1

gimenete · Apr 28 '17 14:04

The first step would be to just add rate limiting in nginx through: limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s; for example.

We could advise on that.

callaars · Apr 28 '17 14:04

We might not need to hit the actual app for this.

callaars · Apr 28 '17 14:04

It would also make sense to cache the JWTs in redis, and then a quick check can filter out most unauthorized requests without having to decode or verify any session IDs.

chadfurman · Sep 24 '17 22:09
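The cache-first check chadfurman describes, as an added example that is not code from this repository. It mints HS256 tokens with an assumed `SIGNING_KEY`, records a hash of each issued token in a dict that stands in for Redis, and rejects anything not in that cache before any parsing or signature work happens; tokens that pass the cache are still fully verified.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"hypothetical-hs256-key"  # assumed server-side JWT signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cache_key(token: str) -> str:
    # Store a hash, not the bearer token, so a dumped cache yields no usable sessions.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(subject: str, ttl: int, cache: dict, now=time.time) -> str:
    """Mint an HS256 JWT and register it in the session cache (dict stands in for Redis)."""
    exp = int(now()) + ttl
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": subject, "exp": exp}).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())
    token = f"{header}.{payload}.{signature}"
    cache[cache_key(token)] = exp  # with Redis: SET <key> <exp> EX <ttl>
    return token


def revoke_token(token: str, cache: dict) -> None:
    """Logout / forced revocation: dropping the cache entry is enough to reject the token."""
    cache.pop(cache_key(token), None)


def authenticate(token: str, cache: dict, now=time.time):
    """Return (claims, stage).

    stage is "cache" when the request was rejected by the cheap lookup (no
    parsing, no crypto), "verify" when a cached token failed full validation,
    and "ok" on success.
    """
    exp = cache.get(cache_key(token))
    if exp is None or exp <= now():
        return None, "cache"
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None, "verify"
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None, "verify"
    if header.get("alg") != "HS256" or claims.get("exp", 0) <= now():
        return None, "verify"
    return claims, "ok"


if __name__ == "__main__":
    sessions = {}
    tok = issue_token("alice", 3600, sessions)
    print(authenticate(tok, sessions))
    print(authenticate(tok[:-2] + "xx", sessions))  # tampered: rejected at the cache stage
```

The lookup is a pre-filter, not a replacement for verification: a cache hit still goes through the signature and expiry checks. The same entry doubles as a revocation list, which stateless JWTs otherwise lack, so logout and forced session termination become a single delete.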