rustdesk-server-pro
[BUG] - 2FA
Hey,
RUSTDESK PRO 1.1.9: Personal Licence
Since 2FA (SMTP with OVH) is enabled, I have this message:
If I wait 2-3 min, it's the same.. 👎🏻
If I wait a little bit more, we have a message that we have a problem with the protocol version
And when a user enters a wrong pass, we have no alarm/alert and no log.
Config of user :
Config of SMTP :
Thanks for help !
@Apashh can you invite me? and let me try. [email protected]
Or create an account for me, send to above mail.
Info sent! ;)
Just tested, worked for me
- logged in with the username and password
- turned on email verification
- log out
- enter in username and password again
- enter verification code
- logged in
> And when user enter wrong pass, we have no alarm/alert and no log.
The alarm / alert is for RustDesk connection login.
https://github.com/rustdesk/rustdesk/blob/0020a370298130476fbde6996a13ddef7dbacaf0/src/server/connection.rs#L832
https://github.com/rustdesk/rustdesk/blob/0020a370298130476fbde6996a13ddef7dbacaf0/src/server/connection.rs#L1457
Yes, you are right, we should add this for web console login also. But we need to investigate first, I have never seen any website warn me via email after entering a wrong password. Though an alarm like logging in from a different city is common. @21pages
Hm ok! ;) But I have tested this, and if I want to connect to a device with multiple wrong passwords I have no log/alarm... What am I doing wrong?
It only alarms after reaching the time as below.
https://github.com/rustdesk/rustdesk/blob/0020a370298130476fbde6996a13ddef7dbacaf0/src/server/connection.rs#L1457
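```rust
// Third counter above 30: reject and raise the ManyWrongPassword alarm.
if failure.2 > 30 {
    self.send_login_error("Too many wrong password attempts")
        .await;
    Self::post_alarm_audit(
        AlarmAuditType::ManyWrongPassword,
        json!({
            "ip": self.ip,
        }),
    );
// `time` equals the recorded one and the second counter is above 6:
// reject and raise the FrequentAttempt alarm.
} else if time == failure.0 && failure.1 > 6 {
    self.send_login_error("Please try 1 minute later").await;
    Self::post_alarm_audit(
        AlarmAuditType::FrequentAttempt,
        json!({
            "ip": self.ip,
        }),
    );
```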
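A stand-alone model of the threshold check quoted above, added here as an illustration; it is not taken from the RustDesk code base or from any participant in this thread. It assumes the `failure` tuple holds (minute bucket, failures in that minute, total failures) and that rejected-before-check attempts are not counted; `LoginGuard`, `record_failure` and `first_hit` are hypothetical names.

```rust
// Added example: stand-alone model of the threshold check quoted in this thread.
// Assumption: `failure` = (minute bucket, failures in that minute, total failures).
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Decision {
    Allow,
    FrequentAttempt,   // "Please try 1 minute later"
    ManyWrongPassword, // "Too many wrong password attempts"
}

#[derive(Default)]
struct LoginGuard(HashMap<String, (i64, u32, u32)>);

impl LoginGuard {
    // Same comparisons as the quoted excerpt; `minute` is the time in whole minutes.
    fn check(&self, ip: &str, minute: i64) -> Decision {
        let f = self.0.get(ip).copied().unwrap_or((0, 0, 0));
        if f.2 > 30 {
            Decision::ManyWrongPassword
        } else if minute == f.0 && f.1 > 6 {
            Decision::FrequentAttempt
        } else {
            Decision::Allow
        }
    }
    // Hypothetical bookkeeping: count a wrong password that was actually checked.
    fn record_failure(&mut self, ip: &str, minute: i64) {
        let f = self.0.entry(ip.to_string()).or_insert((minute, 0, 0));
        if f.0 != minute { *f = (minute, 0, f.2); } // new minute: reset the per-minute count
        f.1 += 1;
        f.2 += 1;
    }
}

// 1-based index of the first of `attempts` wrong logins (`per_minute` each minute) that gets `target`.
fn first_hit(attempts: u32, per_minute: u32, target: Decision) -> Option<u32> {
    let (mut guard, ip) = (LoginGuard::default(), "203.0.113.7"); // constructed sample IP
    (0..attempts).find_map(|i| {
        let minute = 1000 + i64::from(i / per_minute);
        let d = guard.check(ip, minute);
        if d == Decision::Allow { guard.record_failure(ip, minute); }
        (d == target).then_some(i + 1)
    })
}

fn main() {
    println!("one minute:    {:?}", first_hit(50, 50, Decision::ManyWrongPassword));
    println!("10 per minute: {:?}", first_hit(50, 10, Decision::ManyWrongPassword));
}
```

Under these assumptions, 50 wrong logins inside a single minute only ever get the per-minute response, while the same 50 spread at 10 per minute reach the total-count response on attempt 44.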
I have these messages:
But no log
And never this: `self.send_login_error("Too many wrong password attempts")`
@21pages verify this please.
> And never this : self.send_login_error("Too many wrong password attempts")

You need to make sure this controlled machine can access API server. https://github.com/rustdesk/rustdesk-server-pro/issues/21#issuecomment-1637935750 Anyhow, @21pages will verify it. I did not test this for long.
@Apashh Thanks a lot, We reproduced the issue, we will fix soon.
> self.send_login_error("Too many wrong password attempts")

More than 30 times
> And never this : self.send_login_error("Too many wrong password attempts")

> You need to make sure this controlled machine can access API server. #21 (comment)

@Apashh can you confirm this? @21pages said he can get 3 alarms as above pic.
I have 2/3 messages:
this first (no log but it's ok):
after multiple tests (but no log here, bug?):
after 50+ tests, no message indicates "Your IP is blocked by the peer"
Set IP whitelisting
Hm, I have the message:
But again no log... It will be interesting to block the IP automatically after multiple attempts.
For example, in the web console we can edit the number of password attempts and how long the IP will be blocked
In this current release, the client message box can pop up but the web console alarm log can't show. It has been fixed; the web console log will show in the next release
I installed version 1.1.10 and I tried on the client side with 50 bad login attempts ... no entry in the alarm log.
https://github.com/rustdesk/rustdesk-server-pro/issues/70#issuecomment-1732684183