incubator-cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: Review Request: CS-10219 Add option to set login attempts to portal.
Date Wed, 05 Sep 2012 15:23:18 GMT
Just a note on this for the future - most of the penetration testing teams[1] out there now
will attempt a dictionary attack not by trying different passwords with the same username,
but by trying the same password across the 1000 most common usernames. Would be nice if we
could track failed logins across multiple usernames (maybe for 4.1 ;) )

John
1: Malicious users are doing it as well, but depending on the CS user, they may (unfortunately)
care more about the pen test report than the hacker…

On Sep 5, 2012, at 7:56 AM, saksham srivastava <saksham.srivastava@citrix.com> wrote:



On Sept. 3, 2012, 5:28 p.m., Nitin Mehta wrote:
server/src/com/cloud/user/AccountManagerImpl.java, line 427
<https://reviews.apache.org/r/6858/diff/3/?file=149072#file149072line427>

   The function signature should be something like this :-
   updateLoginAttempts(Long accountId, int failedLoginAttempts , boolean isDisableAllowed)

Changed the name of variables to attempts and toDisable.


On Sept. 3, 2012, 5:28 p.m., Nitin Mehta wrote:
server/src/com/cloud/user/AccountManagerImpl.java, line 1029
<https://reviews.apache.org/r/6858/diff/3/?file=149072#file149072line1029>

   Don't you have to do this for all the users belonging to this account?

No, the aim is only to enable the login attempts of that particular user. All users have independent
login_attempts irrespective of their account.


On Sept. 3, 2012, 5:28 p.m., Nitin Mehta wrote:
server/src/com/cloud/user/AccountManagerImpl.java, line 1859
<https://reviews.apache.org/r/6858/diff/3/?file=149072#file149072line1859>

   The value can be 0, meaning for the 1st incorrect login you disable the account

0 means login is not allowed. 1 means a single attempt is provided.


- saksham


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6858/#review10998
-----------------------------------------------------------


On Sept. 5, 2012, 2:56 p.m., saksham srivastava wrote:

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6858/
-----------------------------------------------------------

(Updated Sept. 5, 2012, 2:56 p.m.)


Review request for cloudstack, Devdeep Singh, Nitin Mehta, and Alena Prokharchyk.


Description
-------

Added global setting login.attempts.allowed which defines the maximum incorrect password attempts
allowed.
Also after the maximum attempts are reached the user account is disabled.


This addresses bug CS-10219.


Diffs
-----

 core/src/com/cloud/user/UserAccountVO.java 5e7c018
 server/src/com/cloud/configuration/Config.java ebcd070
 server/src/com/cloud/user/AccountManagerImpl.java 38153f3
 setup/db/create-schema.sql fa933e3
 setup/db/db/schema-302to40.sql aaf23e6

Diff: https://reviews.apache.org/r/6858/diff/


Testing
-------

Verified locally.


Thanks,

saksham srivastava




Stratosec<http://stratosec.co> - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>
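Worked example, added here for illustration and not taken from CloudStack or from anyone in this thread: a per-user failed-login counter with the `login.attempts.allowed` semantics stated above (0 means no login allowed, N means N wrong passwords before the user is disabled, counters per user rather than per account), alongside the cross-username check John asks for, which flags a source that fails logins against many distinct usernames inside a time window. Class names, the log line format, and the sample log are constructed assumptions for the example.

```python
# Illustrative example, not CloudStack's code: a per-user failed-login limiter with the
# login.attempts.allowed semantics from the review thread, plus a detector that correlates
# failures across many usernames from one source (one password, many accounts), which
# per-user counters alone never notice because each user sees only one failure.
from collections import defaultdict, deque
from datetime import datetime


class LoginAttemptPolicy:
    """Per-user counter: 0 means no login is allowed at all, N means the N-th wrong
    password disables the user. Counters are per user, not per account, as the
    review reply states."""

    def __init__(self, attempts_allowed: int):
        self.attempts_allowed = attempts_allowed
        self.failed = defaultdict(int)   # username -> consecutive failures
        self.disabled = set()

    def record(self, username: str, password_ok: bool) -> str:
        if self.attempts_allowed == 0:
            return "denied"              # setting 0: logins are not allowed
        if username in self.disabled:
            return "disabled"
        if password_ok:
            self.failed[username] = 0    # a good login resets the counter
            return "ok"
        self.failed[username] += 1
        if self.failed[username] >= self.attempts_allowed:
            self.disabled.add(username)
            return "disabled"
        return "failed"


class SprayDetector:
    """Flags a source that fails logins against at least `distinct_users` different
    usernames within `window_seconds`. Hypothetical class for this example."""

    def __init__(self, window_seconds: int, distinct_users: int):
        self.window = window_seconds
        self.threshold = distinct_users
        self.events = defaultdict(deque)  # source -> deque of (timestamp, username)

    def observe(self, ts: float, source: str, username: str) -> bool:
        q = self.events[source]
        q.append((ts, username))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        return len({u for _, u in q}) >= self.threshold


def parse_line(line: str):
    """Parse a constructed log line: '<iso8601>Z src=<ip> user=<name> result=<OK|FAIL>'."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp()
    return ts, kv["src"], kv["user"], kv["result"] == "OK"


def replay(lines, attempts_allowed=5, window_seconds=60, distinct_users=3):
    """Run both checks over log lines; returns (disabled users, sources flagged as spraying)."""
    policy = LoginAttemptPolicy(attempts_allowed)
    spray = SprayDetector(window_seconds, distinct_users)
    flagged = set()
    for line in lines:
        ts, src, user, ok = parse_line(line)
        policy.record(user, ok)
        if not ok and spray.observe(ts, src, user):
            flagged.add(src)
    return policy.disabled, flagged


# Constructed sample log: one source tries several different usernames once each,
# another source fails repeatedly against a single user and then succeeds.
SAMPLE_LOG = [
    "2012-09-05T15:00:00Z src=10.0.0.5 user=admin result=FAIL",
    "2012-09-05T15:00:01Z src=10.0.0.5 user=test result=FAIL",
    "2012-09-05T15:00:02Z src=10.0.0.5 user=guest result=FAIL",
    "2012-09-05T15:00:03Z src=10.0.0.5 user=operator result=FAIL",
    "2012-09-05T15:00:10Z src=10.0.0.9 user=alice result=FAIL",
    "2012-09-05T15:00:11Z src=10.0.0.9 user=alice result=FAIL",
    "2012-09-05T15:00:12Z src=10.0.0.9 user=alice result=FAIL",
    "2012-09-05T15:00:13Z src=10.0.0.9 user=alice result=OK",
]

if __name__ == "__main__":
    # With attempts_allowed=3, alice is disabled by the per-user counter, while
    # 10.0.0.5 is only caught by the cross-username check.
    print(replay(SAMPLE_LOG, attempts_allowed=3))
```

Running the sample with `attempts_allowed=3` disables `alice` (three wrong passwords) but leaves `admin`, `test`, `guest` and `operator` untouched, since each saw a single failure; only the `SprayDetector`, keyed on the source rather than the user, flags `10.0.0.5`. Keying the second check on the source address is the simplest option and is what the example does; in a deployment behind a shared proxy or NAT it needs a more careful key, or the threshold will trip on legitimate traffic.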

