Add Captcha for Web UI & API blocking in case brute force attack

Ticket Number: TT#439048
Target Build: MR50-0
Affected Components: PortaAdmin, PortaSelfCare

Captcha Web UI Protection

This feature adds extra protection to the web log-in form. If someone tries to log in and enters a wrong password more than 3 times ($LOGIN_ATTEMPTS_COUNT = 4; see the example below) within 1 hour ($ATTEMPT_EXPIRATION_TIME => 3600;), we enable captcha, and that user has to enter a captcha code with every log-in request. Without a correct captcha code the login and password are not checked at all.

How we detect suspicious users:

  1. Count wrong log-in attempts for the user, keyed by login.
  2. Count unsuccessful attempts for the client, keyed by IP address + port.
  3. Sum the two values; if the result is > $LOGIN_ATTEMPTS_COUNT, captcha becomes mandatory.

Example:

  1. First login attempt with incorrect login-password
       is_captcha_needed > key_attempt_count  : 1
                         > login_attempt_count: 1
                                      (1 + 1) = 2
                         > is needed ?        : N
     so, the sum is 1 + 1 = 2
     2 < $LOGIN_ATTEMPTS_COUNT => captcha is not needed

  2. Next login attempt
       is_captcha_needed > key_attempt_count  : 2
                         > login_attempt_count: 2
                                      (2 + 2) = 4
                         > is needed ?        : N
     4 = $LOGIN_ATTEMPTS_COUNT => captcha is not needed

  3. Next login attempt
       is_captcha_needed > key_attempt_count  : 3
                         > login_attempt_count: 3
                                      (3 + 3) = 6
                         > is needed ?        : Y
     so, the sum is 3 + 3 = 6
     6 > $LOGIN_ATTEMPTS_COUNT => now captcha is needed.

From then on captcha is mandatory: it is included on the next login page, and every subsequent log-in request must carry it.


The captcha code is valid for a 3 minute time frame ($CAPTCHA_EXPIRATION_TIME => 180;). After that the captcha becomes invalid in any case, and the user has to enter a new one.

The captcha code length is 4 ($CAPTCHA_LENGTH => 4)
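The counting rule and the captcha lifetime above, as an added worked example (this is illustrative code written for this page, not PortaAdmin/PortaSelfCare code). The class `CaptchaGuard`, its method names, the client key format "ip:port", the digits-only captcha alphabet and the sample login/address are all assumptions; `is_captcha_needed` returns the sum together with the decision so the ticket's example can be replayed line by line.

```python
import secrets
import string
import time
from collections import defaultdict

# Settings as stated in the ticket (names kept, values as given there)
LOGIN_ATTEMPTS_COUNT = 4
ATTEMPT_EXPIRATION_TIME = 3600    # seconds of failure history kept per counter
CAPTCHA_EXPIRATION_TIME = 180     # seconds a captcha code stays valid
CAPTCHA_LENGTH = 4


class CaptchaGuard:
    """Counts failed web log-ins per login and per client key (IP + port)
    and decides when the captcha becomes mandatory.  Hypothetical class,
    not product code."""

    def __init__(self):
        self._failures = defaultdict(list)   # counter key -> failure timestamps
        self._captchas = {}                  # login -> (code, issued_at)

    def _count(self, bucket, now):
        # Drop entries older than one hour, then count what is left.
        cutoff = now - ATTEMPT_EXPIRATION_TIME
        self._failures[bucket] = [t for t in self._failures[bucket] if t > cutoff]
        return len(self._failures[bucket])

    def record_failure(self, login, client_key, now):
        # One wrong password bumps both counters.
        self._failures[("login", login)].append(now)
        self._failures[("key", client_key)].append(now)

    def is_captcha_needed(self, login, client_key, now):
        login_attempt_count = self._count(("login", login), now)
        key_attempt_count = self._count(("key", client_key), now)
        total = login_attempt_count + key_attempt_count
        return total, total > LOGIN_ATTEMPTS_COUNT

    def issue_captcha(self, login, now):
        code = "".join(secrets.choice(string.digits) for _ in range(CAPTCHA_LENGTH))
        self._captchas[login] = (code, now)
        return code

    def verify_captcha(self, login, answer, now):
        # Single use: the code is consumed whether or not the answer is right,
        # and an expired code is rejected regardless of the answer.
        entry = self._captchas.pop(login, None)
        if entry is None:
            return False
        code, issued_at = entry
        if now - issued_at > CAPTCHA_EXPIRATION_TIME:
            return False
        return secrets.compare_digest(code, answer)


def walk_ticket_example(start=0.0):
    """Replays the ticket's three failed attempts from one login and one
    client key; returns [(sum, needed), ...]."""
    guard = CaptchaGuard()
    login, client_key = "alice", "198.51.100.7:51234"   # constructed sample
    results = []
    for i in range(1, 4):
        now = start + i
        guard.record_failure(login, client_key, now)
        results.append(guard.is_captcha_needed(login, client_key, now))
    return results


if __name__ == "__main__":
    for total, needed in walk_ticket_example(time.time()):
        print(f"sum={total} -> captcha needed: {'Y' if needed else 'N'}")
```

Because both counters are bumped by the same failure, a single client hammering one login reaches the threshold on its third wrong password (3 + 3 = 6 > 4), exactly as in the ticket's example; the separate counters matter when failures for one login arrive from many addresses, or one address tries many logins.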
Blocking API Protection

NOTE: This feature does not apply to requests that carry a session id; such requests are not analysed at all.

This feature enables API (SOAP/REST/Direct) protection against password enumeration. The API analyses log-in requests in a similar way: if someone enters an incorrect password for some user (login+$ENV{Porta_Realm}) more than 3 times, we block the user for 5 sec ($API_BLOCKING_TIME_INC => 5;) and respond with "Incorrect login-password".

If the user tries to log in during the blocking period, we restart the blocking period from the last attempt and add 5 sec ($API_BLOCKING_TIME_INC => 5) to the blocking time frame. The maximum blocking period is 2 min ($MAX_API_BLOCKING_TIME => 120;).

During the blocking period all requests from the user (login+IP+Port) are skipped with the "Incorrect login-password" response.

When the blocking period ends we start accepting the user's requests again and allow the user to log in.

If the user enters a wrong password again, we add 5 sec to the delay from the previous blocking period.

We clean up all history 1 hour ($ATTEMPT_EXPIRATION_TIME => 3600) after the last unsuccessful attempt.
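The blocking rules of this section, as an added worked example (illustrative code written for this page, not the product's API code). Assumptions: blocking starts once the per-user counter exceeds 3 wrong passwords (`FAILURES_BEFORE_BLOCK`), the counter is kept per login+realm only, the growing delay is remembered across blocking periods until the one-hour clean-up, and the `ApiLoginGuard` class, its method names and the sample credentials are all constructed for the example.

```python
from dataclasses import dataclass, field

# Settings as stated in the ticket (names kept, values as given there)
API_BLOCKING_TIME_INC = 5        # seconds added per blocking step
MAX_API_BLOCKING_TIME = 120      # cap on the blocking period
ATTEMPT_EXPIRATION_TIME = 3600   # history is dropped this long after the last failure
FAILURES_BEFORE_BLOCK = 3        # assumption: "more than 3" wrong passwords starts blocking

INCORRECT = "Incorrect login-password"
OK = "OK"


@dataclass
class UserState:
    failures: list = field(default_factory=list)  # timestamps of wrong passwords
    block_len: int = 0                            # current blocking period length
    blocked_until: float = 0.0                    # end of the current blocking period


class ApiLoginGuard:
    """Hypothetical per-user blocking for session-less API log-ins.
    `credentials` maps 'login@realm' to a password (constructed sample data)."""

    def __init__(self, credentials):
        self._credentials = credentials
        self._state = {}

    def _state_for(self, user, now):
        st = self._state.setdefault(user, UserState())
        # Clean-up rule: one hour after the last unsuccessful attempt the
        # whole history (counter and accumulated delay) is forgotten.
        if st.failures and now - st.failures[-1] > ATTEMPT_EXPIRATION_TIME:
            st = self._state[user] = UserState()
        return st

    def _extend_block(self, st, now):
        st.block_len = min(st.block_len + API_BLOCKING_TIME_INC, MAX_API_BLOCKING_TIME)
        st.blocked_until = now + st.block_len   # period restarts at this attempt

    def login(self, login, realm, password, now):
        user = f"{login}@{realm}"                # login + $ENV{Porta_Realm}
        st = self._state_for(user, now)
        if now < st.blocked_until:
            # Blocked: the password is not looked at, the block only grows.
            self._extend_block(st, now)
            return INCORRECT
        if self._credentials.get(user) == password:
            return OK
        st.failures.append(now)
        if len(st.failures) > FAILURES_BEFORE_BLOCK:
            self._extend_block(st, now)
        return INCORRECT

    def block_length(self, login, realm):
        st = self._state.get(f"{login}@{realm}")
        return st.block_len if st else 0

    def seconds_blocked(self, login, realm, now):
        st = self._state.get(f"{login}@{realm}")
        return max(0.0, st.blocked_until - now) if st else 0.0


def run_scenario():
    """Walks one user through the ticket's rules; returns the guard and the responses."""
    guard = ApiLoginGuard({"alice@example.com": "correct-horse"})  # constructed sample
    args = ("alice", "example.com")
    out = []
    for t in (0, 1, 2, 3):                                    # four wrong passwords in a row
        out.append(guard.login(*args, "wrong", now=t))
    out.append(guard.login(*args, "correct-horse", now=5))    # right password, still blocked
    out.append(guard.login(*args, "correct-horse", now=20))   # block over, accepted
    out.append(guard.login(*args, "wrong", now=21))           # delay grows from the last period
    out.append(guard.login(*args, "wrong", now=4000))         # history expired, counter restarts
    return guard, out


if __name__ == "__main__":
    _, responses = run_scenario()
    for step, response in enumerate(responses, 1):
        print(f"step {step}: {response}")
```

Note that a correct password sent during the blocking period is answered with "Incorrect login-password" and lengthens the block, so the response never reveals whether the password was right; that is the property that makes the delay useful against enumeration.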

Specifications

Create "Test Plan"