Server: Clear bruteforce protection from user upon successful login

Created on 19 Jan 2017  路  6Comments  路  Source: nextcloud/server

Steps to reproduce

  1. Get throttled via via request (keep logging in with wrong pw)
  2. Login with correct pw

Expected behaviour

  1. Requests should not be throttled anymore

Actual behaviour

  1. Requests to endpoints are still throttled

Extra points for the following:
When a user is already in the blacklist, and auth.bruteforce.protection.enabled is set to false, the requests are still throttled.

enhancement authentication good first issue
Source
picture brantje

Most helpful comment

Solution provided at https://help.nextcloud.com/t/solved-bruteforce-detection-blocking-my-ip-but-theres-no-oc-bruteforce-attempts-database/7652 (extend solution by clicking [v]). I purged all with DELETE FROM oc_bruteforce_attempts;

picture Spiritdude on 29 Apr 2017
👍2

All 6 comments

The config surly sounds like an issue.

However keeping the throttling sounds okay to me. It will expire after some hours if no further login attempts come in. But since we are using this more and more it should not really immediately forget all those...

nickvergessen picture nickvergessen on 19 Jan 2017

Same issue here, a big problem is nated trafic, all my clients are affected because the cloud domain has the public ISP-modem IP.
(so the modem forwards 443 trafic from the public ip to the internal cloudserver )

All requests from my public IP are slowed down, so all external clients are not able to use the service.
Anny ideas to fix that ?
edit:
The app is not able to connect

homecloudvie picture homecloudvie on 19 Jan 2017
👍1

Solution provided at https://help.nextcloud.com/t/solved-bruteforce-detection-blocking-my-ip-but-theres-no-oc-bruteforce-attempts-database/7652 (extend solution by clicking [v]). I purged all with DELETE FROM oc_bruteforce_attempts;

Spiritdude picture Spiritdude on 29 Apr 2017
👍2

cc @LukasReschke The middleware doesn't log the user in the brute force table. Should we add a hack there or for now ignore this one and only focus on the session this which properly logs the user ID?

MorrisJobke picture MorrisJobke on 9 May 2017

The middleware doesn't log the user in the brute force table. Should we add a hack there or for now ignore this one and only focus on the session this which properly logs the user ID?

This was fixed recently and can be implemented now.

MorrisJobke picture MorrisJobke on 15 Aug 2017

Fix is in #7263

MorrisJobke picture MorrisJobke on 23 Nov 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jancborchardt picture jancborchardt  路  3Comments
blackcrack picture blackcrack  路  3Comments
ThomasLeister picture ThomasLeister  路  3Comments
georgehrke picture georgehrke  路  3Comments
georgehrke picture georgehrke  路  3Comments