[Geoserver-devel] [JIRA] (GEOS-8850) Brute force prevention delay triggered for all login attempts

Davlet Panech created an issue

GeoServer / Bug GEOS-8850

Brute force prevention delay triggered for all login attempts

Issue Type:

Bug

Affects Versions:

2.10.4, 2.13.1

Assignee:

Unassigned

Created:

17/Jul/18 5:20 PM

Priority:

Medium

Reporter:

Davlet Panech

Attempting to login with any user/password other than admin/geoserver results in brute force attack prevention measures being activated, even with perfectly valid logins. I can clearly see (in a debugger) that the class BruteForceListener is always invoked twice – once for the actual user login sent from the login form, and then the second time with “admin/geoserver” credentials. I think this is because the home page is trying to check whether the default admin password has been changed in order to display a warning. Anyway, this results in log messages claiming there was a failed login attempt, as well as a few second delay being triggered.

I tested this in 2.10.4 and 2.13.1, it looks like this bug has been around for a while.

How to reproduce

1. Start geoserver on top of the default data directory included with binary distributions

  1. Login as admin

  2. Change admin password; the change is accepted, but server log output contains this:

    [...]
    16 Jul 12:10:30 INFO [security.xml] - Successful lock: security/usergroup/default/users.xml.lock
    16 Jul 12:10:30 INFO [geoserver.security] - Start storing user/groups for service named default
    16 Jul 12:10:30 INFO [geoserver.security] - Storing user/groups successful for service named default
    16 Jul 12:10:30 INFO [geoserver.security] - Start reloading user/groups for service named default
    16 Jul 12:10:30 INFO [geoserver.security] - Reloading user/groups successful for service named default
    16 Jul 12:10:30 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml
    16 Jul 12:10:30 INFO [security.xml] - Successful lock: security/role/default/roles.xml.lock
    16 Jul 12:10:30 INFO [geoserver.security] - Storing unnecessary, no change for roles
    16 Jul 12:10:30 WARN [geoserver.security] - Failed login, user admin from 0:0:0:0:0:0:0:1
    16 Jul 12:10:30 INFO [geoserver.security] - Brute force attack prevention, delaying login for 4981ms
    16 Jul 12:10:39 INFO [geoserver.security] - Start reloading user/groups for service named default
    16 Jul 12:10:39 INFO [geoserver.security] - Reloading user/groups successful for service named default
    16 Jul 12:10:39 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml
    [...]

    Note the “Failed login… / Brute force attack prevention …” lines

  3. Log out and log in with the new password

  4. Credentials are accepted, but the response is delayed and this appears in server output:

    16 Jul 12:11:04 WARN [geoserver.security] - Failed login, user admin from 0:0:0:0:0:0:0:1
    16 Jul 12:11:04 INFO [geoserver.security] - Brute force attack prevention, delaying login for 1357ms


This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100089-sha1:2806cf0)