web2py Safety discussion


BlueShadow

Jun 1, 2013, 4:55:53 PM
to web...@googlegroups.com
Hi,
Overall web2py is pretty safe as far as I know. https://scanmyserver.com/ shows 6 "low priority" risks for my web2py app. As far as I'm concerned they are very low priority, but since I started to record all errors (codes 400, 404, 500) in a database table I have become a little concerned, since my very small site gets 20 attacks on some days. They are pretty primitive as far as I can tell: trying to call the admin page or /wp-login..., trying to add code after the URL...
So my concern is not the site itself but the appadmin. It is only protected by a password and, as far as I can tell, there is no brute-force protection like a timeout after three or five misspelled passwords.
I don't know if I'm just paranoid, but I can't record whether there are attempts to access appadmin, and there is no timeout for the password.
I would welcome your thoughts on this issue.

Massimo Di Pierro

Jun 1, 2013, 5:10:09 PM
to web...@googlegroups.com
These are serious concerns.

The safest option is to block admin+appadmin simply by not providing a password.
Another option is to configure the web server to only accept admin connections from localhost and require an SSH tunnel otherwise.

The problem with adding a timeout after 3 misspelled passwords is that it does not solve the problem and creates more. In order to know that repeated failures come from the same client, we need to store the IP of attempted logins. This opens the door to DoS attacks.

We could add a 5 sec delay to all failed logins, but attempts are not sequential and may be carried out by different threads.
We could also add a 5 sec delay to all failed logins and force the server to serialize all login attempts. This may also open the door to DoS.

There is no solution which is obviously better than others. What would you suggest?

Massimo

Kevin Bethke

Jun 1, 2013, 5:28:03 PM
to web...@googlegroups.com

The SSH tunnel is probably the best and only really secure option. If anyone can point me towards a tutorial for this, that would be awesome.
Thinking about another solution: how about adding a username? This would make brute force even harder. As far as my novice knowledge goes, servers like Apache and nginx record all requests. Writing a script catching all requests to the appadmin login shouldn't be too hard. Now one could use a cron job to check that list every 5 min, for example. If the login page is called more than 5 times: block access to appadmin for 20 min.
Those are just my thoughts; I haven't tested any of this, and I'm not sure if it would work.
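The log-watching cron job Kevin sketches, written out as an added example (this is not code from the thread or from web2py): it parses access-log lines in the "combined" format that Apache and nginx write by default, counts requests to the admin login per client IP inside a 5-minute window, and lists the IPs that exceed 5 hits together with a 20-minute block expiry. The sample log lines are constructed. The paths it treats as admin-login traffic (`/admin/...` for web2py's admin login form and `/<app>/appadmin/...`) are assumptions about the URL layout, and the `deny` directives are nginx syntax that a real job would write into an included config fragment and reload.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the "combined" access-log format (Apache/nginx default).
# Addresses are from the RFC 5737 documentation ranges; this is not real traffic.
# One line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
192.0.2.1 - - [01/Jun/2013:14:20:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "curl/7.29"
192.0.2.1 - - [01/Jun/2013:14:25:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "curl/7.29"
192.0.2.1 - - [01/Jun/2013:14:30:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "curl/7.29"
192.0.2.1 - - [01/Jun/2013:14:35:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "curl/7.29"
203.0.113.7 - - [01/Jun/2013:15:00:01 +0000] "GET /myapp/appadmin/index HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2013:15:00:05 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2013:15:00:09 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jun/2013:15:00:10 +0000] "GET /myapp/default/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2013:15:00:14 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2013:15:00:20 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2013:15:00:31 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.1 - - [01/Jun/2013:15:01:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "curl/7.29"
192.0.2.1 - - [01/Jun/2013:15:02:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "curl/7.29"
198.51.100.9 - - [01/Jun/2013:15:03:00 +0000] "POST /admin/default/index HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
this line is not an access-log record and must be skipped
203.0.113.7 - - [01/Jun/2013:15:05:00 +0000] "GET /myapp/default/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed URL layout: web2py's admin login form under /admin/..., and the
# per-application database admin under /<app>/appadmin/...
ADMIN_PATH_RE = re.compile(r'^/admin(/|$)|/appadmin(/|$)')


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path'),
        'status': int(m.group('status')),
    }


def analyze(lines, window_minutes=5, threshold=5, block_minutes=20):
    """Cron-job view of the log: count admin-login requests per IP inside the
    window that ends at the newest timestamp in the log, and return the IPs
    that exceed the threshold together with the time their block expires."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    newest = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash the job
        newest = rec['ts'] if newest is None else max(newest, rec['ts'])
        if ADMIN_PATH_RE.search(rec['path']):
            hits[rec['ip']].append(rec['ts'])
    if newest is None:
        return {'now': None, 'offenders': {}, 'blocks': {}}
    offenders = {}
    for ip, stamps in hits.items():
        recent = [t for t in stamps if newest - window <= t <= newest]
        if len(recent) > threshold:       # "more than 5 times", as Kevin proposed
            offenders[ip] = len(recent)
    until = (newest + timedelta(minutes=block_minutes)).isoformat()
    return {'now': newest.isoformat(), 'offenders': offenders,
            'blocks': {ip: until for ip in offenders}}


def deny_directives(result):
    """Render the block list as nginx 'deny' lines for an included config fragment."""
    return ['deny %s;  # until %s' % (ip, until)
            for ip, until in sorted(result['blocks'].items())]


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG.splitlines())
    print(result)
    print('\n'.join(deny_directives(result)))
```

Note what this does and does not protect: it counts page requests, not failed passwords, so a legitimate admin who reloads the form a few times will trip it, and a client behind a shared NAT address takes everyone behind that address down with it, which is the DoS shape Massimo warns about above. The 192.0.2.1 entries in the sample show why the window matters: six admin requests in total, but only two inside the last five minutes, so that address is not flagged at the default threshold.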


Anthony

Jun 1, 2013, 5:38:57 PM
to web...@googlegroups.com
I think we're already limiting admin to 5 failed logins per IP address per hour: https://code.google.com/p/web2py/source/browse/applications/admin/models/access.py#62

Anthony

Massimo Di Pierro

Jun 1, 2013, 6:47:25 PM
to web...@googlegroups.com
Oops, I had forgotten about that. Thanks Anthony.

Looking at the code again: that stores login attempts in a file, not in the DB:
deny_file = os.path.join(request.folder, 'private', 'hosts.deny')

LightDot

Jun 1, 2013, 11:16:02 PM
to web...@googlegroups.com
Fail2ban is a popular Python program that monitors log files for failed login attempts and blocks "visitors"; there is no need to write a new one from scratch. Assuming you use a Linux server, it should be available as a package. It's quite versatile.

Regards,
Ales

Kevin Bethke

Jun 2, 2013, 5:20:33 AM
to web...@googlegroups.com
Having this file is awesome; I will write a few lines of code to add this to my security report.
Just one question: I tested a failed login myself because my file was fortunately empty.
The file format looks like this:
ip 1 1370164406
I assume the one is the number of attempts and the long number is a timestamp.

BlueShadow

Jun 2, 2013, 6:37:12 AM
to web...@googlegroups.com
I wrote just a few simple lines to display the contents of that file in my personal admin report ^^

<h2>Failed logins to Adminpanel:</h2>
{{import os}}
{{deny=os.path.join('applications', 'admin', 'private', 'hosts.deny')}}
{{if os.path.exists(deny):}}
{{file=open(deny,'r')}}
{{lines=file.readlines()}}
{{file.close()}}
{{for l in lines:}}
{{=l}}<br/>
{{pass}}
{{else:}}
<p>No failed logins recorded.</p>
{{pass}}

Since I had something to eat before I wrote that, over an hour passed from the time of my deliberate failed login.
And the file is empty.

In my opinion this should be stored somewhere, because knowledge is power :)
And based upon data one can decide if it is necessary to increase security.
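To make the file format Kevin quotes and the expiry BlueShadow ran into concrete, here is an added example (my own reimplementation, not web2py's access.py) of a per-IP throttle that keeps its state in a hosts.deny-style file of `ip count timestamp` lines: five failures within an hour block the address, entries outside the hour are dropped on every read, and a successful login clears the entry. The file path, the timestamp handling and the pruning rule are assumptions. Pruning on read would account for an empty file an hour after a single failed attempt, but whether web2py's own code does exactly that is not something this thread establishes.

```python
import hmac
import os
import tempfile
import time

MAX_ATTEMPTS = 5          # failures tolerated per IP before it is blocked
WINDOW_SECONDS = 3600     # failures older than this no longer count


def load_entries(path, now=None):
    """Parse 'ip count timestamp' lines. Entries older than the window are dropped
    (assumed pruning rule, chosen here; not verified against web2py's code)."""
    now = int(time.time()) if now is None else int(now)
    entries = {}
    if not os.path.exists(path):
        return entries
    with open(path) as f:
        for line in f:
            parts = line.split()
            if len(parts) != 3:
                continue              # skip blank or malformed lines rather than crash
            ip, count, ts = parts[0], int(parts[1]), int(parts[2])
            if now - ts < WINDOW_SECONDS:
                entries[ip] = (count, ts)
    return entries


def save_entries(path, entries):
    """Rewrite the file atomically so a concurrent reader never sees a torn file."""
    tmp = path + '.tmp'
    with open(tmp, 'w') as f:
        for ip, (count, ts) in sorted(entries.items()):
            f.write('%s %d %d\n' % (ip, count, ts))
    os.replace(tmp, path)


def is_blocked(path, ip, now=None):
    count, _ = load_entries(path, now).get(ip, (0, 0))
    return count >= MAX_ATTEMPTS


def record_failure(path, ip, now=None):
    """Increment the failure count for ip; the stored timestamp is the latest failure."""
    now = int(time.time()) if now is None else int(now)
    entries = load_entries(path, now)
    count, _ = entries.get(ip, (0, now))
    entries[ip] = (count + 1, now)
    save_entries(path, entries)
    return count + 1


def clear(path, ip, now=None):
    """Forget an address after a successful login."""
    entries = load_entries(path, now)
    entries.pop(ip, None)
    save_entries(path, entries)


def attempt_login(path, ip, password, expected, now=None):
    """One login attempt. 'blocked' is returned before the password is even examined."""
    if is_blocked(path, ip, now):
        return 'blocked'
    if hmac.compare_digest(password, expected):   # constant-time comparison
        clear(path, ip, now)
        return 'ok'
    record_failure(path, ip, now)
    return 'denied'


def demo():
    """Drive the throttle against a temporary file with fixed timestamps and return
    what a caller would observe. Addresses and the secret are made up."""
    t0 = 1370164406                # the timestamp value Kevin quoted from his file
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'hosts.deny')
        outcomes = [attempt_login(path, '203.0.113.7', 'wrong', 'secret', now=t0 + i)
                    for i in range(MAX_ATTEMPTS)]
        with open(path) as f:
            after_failures = f.read()
        # the right password no longer helps once the address is blocked ...
        outcomes.append(attempt_login(path, '203.0.113.7', 'secret', 'secret', now=t0 + 5))
        # ... but another address is unaffected ...
        outcomes.append(attempt_login(path, '198.51.100.9', 'secret', 'secret', now=t0 + 5))
        # ... and an hour later the entry has expired, so a correct login succeeds
        outcomes.append(attempt_login(path, '203.0.113.7', 'secret', 'secret',
                                      now=t0 + WINDOW_SECONDS + 5))
        with open(path) as f:
            after_expiry = f.read()
    return {'outcomes': outcomes, 'after_failures': after_failures,
            'after_expiry': after_expiry}


if __name__ == '__main__':
    print(demo())
```

Two caveats follow from the design. The state is keyed on the source address, so an attacker with many addresses is only slowed down per address, while one failing client behind a shared proxy or NAT address locks out everyone behind it; that is the trade-off Massimo describes above. And the read-modify-write on the file is not serialized across worker threads or processes: two simultaneous failures can both read a count of 4 and both write 5, so the throttle undercounts under concurrency. The atomic `os.replace` only prevents torn reads, not lost updates.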

Limedrop

Jun 4, 2013, 8:00:23 PM
to web...@googlegroups.com
I have often wondered if changing the names "admin" and "appadmin" would be an easy and simple way to add another layer of security? In other words, add these as command-line arguments that can be set on startup. In this way www.mysite.com/admin could be changed to something like www.mysite.com/secretadmin123. After that, access attempts to www.mysite.com/admin could either be handled using the normal "invalid request" methods or treated as a breach attempt.

I see that "admin" and "appadmin" are pretty much hard-coded into web2py, so I'm not sure if it would be worth the effort?
