
Enable Captcha on LDAP
Open, Needs Triage, Public

Description

Background:
I have the latest version of Phabricator running on a Debian server with LDAP as authentication provider.

Problem:
I'd like to secure my server from brute force password guessing attempts through Phabricator, by using fail2ban and Phabricator's access log output.

However, Phabricator's access log has two major issues:

  1. There is no clear indication in the access log that a web-fronted log-in attempt failed. Phabricator does not send a clear HTTP status code such as 401 as a response for a failed log-in attempt. Right now it's always 200 OK.
  2. The date output format of %D and %e cannot be interpreted by fail2ban. Fail2ban would require a source code patch in order to support Phabricator's date format.

Related problem:
It is not possible to change log.access.format using bin/config. It gives the following error message:

Usage Exception: Config key "log.access.format" is of type "wild". Specify it in JSON.

I had to edit that value manually in the local JSON configuration file.

Suggested solutions:

  1. Add an authentication error response to the access log output. That could be done as HTTP status code 401 or maybe some additional log output for that purpose.
  2. Give an option for customizing the log output date format.
  3. ...or change the date format to something fail2ban understands.

Event Timeline

tiguchi raised the priority of this task from to Needs Triage.
tiguchi updated the task description.
tiguchi added a subscriber: tiguchi.

What problem specifically are you having using Phabricator? See https://secure.phabricator.com/book/phabcontrib/article/feature_requests/ for more details.

Hi Chad, thanks for your reply.

In a nutshell: I don't know how to secure my server from brute force password guessing attacks performed on Phabricator's LDAP login form, since there does not seem to be any rate limiting or IP banning in place. The recaptcha module also does not seem to work with the LDAP authentication provider, which is the only provider I activated on my installation.

I'd like to use fail2ban in order to lock out repeat offenders from accessing my server. Unfortunately I cannot do that based on Phabricator's log output.

Phabricator produces access log output that cannot be interpreted by fail2ban because of the mentioned date format issue. Fail2ban understands only a limited set of hard-coded date formats. I know that's not exactly your problem, because the author of fail2ban made a design mistake. I could fix that particular problem myself by patching fail2ban.

The biggest problem, however, is that Phabricator does not seem to log failed login attempts into any log file. Therefore I cannot reliably determine when to lock out a repeat offender using fail2ban.
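The detection the reporter wants to build is a rate check over login requests per source IP. The following is an added example (not code from the thread or from Phabricator) of that check run over constructed access log lines. It assumes a hypothetical log.access.format of "%e %r %m %U %c" (epoch timestamp, remote address, method, path, status; %e is from the report, the other variables are assumed) and a constructed login path. Because the report says failed logins still return 200, the heuristic counts login POSTs regardless of status, so it throttles successful and failed attempts alike.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in the assumed format "%e %r %m %U %c".
# The path "/auth/login/ldap:self/" is a constructed example, not
# taken from the report. Every status is 200, as the report describes.
SAMPLE_LOG = """\
1439100000 203.0.113.5 POST /auth/login/ldap:self/ 200
1439100003 203.0.113.5 POST /auth/login/ldap:self/ 200
1439100005 198.51.100.7 GET /auth/login/ 200
1439100006 203.0.113.5 POST /auth/login/ldap:self/ 200
1439100009 203.0.113.5 POST /auth/login/ldap:self/ 200
1439100011 203.0.113.5 POST /auth/login/ldap:self/ 200
1439100020 198.51.100.7 POST /auth/login/ldap:self/ 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
LOGIN_PATH = re.compile(r"^/auth/login/")


def parse_line(line):
    """Return (epoch, ip, method, path, status) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch, ip, method, path, status = m.groups()
    return int(epoch), ip, method, path, int(status)


def find_offenders(log_text, max_attempts=5, window_seconds=60):
    """Return sorted IPs that POSTed to the login path at least max_attempts
    times within any window_seconds span (sliding window per IP)."""
    recent = defaultdict(deque)  # ip -> epochs of login POSTs still in window
    offenders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        epoch, ip, method, path, _status = rec
        if method != "POST" or not LOGIN_PATH.match(path):
            continue  # only login form submissions count toward the limit
        q = recent[ip]
        q.append(epoch)
        while q and epoch - q[0] > window_seconds:
            q.popleft()  # drop attempts older than the window
        if len(q) >= max_attempts:
            offenders.add(ip)
    return sorted(offenders)
```

With the sample above, 203.0.113.5 makes five login POSTs within 11 seconds and is flagged, while 198.51.100.7 is not; fail2ban's own filter would need a date pattern matching whichever format variable you choose.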

Why don't we fix the Recaptcha module to work on LDAP?

In T8392#118222, @chad wrote:

Why don't we fix the Recaptcha module to work on LDAP?

This also protects you from attackers who control a botnet and can evade IP-based bans by sending requests from multiple IPs.

Sounds good to me, thanks for your replies! Should I file an extra bug ticket here for the LDAP + recaptcha problem?

chad renamed this task from Improved access log output for recognizing brute force login attempts with fail2ban to Enable Captcha on LDAP. Aug 9 2015, 4:33 AM