
Brute-force whitelisted IPs are ineffective for password resetting #325

Open
m4dz opened this issue Jan 19, 2021 · 2 comments

Comments

m4dz commented Jan 19, 2021


Steps to reproduce

  1. Block an IP with too many login attempts (brute-force blacklisting)
  2. Whitelist the IP in the Brute-force settings app
  3. Try to reset the password from the IP in question

Expected behaviour

Once whitelisted, the login operations (both login and reset password) should be allowed from the IP in question.

Actual behaviour

The user can log in from the IP, but the reset-password action still returns an HTTP 412 error.

Server configuration

Operating system: Debian Buster

Web server: Apache / PHP-FPM

Database: MySQL 10.4.13

PHP version: 7.4.4

Nextcloud version: 20.0.5

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded

Where did you install Nextcloud from: Official download page

Signing status: No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.6.0
  - activity: 2.13.4
  - bruteforcesettings: 2.0.1
  - calendar: 2.1.3
  - cloud_federation_api: 1.3.0
  - comments: 1.10.0
  - contacts: 3.4.3
  - contactsinteraction: 1.1.0
  - dashboard: 7.0.0
  - dav: 1.16.2
  - documentserver_community: 0.1.8
  - federatedfilesharing: 1.10.2
  - federation: 1.10.1
  - files: 1.15.0
  - files_markdown: 2.3.1
  - files_pdfviewer: 2.0.1
  - files_rightclick: 0.17.0
  - files_sharing: 1.12.2
  - files_trashbin: 1.10.1
  - files_versions: 1.13.0
  - files_videoplayer: 1.9.0
  - firstrunwizard: 2.9.0
  - groupfolders: 8.2.0
  - logreader: 2.5.0
  - lookup_server_connector: 1.8.0
  - mail: 1.7.2
  - nextcloud_announcements: 1.9.0
  - notifications: 2.8.0
  - oauth2: 1.8.0
  - onlyoffice: 6.2.0
  - password_policy: 1.10.1
  - photos: 1.2.3
  - privacy: 1.4.0
  - provisioning_api: 1.10.0
  - recommendations: 0.8.0
  - serverinfo: 1.10.0
  - settings: 1.2.0
  - sharebymail: 1.10.0
  - support: 1.3.0
  - survey_client: 1.8.0
  - systemtags: 1.10.0
  - text: 3.1.0
  - theming: 1.11.0
  - twofactor_admin: 3.0.0
  - twofactor_backupcodes: 1.9.0
  - twofactor_totp: 5.0.0
  - updatenotification: 1.10.0
  - user_status: 1.0.1
  - viewer: 1.4.0
  - weather_status: 1.0.0
  - workflowengine: 2.2.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.alwaysdata.org",
            "ad-nextcloud.alwaysdata.net"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/ad-nextcloud.alwaysdata.net",
        "dbtype": "mysql",
        "version": "20.0.5.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpport": "465",
        "app_install_overwrite": [
            "calendar"
        ],
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Memcached",
        "memcached_servers": [
            [
                "localhost",
                11211
            ]
        ],
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_sendmailmode": "smtp"
    },
    "apps": {
        "accessibility": {
            "enabled": "yes",
            "installed_version": "1.6.0",
            "types": ""
        },
        "activity": {
            "enabled": "yes",
            "installed_version": "2.13.4",
            "types": "filesystem"
        },
        "backgroundjob": {
            "lastjob": "254"
        },
        "bruteForce": {
            "whitelist_1": "81.28.201.184\/0"
        },
        "bruteforcesettings": {
            "enabled": "yes",
            "installed_version": "2.0.1",
            "types": ""
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "2.1.3",
            "types": ""
        },
        "cloud_federation_api": {
            "enabled": "yes",
            "installed_version": "1.3.0",
            "types": "filesystem"
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "3.4.3",
            "types": "dav"
        },
        "contactsinteraction": {
            "enabled": "yes",
            "installed_version": "1.1.0",
            "types": "dav"
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "enterpriseLogoChecked": "yes",
            "installedat": "1534865793.7312",
            "lastcron": "1611058213",
            "lastupdateResult": "[]",
            "lastupdatedat": "1611058181",
            "moveavatarsdone": "yes",
            "oc.integritycheck.checker": "[]",
            "previewsCleanedUp": "1",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "scss.variables": "acf04738bafad3d2d16346746aeff1ba",
            "theming.variables": "c96da5636ef759cb25916c25b9288e2a",
            "updater.secret.created": "1603350162",
            "vendor": "nextcloud"
        },
        "dashboard": {
            "enabled": "yes",
            "installed_version": "7.0.0",
            "types": ""
        },
        "dav": {
            "buildCalendarReminderIndex": "yes",
            "buildCalendarSearchIndex": "yes",
            "chunks_migrated": "1",
            "enabled": "yes",
            "installed_version": "1.16.2",
            "regeneratedBirthdayCalendarsForYearFix": "yes",
            "types": "filesystem"
        },
        "documentserver_community": {
            "enabled": "yes",
            "installed_version": "0.1.8",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.10.2",
            "types": ""
        },
        "federation": {
            "autoAddServers": "1",
            "enabled": "yes",
            "installed_version": "1.10.1",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.15.0",
            "types": "filesystem"
        },
        "files_fulltextsearch": {
            "enabled": "no",
            "installed_version": "1.4.3",
            "types": "filesystem"
        },
        "files_markdown": {
            "enabled": "yes",
            "installed_version": "2.3.1",
            "types": ""
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "2.0.1",
            "types": ""
        },
        "files_rightclick": {
            "enabled": "yes",
            "installed_version": "0.17.0",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.12.2",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "no",
            "installed_version": "2.8.0",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.10.1",
            "types": "filesystem,dav"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.13.0",
            "types": "filesystem,dav"
        },
        "files_videoplayer": {
            "enabled": "yes",
            "installed_version": "1.9.0",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "2.9.0",
            "types": "logging"
        },
        "fulltextsearch": {
            "enabled": "no",
            "installed_version": "1.4.2",
            "types": ""
        },
        "gallery": {
            "enabled": "no",
            "installed_version": "18.4.0",
            "types": ""
        },
        "groupfolders": {
            "enabled": "yes",
            "installed_version": "8.2.0",
            "types": "filesystem,dav"
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.5.0",
            "levels": "11111",
            "types": ""
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.8.0",
            "types": "authentication"
        },
        "mail": {
            "enabled": "yes",
            "installed_version": "1.7.2",
            "types": ""
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.9.0",
            "pub_date": "Thu, 24 Oct 2019 00:00:00 +0200",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "2.8.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.8.0",
            "types": "authentication"
        },
        "onlyoffice": {
            "DocumentServerUrl": "https:\/\/nextcloud.alwaysdata.org\/index.php\/apps\/documentserver_community\/",
            "defFormats": "{\"docx\":true,\"pptx\":true,\"xlsx\":true,\"odp\":true,\"ods\":true,\"odt\":true,\"doc\":true,\"ppt\":true,\"xls\":true}",
            "editFormats": "{\"csv\":true,\"docx\":true,\"pptx\":true,\"txt\":true,\"xlsx\":true,\"odp\":true,\"ods\":true,\"odt\":true,\"rtf\":true}",
            "enabled": "yes",
            "installed_version": "6.2.0",
            "sameTab": "true",
            "types": "filesystem"
        },
        "ownpad": {
            "enabled": "no",
            "installed_version": "0.6.14",
            "ocsid": "174679",
            "ownpad_ethercalc_enable": "yes",
            "ownpad_ethercalc_host": "https:\/\/ethercalc.alwaysdata.org",
            "ownpad_etherpad_enable": "yes",
            "ownpad_etherpad_host": "https:\/\/etherpad.alwaysdata.org",
            "ownpad_etherpad_useapi": "no",
            "types": ""
        },
        "password_policy": {
            "enabled": "yes",
            "installed_version": "1.10.1",
            "types": "authentication"
        },
        "photos": {
            "enabled": "yes",
            "installed_version": "1.2.3",
            "types": ""
        },
        "privacy": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "types": ""
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "prevent_group_restriction"
        },
        "recommendations": {
            "enabled": "yes",
            "installed_version": "0.8.0",
            "types": ""
        },
        "serverinfo": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": ""
        },
        "settings": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "filesystem"
        },
        "support": {
            "SwitchUpdaterServerHasRun": "yes",
            "enabled": "yes",
            "installed_version": "1.3.0",
            "types": "session"
        },
        "survey_client": {
            "enabled": "yes",
            "installed_version": "1.8.0",
            "last_sent": "1611050114",
            "types": ""
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "logging"
        },
        "text": {
            "enabled": "yes",
            "installed_version": "3.1.0",
            "types": "dav"
        },
        "theming": {
            "cachebuster": "17",
            "color": "#464646",
            "enabled": "yes",
            "installed_version": "1.11.0",
            "logoMime": "image\/png",
            "name": "Cloud alwaysdata",
            "slogan": "***REMOVED SENSITIVE VALUE***",
            "types": "logging",
            "url": "***REMOVED SENSITIVE VALUE***"
        },
        "twofactor_admin": {
            "enabled": "yes",
            "installed_version": "3.0.0",
            "types": ""
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.9.0",
            "types": ""
        },
        "twofactor_totp": {
            "enabled": "yes",
            "installed_version": "5.0.0",
            "types": ""
        },
        "updatenotification": {
            "calendar": "2.1.3",
            "contacts": "3.4.3",
            "core": "20.0.5.2",
            "documentserver_community": "0.1.8",
            "enabled": "yes",
            "files_markdown": "2.3.1",
            "files_rightclick": "0.15.1",
            "groupfolders": "8.2.0",
            "installed_version": "1.10.0",
            "mail": "1.7.2",
            "onlyoffice": "6.2.0",
            "twofactor_totp": "5.0.0",
            "types": "",
            "update_check_errors": "0"
        },
        "user_status": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "types": ""
        },
        "viewer": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "types": ""
        },
        "weather_status": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": ""
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "2.2.0",
            "types": "filesystem"
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 84.0.2

Operating system: Ubuntu 20.10

@szaimen szaimen transferred this issue from nextcloud/server Jun 22, 2021
joshtrichards (Member) commented:

I suspect this was the Rate Limiter being hit on the lost password controller rather than BFP:

https://github.com/nextcloud/server/blob/1bc8129623d15b369a7b6bf7ac65931b0e83455e/core/Controller/LostController.php#L172-L173

That'll still trigger after BFP is reset (I just confirmed it as well in testing).

joshtrichards (Member) commented:

But I can only trigger it if, in addition to triggering BFP and then whitelisting the IP in BFP, I also hit the Reset Password button a bunch of times in a short window (10 within 300s will do it per current code). And it'll come back to life within 300s.

That's expected behavior.

I can see how if a user couldn't access the password reset function, after the admin clears them from BFP, that would be a problem.

But I can't see how this would happen under normal circumstances, since just using the password reset function a handful of times won't trigger (much) rate limiting. I actively had to go out of my way to trigger it, with something like 10 attempts to reset my password. 🤔
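To make the interaction described in the comments concrete, here is an added Python model (not Nextcloud's code) of two independent throttles in front of the password-reset endpoint: brute-force protection (BFP) with an IP whitelist, and a separate per-IP rate limiter on the endpoint allowing 10 requests per 300 s, the figures quoted above. The BFP threshold of 5 failed logins, the sample addresses and the outcome labels are assumptions; the model also shows that a whitelist entry with a /0 mask, such as the `81.28.201.184/0` in the config report above, matches every IPv4 address.

```python
"""Constructed model of two independent throttles on a password-reset endpoint:
brute-force protection (BFP) with an IP whitelist, and a separate anonymous
rate limiter on the endpoint itself (10 requests per 300 s, as quoted above).
Added illustration of the reported behaviour, not Nextcloud's code."""
from collections import defaultdict, deque
import ipaddress

BFP_MAX_FAILED_LOGINS = 5   # assumed threshold for this model
RESET_LIMIT = 10            # from the comment: 10 requests ...
RESET_WINDOW_SECONDS = 300  # ... within 300 s

class BruteForceProtection:
    """Blocks an IP after too many failed logins unless it is whitelisted."""
    def __init__(self):
        self.failed = defaultdict(int)
        self.whitelist = []  # ip_network objects

    def add_whitelist(self, cidr):
        # strict=False accepts host bits set, so "81.28.201.184/0" becomes 0.0.0.0/0
        self.whitelist.append(ipaddress.ip_network(cidr, strict=False))

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_failed_login(self, ip):
        self.failed[ip] += 1

    def is_blocked(self, ip):
        return not self.is_whitelisted(ip) and self.failed[ip] >= BFP_MAX_FAILED_LOGINS

class AnonRateLimiter:
    """Per-IP sliding window; it has no knowledge of the BFP whitelist."""
    def __init__(self, limit=RESET_LIMIT, window=RESET_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def lost_password(bfp, limiter, ip, now):
    """Outcome of one reset request: 'bfp_blocked', 'rate_limited' or 'ok'."""
    if bfp.is_blocked(ip):
        return "bfp_blocked"
    if not limiter.allow(ip, now):
        return "rate_limited"
    return "ok"

def reproduce(ip="203.0.113.10"):
    """Replays the issue's three steps; returns (before whitelist, burst, after window)."""
    bfp, limiter = BruteForceProtection(), AnonRateLimiter()
    for _ in range(BFP_MAX_FAILED_LOGINS):  # step 1: trip BFP with failed logins
        bfp.record_failed_login(ip)
    before = lost_password(bfp, limiter, ip, now=0)
    bfp.add_whitelist(ip + "/32")  # step 2: whitelist the IP in BFP
    burst = [lost_password(bfp, limiter, ip, now=t) for t in range(1, 12)]  # step 3
    later = lost_password(bfp, limiter, ip, now=1 + RESET_WINDOW_SECONDS)
    return before, burst, later
```

The eleventh reset inside the window is refused even though the IP is whitelisted, and the limiter admits requests again once the oldest timestamp ages out of the 300 s window.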
