Message 24660

Author
ced
Date
2016-03-08.23:01:52
Message id
24660

Content

Luis, we cannot accept your patch because it reduces the security level of Tryton. With your patch there is no need for an attacker to wait more than a few milliseconds (and certainly not the 3 seconds) for the login answer, because he can guess after a few milliseconds that the login was wrong. He will start a new query directly without waiting for the 3 seconds.
So this means that the sleep of 3 seconds is useless, and there will no longer be any protection against brute force attacks on the login mechanism.

This was already explained in msg24650 and msg24615.

If you care about high availability, you must not rely on trytond alone to be protected. You must add standard solutions that protect web services against DoS and monitor the health of your services.

I will provide, in a feature request, a patch that adds a task to clean the login attempts regularly.
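The point made in this message, shown as an added example that is not Tryton's own code: a failed-login delay only slows a guessing client if the client cannot learn the outcome before the delay has elapsed. The user store, the password digest and the 0.1 second penalty (shortened from trytond's 3 seconds so the example runs quickly) are constructed assumptions for illustration; the two login functions model the rejected behaviour and the intended behaviour respectively.

```python
"""Why a login penalty must gate the answer, not run beside it (added example)."""
import hashlib
import hmac
import time

# Constructed credential store for the example: one user, SHA-256 digest.
# (A real service would use a slow, salted password hash; this keeps it short.)
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
# Dummy digest compared against for unknown users so the cost is uniform.
DUMMY_DIGEST = hashlib.sha256(b"no-such-user").hexdigest()


def check_credentials(login, password):
    """Return True only if the login exists and the password digest matches."""
    stored = USERS.get(login)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    reference = stored if stored is not None else DUMMY_DIGEST
    match = hmac.compare_digest(reference, candidate)
    return stored is not None and match


def login_early_answer(login, password, delay):
    """Models the rejected patch: the client is told 'wrong' as soon as the
    check fails, so the penalty never gates its next attempt.
    Returns (accepted, seconds the client waited for the answer)."""
    start = time.perf_counter()
    ok = check_credentials(login, password)
    # The answer is already determined here. Sleeping afterwards, or in a
    # background task, does not slow a client that has simply moved on, so
    # `delay` is never applied on the path the client actually waits on.
    return ok, time.perf_counter() - start


def login_delayed_answer(login, password, delay):
    """Models the intended behaviour: a failed attempt is not answered until
    the full penalty has elapsed, so every wrong guess costs `delay` seconds
    of wall-clock time per connection. Unknown users and wrong passwords are
    delayed identically, so timing reveals nothing about which one it was.
    Returns (accepted, seconds the client waited for the answer)."""
    start = time.perf_counter()
    ok = check_credentials(login, password)
    if not ok:
        time.sleep(delay)
    return ok, time.perf_counter() - start


def time_for_guesses(login_fn, delay, attempts=3):
    """Wall-clock seconds a client needs to get answers to `attempts` wrong
    passwords, issuing the next one as soon as the previous answer arrives."""
    start = time.perf_counter()
    for i in range(attempts):
        login_fn("alice", f"wrong-guess-{i}", delay)
    return time.perf_counter() - start


if __name__ == "__main__":
    PENALTY = 0.1
    for name, fn in (("early answer", login_early_answer),
                     ("delayed answer", login_delayed_answer)):
        print(f"{name}: 3 wrong guesses answered in "
              f"{time_for_guesses(fn, PENALTY):.3f}s")
```

With the early-answer variant the three guesses are answered in well under one penalty period; with the delayed-answer variant they take at least three penalty periods, which is the only thing that makes a per-attempt sleep worth having.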
History
Date                 User  Action  Args
2016-03-08 23:01:52  ced   set     messageid: <1457474512.69.0.522097432312.issue5375@tryton.org>
2016-03-08 23:01:52  ced   set     recipients: + bch, yangoon, nicoe, sharkcz, meanmicio, smarro, ajacoutot
2016-03-08 23:01:52  ced   link    issue5375 messages
2016-03-08 23:01:52  ced   create
