Message 24669

Author
ced
Date
2016-03-09.09:28:06
Message id
24669

Content

I don't see how you can say we did not provide solid arguments when we provided them many times and they were never countered.
Now, if you want us to name one good alternative, I will say fail2ban [1]. It would be great if someone could provide a good set of rules for Tryton. We will be happy to publish them.
I will warn you one last time not to apply your patch to GNU Health, because it will weaken the protection Tryton has against brute force attacks (as explained many times).
Finally, I would like to say that trytond has by default a limit on concurrent connections (inherited from PostgreSQL), and this limit can easily be reached and provoke a DoS. It is not necessarily linked to the login method but to any RPC call. So I recommend that anyone run trytond in a private network or use external protection. It is not the goal of Tryton to write such security tools, especially when good ones exist and because this cannot be correctly managed at the application level but only at the OS level.

Maybe we should add a paragraph in the documentation to recommend the usage of such protection.

[1] https://en.wikipedia.org/wiki/Fail2ban
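Added example (not part of ced's message and not Tryton project code): a minimal fail2ban-style detector in Python that shows what a "set of rules for Tryton" has to do. It applies a failregex-like pattern to log lines, keeps a sliding window of failures per source address, and reports an address once it reaches maxretry failures within findtime seconds, the same three parameters a fail2ban jail uses. The trytond log line layout, the logger name trytond.security and the sample log lines are all constructed assumptions for illustration and must be adapted to what your trytond version actually writes.

```python
"""Fail2ban-style brute-force detection over trytond-like log lines.

Added example; not code from Tryton or from the message above.
ASSUMPTION: the log line layout matched below is illustrative only and
must be adapted to the format your trytond version really writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Equivalent of a fail2ban "failregex": the named group "ip" plays the role
# of fail2ban's <HOST> token. Line layout is an assumption (see above).
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \d+ \S+ trytond\.security "
    r"login failed for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log (not real data): 203.0.113.5 hammers the login,
# 198.51.100.7 fails three times but spread over more than ten minutes.
SAMPLE_LOG = """\
2016-03-09 09:20:01,123 4242 INFO trytond.security login failed for admin from 203.0.113.5
2016-03-09 09:20:02,456 4242 INFO trytond.security login failed for admin from 203.0.113.5
2016-03-09 09:20:03,789 4242 INFO trytond.security login succeeded for bob from 198.51.100.7
2016-03-09 09:20:04,012 4242 INFO trytond.security login failed for root from 203.0.113.5
2016-03-09 09:20:05,345 4242 INFO trytond.security login failed for admin from 203.0.113.5
2016-03-09 09:20:06,678 4242 INFO trytond.security login failed for admin from 198.51.100.7
2016-03-09 09:31:00,000 4242 INFO trytond.security login failed for admin from 198.51.100.7
2016-03-09 09:42:00,000 4242 INFO trytond.security login failed for admin from 198.51.100.7
""".splitlines()


def find_bans(lines, maxretry=3, findtime=600, pattern=FAILREGEX):
    """Return {ip: datetime} for every source that should be banned.

    A source is banned at the timestamp of the failure that brings its
    count within the last `findtime` seconds up to `maxretry`, mirroring
    fail2ban's maxretry/findtime semantics. Lines that do not match the
    pattern (successful logins, unrelated messages) are ignored, exactly
    as fail2ban ignores lines that match no failregex.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        match = pattern.match(line)
        if not match:
            continue
        ip = match.group("ip")
        if ip in bans:
            continue  # already banned; later failures change nothing
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
        recent = window[ip]
        recent.append(ts)
        cutoff = ts - timedelta(seconds=findtime)
        while recent and recent[0] < cutoff:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in sorted(find_bans(SAMPLE_LOG).items()):
        print(f"ban {ip} at {when}")
```

Run against the sample, only 203.0.113.5 is banned (at its third failure, 09:20:04); 198.51.100.7 never has three failures inside one ten-minute window, but does get banned if findtime is raised to an hour, which is the usual tuning trade-off. To turn the pattern into a real filter.d file, drop the leading timestamp group (fail2ban strips the date itself) and replace `(?P<ip>\S+)` with `<HOST>`; the ban itself is then applied by the jail's action at the firewall, which is the OS-level enforcement the message argues for.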
History
Date                 User  Action  Args
2016-03-09 09:28:07  ced   set     messageid: <1457512087.29.0.93477788798.issue5375@tryton.org>
2016-03-09 09:28:07  ced   set     recipients: + bch, yangoon, nicoe, sharkcz, meanmicio, smarro, ajacoutot
2016-03-09 09:28:07  ced   link    issue5375 messages
2016-03-09 09:28:06  ced   create
