Message 24693

Author
meanmicio
Date
2016-03-09.15:27:59
Message id
24693

Content

Hello Sergi
On Wed, 09 Mar 2016 13:45:59 +0100
Sergi Almacellas Abellana <issue_tracker@tryton.org> wrote:

> Sergi Almacellas Abellana <sergi@koolpi.com> added the comment:
> 
> Hi All, 
> 
> After carefully reading all the issue, here is my opinion. 
> 
> I don't think it's the scope of trytond to fight against DDoS attack,
> so for me no issue at all. I want to propose Reverse nginx proxy [1]
> as another option to fight against DDoS attacks.
> 
I agree with you, but this is another topic. As I said, I am the
first to suggest *complementary* tools to harden the security, but
that does not mean we should not take care of our own server's internal
security methods.

> About the proposed patch, it does not solve the DDoS attack 
It solves *this* vulnerability, because it eliminates the problem of
allowing anonymous, unprotected writing of the invalid login
information at DB level, not being able to delete those records,
doing a search on that table at each login... which takes a lot of
resources (CPU, DB, IO, ...). 

> as it gives an easier way to brute force some user password, which will
> make it easier for the attacker to obtain a valid user/password. 

We should discuss authentication methods in another thread. It's
not related to this vulnerability. I already made some comments /
suggestions on hardening the server authentication on
https://bugs.tryton.org/msg24678

Thanks
History
Date                 User       Action   Args
2016-03-09 15:28:01  meanmicio  set      recipients: + pokoli
2016-03-09 15:28:00  meanmicio  link     issue5375 messages
2016-03-09 15:27:59  meanmicio  create