[ https://issues.apache.org/jira/browse/AIRFLOW-4182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17055034#comment-17055034 ]

Ashish George commented on AIRFLOW-4182:
----------------------------------------

[~ash] Hi, so do we have any kind of mechanism to prevent DDoS attacks from the 
Apache side?

> Rate limit log in attempts
> --------------------------
>
>                 Key: AIRFLOW-4182
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4182
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: security, ui
>            Reporter: t oo
>            Priority: Minor
>
> The Airflow application does not lock a user's account after a reasonable 
> number of failed login attempts. Account lockout is a mechanism used to stop 
> non-valid users from guessing the right password. It is also a protection 
> against brute force attacks wherein an automated system can use 
> common/dictionary passwords or even build passwords based on a set of 
> characters just to try to guess the valid one. The user is still able to 
> login after 10 failed login attempts.
> Business Impact/Attack Scenario 
> It is possible for an attacker to use dictionary or brute force attacks and 
> set it to attempt sending the requests over a particular amount of time to 
> bypass the validation. Once a username has been correctly guessed, the 
> attacker may then be able to gain access to the application.
> Recommendation 
> Enforce account lockout conditions to temporarily lock a user out after a 
> number of unsuccessful attempts. Typically, account lockout is set to 3-5 
> failed login attempts.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

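Added example, not Airflow's code and not from the issue: a per-username guard implementing the temporary lockout the recommendation asks for. It goes a step beyond the text by escalating the lockout duration and capping it, so that repeated failures cannot be used to lock a legitimate user out indefinitely. The policy numbers, the injectable clock and the `verify` callback are assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginGuard:
    """Temporary per-account lockout after repeated failed logins.

    Assumed policy (hypothetical, not Airflow's): after `threshold`
    failures the account is locked for `base_lockout` seconds, doubling
    on each further failure and capped at `max_lockout`.  A short,
    capped lockout slows password guessing without letting an attacker
    permanently deny service to the real user.
    """
    threshold: int = 5
    base_lockout: float = 60.0
    max_lockout: float = 3600.0
    clock: callable = time.monotonic      # injectable for testing
    _accounts: dict = field(default_factory=dict)

    def _state(self, username):
        # Track every username, existing or not, so lockout replies do not
        # reveal which accounts exist.
        return self._accounts.setdefault(username.lower(), AccountState())

    def is_locked(self, username) -> bool:
        return self.clock() < self._state(username).locked_until

    def retry_after(self, username) -> float:
        return max(0.0, self._state(username).locked_until - self.clock())

    def record_failure(self, username) -> float:
        """Register a bad password; return the lockout in seconds (0 if none)."""
        st = self._state(username)
        st.failures += 1
        if st.failures < self.threshold:
            return 0.0
        lockout = min(self.base_lockout * 2 ** (st.failures - self.threshold),
                      self.max_lockout)
        st.locked_until = self.clock() + lockout
        return lockout

    def record_success(self, username):
        self._accounts.pop(username.lower(), None)   # reset the counter


def attempt_login(guard, username, password, verify):
    """Refuse while locked without even checking the password."""
    if guard.is_locked(username):
        return "locked"
    if verify(username, password):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "denied"
```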