[
https://issues.apache.org/jira/browse/RANGER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17509573#comment-17509573
]
kirby zhou commented on RANGER-2362:
------------------------------------
Default Settings of patch:
security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
{code:xml}
<!-- auto lock when too many failed logon attempts -->
<property>
  <name>ranger.admin.login.autolock.enabled</name>
  <value>true</value>
</property>
<property>
  <name>ranger.admin.login.autolock.window.seconds</name>
  <value>300</value>
</property>
<property>
  <name>ranger.admin.login.autolock.maxfailure</name>
  <value>5</value>
</property>
{code}
> [security] Admin webui - Lack of account lockout
> ------------------------------------------------
>
> Key: RANGER-2362
> URL: https://issues.apache.org/jira/browse/RANGER-2362
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
> Affects Versions: 1.0.0
> Reporter: t oo
> Priority: Major
>
> Account lockout is a mechanism used to stop non-valid users from guessing
> the right password. It is also a protection against brute force attacks
> wherein an automated system can use common/dictionary passwords or even build
> passwords based on a set of characters just to try to guess the valid one.
>
> The application does not implement an account lockout mechanism, leaving it
> susceptible to brute force attacks. These login pages were susceptible to
> this condition.
>
> It is possible for an attacker to use dictionary or brute force attacks and
> set it to attempt sending the requests over a particular amount of time to
> bypass the validation. Once a username has been correctly guessed, the
> attacker may then be able to gain access to the application. Since it is
> vulnerable to Form Auto Complete Active vulnerability (LINK) which makes the
> email addresses easier to guess, it will make a brute force attack more
> likely to be possible.
>
> Enforce account lockout conditions to prevent intrusions and improve
> password requirements and complexities to avoid the chances of brute force
> and dictionary attacks from working.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
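To make the three settings in the comment concrete, the following added example (not Ranger's code, and not part of the issue) parses a Hadoop-style property fragment carrying the posted defaults and models the lockout policy they describe as a per-user sliding window: a user is locked once `maxfailure` failed attempts fall inside the last `window.seconds`, the lock releases by itself when those failures age out of the window, and a successful login clears the history. How Ranger actually counts attempts or stores lock state is an assumption here, not something the issue states.

```python
"""Sliding-window login lockout modelled on the RANGER-2362 settings.

Added example, not Ranger's own code. It reads the three
ranger.admin.login.autolock.* properties from a Hadoop-style
<property>/<name>/<value> XML fragment (constructed inline from the
defaults posted in the comment) and models the lockout policy they
describe. The counting and storage strategy is assumed, not Ranger's.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed sample: the defaults posted in the comment, wrapped in a root.
SAMPLE_CONFIG = """<configuration>
  <property><name>ranger.admin.login.autolock.enabled</name><value>true</value></property>
  <property><name>ranger.admin.login.autolock.window.seconds</name><value>300</value></property>
  <property><name>ranger.admin.login.autolock.maxfailure</name><value>5</value></property>
</configuration>"""


def load_autolock_settings(xml_text):
    """Return (enabled, window_seconds, maxfailure) from Hadoop-style XML.

    Missing properties fall back to the defaults the comment posts.
    """
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        props[name] = value
    enabled = props.get("ranger.admin.login.autolock.enabled", "true").lower() == "true"
    window = int(props.get("ranger.admin.login.autolock.window.seconds", "300"))
    maxfail = int(props.get("ranger.admin.login.autolock.maxfailure", "5"))
    return enabled, window, maxfail


class AutoLock:
    """Per-user sliding-window failure counter (assumed model).

    A user is locked while at least `maxfailure` failed attempts fall
    inside the last `window_seconds`. Failures older than the window are
    dropped, so the lock expires on its own without an admin unlock.
    A successful login clears the user's failure history.
    """

    def __init__(self, enabled, window_seconds, maxfailure):
        self.enabled = enabled
        self.window = window_seconds
        self.maxfailure = maxfailure
        self._failures = defaultdict(deque)  # user -> timestamps of failures

    def _prune(self, user, now):
        q = self._failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, user, now):
        if not self.enabled:
            return False
        self._prune(user, now)
        return len(self._failures[user]) >= self.maxfailure

    def record_failure(self, user, now):
        """Record a failed attempt; return True if the user is now locked."""
        self._prune(user, now)
        self._failures[user].append(now)
        return self.is_locked(user, now)

    def record_success(self, user):
        self._failures.pop(user, None)


def simulate(xml_text):
    """Drive the policy with a constructed attempt sequence (fake clock, seconds)."""
    enabled, window, maxfail = load_autolock_settings(xml_text)
    lock = AutoLock(enabled, window, maxfail)
    locked_after = None
    # Five failures at t=0..4: the fifth one trips the lock.
    for t in range(5):
        if lock.record_failure("admin", t):
            locked_after = t + 1
            break
    still_locked_at_200 = lock.is_locked("admin", 200)   # inside the 300 s window
    released_at_305 = not lock.is_locked("admin", 305)   # all five aged out
    relocked = lock.record_failure("admin", 310)         # a single new failure is not enough
    lock.record_success("admin")                         # success wipes the history
    cleared = not lock.is_locked("admin", 311)
    return {"locked_after": locked_after, "still_locked_at_200": still_locked_at_200,
            "released_at_305": released_at_305, "relocked": relocked, "cleared": cleared}


if __name__ == "__main__":
    print(simulate(SAMPLE_CONFIG))
```

The self-expiring window is the usual trade-off for an admin login: a permanent lock after N failures would let anyone who knows an admin's username deny that admin access, whereas a bounded window slows guessing to `maxfailure` attempts per `window.seconds` while still letting the legitimate user back in without intervention. Whatever the real implementation does, the lock decision should be taken before the password is checked, and every lock event should be logged with the username and source so the operations team can see a guessing campaign rather than only its side effects.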