Mathieu CARBONNEAUX commented on GUACAMOLE-991:

fail2ban is not able to protect against distributed brute force.... because they
use multiple IPs to brute force, it is not able to detect it...

MFA coupled with user/password can block distributed brute force...

and the two solutions can be used at the same time (fail2ban + TOTP)....


TOTP (RFC 6238 and RFC 4226) is not known to be brute-forceable (too many possibilities for
one token in a time frame), and coupled with user and password it adds so much
time/power needed to find the user/pass/token by brute force that it makes it virtually
impossible to brute force...

The only way to be able to brute force is to find/leak the TOTP secret...


You can use a first form with user and password, and a second form with OTP, but to
drastically reduce the chance of brute force you must check user+password together with the
check of the OTP...

In that way the hacker cannot know if user + pass has worked or not and is
obliged to search all possibilities of the token (a 6-digit TOTP token has 1,000,000
possibilities) for each user/pass in the 30s time frame...

The need in power/time is so high for trying all these combinations in this time
frame that it will first be blocked by server capacity and network capacity before finding
the user/pass/token...

and will probably be blocked by fail2ban (if coupled with TOTP) before, even if
distributed (the need to distribute the load of the brute force is so
far from the simple user/password scenario because of the time frame of the


> Pass and User Check before OTP Check make possible brute force...
> -----------------------------------------------------------------
>                 Key: GUACAMOLE-991
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>            Reporter: Mathieu CARBONNEAUX
>            Priority: Trivial
> Hi,
> Guacamole with the OTP module works like a charm...
> but the user and password are checked before redirecting to the OTP page...
> this makes user/pass brute force possible, because the attacker can know if the
> user + password is valid....
> ok, they need the token to achieve the complete connection... but they know the
> password...
> why not redirect systematically to the OTP form, and check user + pass after
> the OTP form post (do the token validation only if user/pass are ok)? or use a
> 3-field form?
> in that way the attacker cannot know if the password is ok or if the token is
> bad...

This message was sent by Atlassian Jira
