Re: [cas-user] Failed Login Attempts

2021-05-18 Thread 'Richard Frovarp' via CAS Community
Don't get me wrong, throttling is definitely good. The thing you want to watch 
out for is when unexpected attempts succeed. So one bit of strange behavior to 
be on the lookout for is an authentication that triggers MFA, but the MFA 
success never happens. It will depend on your MFA solution. However, for 
instance, Duo won't send a failure, only a success. So you would want to watch 
for the trigger on Duo, but never seeing any success. That either means your 
users are having trouble with MFA, or an attacker has found the creds, but 
hasn't triggered MFA by blocking the MFA scripts from even running. If they 
have blocked the scripts, you won't even see anything in Duo or your MFA 
solution of choice.

On Tue, 2021-05-18 at 12:42 -0700, Jeremiah Garmatter wrote:
Thanks for the clarification guys,

Failure and rate throttling are better than nothing. I'll use them and maybe 
set up another script to alert me if strange behavior rolls in.

On Tuesday, May 18, 2021 at 2:24:20 PM UTC-4 richard.frovarp wrote:
Adding user won't catch a spray over different usernames. I just use rate 
throttling as well.

And yeah, if they go down to 1 per second, you'll never catch them with the 
throttle. You also won't catch them if they come at you with hundreds of IPs.

On Mon, 2021-05-17 at 16:40 +, Ray Bon wrote:
Jeremiah,

There is also throttling based on username and IP address, 
https://apereo.github.io/cas/6.3.x/installation/Configuring-Authentication-Throttling.html.
I have not used this, just rate throttling.

Ray


On Mon, 2021-05-17 at 08:32 -0700, Jeremiah Garmatter wrote:
Hello,

I'm looking for a feature of CAS 6.3 that will allow me to lock or limit users 
after a few failed login attempts. I have tried the failure throttling module 
but find it confusing and not quite what I'm looking for.

The failure throttling module seems like it can only detect 2 auth failures if 
the second one comes in very quickly (fast enough to be caught by the defined 
threshold per secondRange rate). If someone slows down their authentication 
attempts so they occur once every second, they'll never be caught right? Also, 
3 failed attempts over 15 seconds has the same effect as 2 failed attempts over 
10 seconds, so if you only fail 2, you won't be allowed to try a third time.

Is there another feature that would let me define an actual amount of failed 
logins over a period of time instead of a rate?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3d4ae5cd552bce43945a5b77073f2fac2c5f85ec.camel%40ndsu.edu.
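
The check Richard describes, written out as an added example (mine, not code from the thread, CAS or Duo): it correlates constructed CAS-style audit events and flags users whose MFA prompt was never followed by an MFA success. The event names and the 300-second window are assumptions.

```python
# Added example (not from the thread): flag MFA prompts that never complete.
# Assumptions: events are "<epoch> <event> <user> <ip>" lines and the event
# names are illustrative stand-ins for whatever your CAS and Duo logs emit.
from collections import defaultdict

WINDOW_SECONDS = 300  # assumed grace period for a user to finish the MFA step

# Constructed sample: alice completes MFA, bob is prompted twice and never
# completes, carol was prompted only moments ago.
SAMPLE_EVENTS = """\
1000 AUTHENTICATION_SUCCESS alice 203.0.113.7
1001 MFA_TRIGGER alice 203.0.113.7
1025 MFA_SUCCESS alice 203.0.113.7
2000 AUTHENTICATION_SUCCESS bob 198.51.100.9
2001 MFA_TRIGGER bob 198.51.100.9
2099 AUTHENTICATION_SUCCESS bob 198.51.100.9
2100 MFA_TRIGGER bob 198.51.100.9
3289 AUTHENTICATION_SUCCESS carol 192.0.2.44
3290 MFA_TRIGGER carol 192.0.2.44
"""


def parse_events(text):
    """Parse the constructed audit lines into (ts, event, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, name, user, ip = line.split()
            events.append((int(ts), name, user, ip))
    return events


def find_incomplete_mfa(events, now, window=WINDOW_SECONDS):
    """Return {user: [(trigger_ts, ip), ...]} for users whose MFA prompts have
    no later MFA success and whose latest prompt is older than the window.

    As Richard notes, the signal is the same whether the user is struggling
    with MFA or an attacker has the password and kept Duo from running, so a
    hit is something to investigate, not a verdict.
    """
    open_prompts = defaultdict(list)
    for ts, name, user, ip in sorted(events):
        if name == "MFA_TRIGGER":
            open_prompts[user].append((ts, ip))
        elif name == "MFA_SUCCESS":
            open_prompts.pop(user, None)  # a success answers every earlier prompt
    return {u: p for u, p in open_prompts.items() if now - p[-1][0] >= window}
```

Run it with `find_incomplete_mfa(parse_events(SAMPLE_EVENTS), now=3500)`: bob is reported with two unanswered prompts, carol is still inside the window, alice is clean.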


Re: [cas-user] Failed Login Attempts

2021-05-18 Thread Jeremiah Garmatter
Thanks for the clarification guys,

Failure and rate throttling are better than nothing. I'll use them and 
maybe set up another script to alert me if strange behavior rolls in.




Re: [cas-user] Failed Login Attempts

2021-05-18 Thread 'Richard Frovarp' via CAS Community
Adding user won't catch a spray over different usernames. I just use rate 
throttling as well.

And yeah, if they go down to 1 per second, you'll never catch them with the 
throttle. You also won't catch them if they come at you with hundreds of IPs.


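
To make the throttle argument in this thread concrete, here is an added example (mine, not CAS code): a rate throttle modelled on the behaviour Jeremiah describes (refuse when the gap since the key's last failure is shorter than range_seconds divided by threshold) beside the failure-count lockout he asks for, both run over constructed attempt streams for the one-per-second brute force and the username spray the replies mention. The key function stands in for CAS's per-username, per-IP or combined throttles and is an assumption.

```python
# Added example, not CAS code: two throttle policies compared on constructed
# login attempt streams. The defaults (100 failures per 60 s) mirror a
# "threshold per range-seconds" setting; the key function is an assumption.
from collections import defaultdict, deque


class RateThrottle:
    """Refuse when the gap since this key's last failure is shorter than
    range_seconds / threshold: the behaviour Jeremiah describes, where only
    the last failure is remembered, so the spacing of attempts is what counts."""

    def __init__(self, threshold=100, range_seconds=60, key=lambda u, ip: (u, ip)):
        self.min_gap = range_seconds / threshold
        self.key, self.last_failure = key, {}

    def submit(self, t, user, ip, ok):
        k = self.key(user, ip)
        if k in self.last_failure and t - self.last_failure[k] < self.min_gap:
            return "throttled"
        if not ok:
            self.last_failure[k] = t
        return "accepted"


class FailureCountLockout:
    """What Jeremiah asks for: refuse once max_failures fell inside window seconds."""

    def __init__(self, max_failures=5, window=300, key=lambda u, ip: (u, ip)):
        self.max, self.window, self.key = max_failures, window, key
        self.failures = defaultdict(deque)

    def submit(self, t, user, ip, ok):
        q = self.failures[self.key(user, ip)]
        while q and t - q[0] > self.window:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= self.max:
            return "locked"
        if not ok:
            q.append(t)
        return "accepted"


def refused(policy, attempts):
    """Count the attempts a policy refuses; attempts are (t, user, ip, ok)."""
    return sum(policy.submit(*a) != "accepted" for a in attempts)


# Constructed streams: all failures, one per second for a minute.
SLOW_BRUTE = [(t, "alice", "203.0.113.7", False) for t in range(60)]
SPRAY_ONE_IP = [(t, f"user{t}", "203.0.113.7", False) for t in range(60)]
SPRAY_MANY_IPS = [(t, f"user{t}", f"198.51.100.{t + 1}", False) for t in range(60)]
```

With the defaults the one-per-second stream is never rate-throttled but is locked after five failures, a 3-per-15-second rate setting refuses everything closer than five seconds to the previous failure, and the spray is caught only when the lockout is keyed by IP alone and not at all once each attempt comes from a different IP.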


Re: [cas-user] Client Apache Unauthorized after successful login.

2021-05-18 Thread irvan suryadi
Hi Guys,

In this problem, I used these steps to make my local web server trust that 
self-signed certificate.

Copy your certificate in PEM format (the format that has BEGIN 
CERTIFICATE in it) into /usr/local/share/ca-certificates and name it 
with a .crt file extension.
Then run sudo update-ca-certificates.

Hope it helps you.
Cheers,
Irvan


On Saturday, 16 January 2021 at 14.00.00 UTC+7 irvan suryadi wrote:

> Hi Ray,
>
> I finally did it.
> Thanks Ray for your recommendation.
>
> Cheers,
> Irvan
>
> On Tuesday, 12 January 2021 at 05.26.40 UTC+7 Ray Bon wrote:
>
>> Irvan,
>>
>> It looks like mod_auth_cas is unable to find the cert at that location 
>> (/etc/ssl/certs), or it is not an x509 cert, or it is not readable.
>>
>> Ray
>>
>> On Mon, 2021-01-11 at 12:08 -0800, irvan suryadi wrote:
>>
>>
>> Ray,
>>
>> I have followed your recommendation above; 
>> I think a little more might make it work.
>>
>> Now I find the following error message:
>> MOD_AUTH_CAS: curl_easy_perform() failed (error setting certificate 
>> verify locations:\n  CAfile: /etc/ssl/certs/cas.cer\n  CApath: 
>> /etc/ssl/certs).
>>
>> What can I do? (I have imported cas.cer to cacert in jvm ... / security / 
>> cacerts).
>>
>> Thanks,
>> Irvan
>>
>>
>> On Tuesday, 12 January 2021 at 02.24.08 UTC+7 Ray Bon wrote:
>>
>> Irvan,
>>
>> Try moving the certificate from /etc/cas/ to the system cert store, 
>> somewhere like /etc/ssl/certs/, so that the host curl can find it. (And 
>> update the mod_auth_cas config to point there.)
>>
>> Ray
>>
>> On Mon, 2021-01-11 at 11:09 -0800, irvan suryadi wrote:
>>
>> Hi Ray,
>>
>> I've tried what you recommended before, 
>> but I still get the same error. After checking the apache2 error log, 
>> I find this error message:
>> [client 127.0.0.1:51490] MOD_AUTH_CAS: curl_easy_perform() failed (SSL 
>> certificate problem: self signed certificate)
>>
>> I think this is because I use the self-signed keystore and certificate 
>> created with "./gradlew createKeystore" in the cas-server files.
>>
>> Can I use the self-signed certificate, or turn off the self-signed 
>> certificate check on apache?
>>
>> Thanks,
>> Irvan
>> On Thursday, 07 January 2021 at 04.31.07 UTC+7 Ray Bon wrote:
>>
>> Irvan,
>>
>> The embedded container properties might be for tomcat.
>> You may have to add the cert to the java keystore, usually in 
>>  /jre/lib/security/cacerts.
>>
>> Ray
>>
>> On Wed, 2021-01-06 at 12:06 -0800, irvan suryadi wrote:
>>
>> Hello Ray,
>>
>> I have done several experiments based on your suggestions. First, 
>> I'd like to answer about cas.example.org and localhost: yes, it is true 
>> that they are the same host on IP 127.0.0.1.
>>
>> I have added the certificate to "auth_cas.conf" using 
>> "CASCertificatePath", but the problem is still the same.
>>
>> Is there anything I missed?
>>
>> Thanks,
>> Irvan
>>
>> auth_cas.conf :
>>
>> # enclosing container directive not preserved in the archive copy;
>> # <Location /secured-by-cas> assumed from the access.log below
>> <Location /secured-by-cas>
>> AuthType CAS
>> CASAuthNHeader On
>> Require valid-user
>> </Location>
>>
>> CASLoginUrl https://cas.example.org:8443/cas/login
>> CASValidateUrl https://cas.example.org:8443/cas/serviceValidate
>> CASCookiePath /var/cache/apache2/mod_auth_cas/
>> CASSSOEnabled On
>> CASDebug On
>> LogLevel debug
>> CASCertificatePath /etc/cas/cas.crt
>>
>>
>> -
>>
>> Based on your directions, here is what my apache server "access.log" looks 
>> like when I try to run cas:
>> ::1 - - [07/Jan/2021:02:20:30 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 
>> "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
>> Chrome/87.0.4280.88 Safari/537.36"
>> ::1 - - [07/Jan/2021:02:21:22 +0700] "-" 408 0 "-" "-"
>> ::1 - - [07/Jan/2021:02:30:41 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 
>> "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
>> Chrome/87.0.4280.88 Safari/537.36"
>> ::1 - - [07/Jan/2021:02:38:18 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 
>> "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
>> Chrome/87.0.4280.88 Safari/537.36"
>> ::1 - - [07/Jan/2021:02:39:10 +0700] "-" 408 0 "-" "-"
>> 127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET 
>> /secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan HTTP/1.1" 401 682 
>> "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
>> Chrome/87.0.4280.88 Safari/537.36"
>> 127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET 
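
Ray's three causes and Irvan's fix, as an added example (mine, not from the thread or mod_auth_cas): diagnose_ca_file classifies the file named by CASCertificatePath as missing, unreadable, not PEM, or not a parseable X.509 certificate using only the standard library, and stage_for_system_store copies a good one into /usr/local/share/ca-certificates with the .crt extension before you run update-ca-certificates. The directory and .crt naming come from Irvan's steps; the function names are mine.

```python
# Added example, not from the thread or mod_auth_cas: classify the file named
# by CASCertificatePath the way Ray's reply lists the causes, then stage it
# for the trust-store step Irvan describes. SYSTEM_CA_DIR is the Debian/Ubuntu
# input directory read by update-ca-certificates.
import os
import shutil
import ssl

SYSTEM_CA_DIR = "/usr/local/share/ca-certificates"
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def classify_pem(data):
    """'not-pem' if the bytes lack the PEM armour (a DER .cer export, for
    example), 'not-x509' if OpenSSL cannot parse a certificate from them,
    otherwise 'ok'. Uses only the stdlib ssl module."""
    if PEM_MARKER not in data:
        return "not-pem"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=data.decode("ascii"))
    except (ssl.SSLError, UnicodeDecodeError):
        return "not-x509"
    return "ok"


def diagnose_ca_file(path):
    """The causes Ray names (missing, unreadable, not an X.509 cert) in the
    order curl would hit them, plus 'ok' when the file would be accepted."""
    if not os.path.isfile(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    with open(path, "rb") as f:
        return classify_pem(f.read())


def stage_for_system_store(path, dest_dir=SYSTEM_CA_DIR):
    """Copy a cert that diagnoses 'ok' into dest_dir with the .crt extension
    update-ca-certificates requires; returns the new path, or None if the
    file is not usable. Run 'sudo update-ca-certificates' afterwards."""
    if diagnose_ca_file(path) != "ok":
        return None
    name = os.path.splitext(os.path.basename(path))[0] + ".crt"
    dest = os.path.join(dest_dir, name)
    shutil.copyfile(path, dest)
    return dest
```

A .cer exported in DER form reports 'not-pem'; convert it with openssl x509 -inform der before staging.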

[cas-user] Re: CAS Subs: New mailing list details

2021-05-18 Thread Misagh Moayyed
(Quarterly reminder)

Hello, 

The CAS project management committee has availed a new mailing list 
for Apereo CAS subscribers. This new forum will be used as a 
trusted-contacts list to share security release updates, vulnerability 
details, etc early on, should a security patch release become 
available. The new group will not be a special support channel in any 
other way and existing community support channels (lists, chatrooms, 
etc) will remain and function as they do today. 

If you and/or your institution are a member of the Apereo Foundation 
*and* a subscriber to the CAS project, you can join the list by 
contacting me (I am at mm1844 [at] gmail dot com) from your 
institutional email account with the subject "CAS Sub: list membership 
request". To keep list maintenance and management overhead to a 
minimum, please nominate one account per organization. It's best for 
the nominee to be either involved in day-to-day CAS Ops or be a member 
of your organization's security team, so please choose your contact 
carefully. 

This new list should be (we hope) fairly low traffic and, needless to 
say, membership is entirely optional. I will be sending this message 
periodically as a reminder for anyone who might have missed it, so 
apologies for the noise beforehand. If you have any other questions or 
concerns, please feel free to contact me all the same. 

Thank you, 
Misagh Moayyed, on behalf of CAS PMC 
