authorBenjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>2024-12-06 11:20:58 +0100
committerGitHub <noreply@github.com>2024-12-06 11:20:58 +0100
commit9f0c1131359099f21d57a13d62a348eaec1e2ef8 (patch)
tree4bc11ed9ed00590aa3dc2c077f13727d78d67ba8
parent9684c3d2d3522ccff33b18795722bf1be79e88a0 (diff)
parent1fd19685f1e39a19b8cb6129a96ab43ec717e01b (diff)
Merge pull request #49599 from nextcloud/feat/bruteforce-max-attempts
-rw-r--r--config/config.sample.php11
-rw-r--r--lib/private/Security/Bruteforce/Throttler.php4
2 files changed, 13 insertions, 2 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index f9dd9210336..eeaa9a7ef3d 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -432,6 +432,17 @@ $CONFIG = [
'auth.bruteforce.protection.testing' => false,
/**
+ * Brute force protection: maximum number of attempts before blocking
+ *
+ * When more than max-attempts login requests are sent to Nextcloud, requests
+ * will abort with "429 Too Many Requests".
+ * For security reasons, change it only if you know what you are doing.
+ *
+ * Defaults to ``10``
+ */
+'auth.bruteforce.max-attempts' => 10,
+
+/**
* Whether the rate limit protection shipped with Nextcloud should be enabled or not.
*
* Disabling this is discouraged for security reasons.
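Review bot: The new docblock for `auth.bruteforce.max-attempts` gives no valid range for the value, yet in the Throttler it is used directly in `$attempts > max` comparisons with no clamp, so a zero or negative value (and presumably a non-numeric one, if `getSystemValueInt` casts it to 0) would block an IP on its first failed attempt, while a very large value effectively disables blocking. The text also says "login requests", but the Throttler keys its counters by an `$action` (visible in the second file), so the threshold applies to every brute-force-protected action, not only login. I'd replace the middle paragraph with: `* Must be a positive integer. Applies to every brute-force-protected action, not only login. Raising it widens the window an attacker has for guessing; 0 or a negative value blocks an IP on its first failed attempt.` The "change it only if you know what you are doing" sentence can stay after that.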
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
index 596fcf408fa..924ae3685f3 100644
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@@ -195,7 +195,7 @@ class Throttler implements IThrottler {
}
$firstDelay = 0.1;
- if ($attempts > self::MAX_ATTEMPTS) {
+ if ($attempts > $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)) {
// Don't ever overflow. Just assume the maxDelay time:s
return self::MAX_DELAY_MS;
}
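Review bot: The configured threshold is compared unvalidated in the new `if ($attempts > $this->config->getSystemValueInt(...))` line, so `auth.bruteforce.max-attempts` set to 0 or below (or, if `getSystemValueInt` casts non-numeric strings to 0, a typo like `'ten'`) makes the check true on the first failed attempt and turns the protection into a one-strike lockout for the whole IP — a cheap denial-of-service against shared NAT addresses. The same raw lookup is repeated in `sleepDelayOrThrowOnMax`, so any validation added here must also be mirrored there. I'd read the value once through a private accessor that clamps to at least 1 and use it at both call sites. `getDelay`'s signature and whatever runs before `$firstDelay` are outside the hunk, so I cannot see whether the value is validated earlier; if it is not, the helper below is the place.
```php
	/**
	 * Configured blocking threshold, clamped to >= 1 so a zero, negative or
	 * non-numeric config value cannot lock out every IP on its first failure.
	 */
	private function getMaxAttempts(): int {
		return max(1, $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS));
	}

	// … unchanged: getDelay() up to $firstDelay = 0.1; …
		if ($attempts > $this->getMaxAttempts()) {
			// Don't ever overflow. Just assume the maxDelay time:s
			return self::MAX_DELAY_MS;
		}
```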
@@ -263,7 +263,7 @@ class Throttler implements IThrottler {
*/
public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int {
$delay = $this->getDelay($ip, $action);
- if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > self::MAX_ATTEMPTS) {
+ if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)) {
$this->logger->info('IP address blocked because it reached the maximum failed attempts in the last 30 minutes [action: {action}, ip: {ip}]', [
'action' => $action,
'ip' => $ip,
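Review bot: This second raw `getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)` call duplicates the one in `getDelay`, so any clamping or validation added to one site can silently diverge from the other, and the block decision that produces the 429 depends on both agreeing. Route both through one accessor, e.g. `if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > $this->getMaxAttempts()) {`, where `getMaxAttempts()` is a private method returning `max(1, $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS))`. The lower bound matters here in particular: with the threshold at 0 an IP would be logged and blocked after a single failure. `sleepDelayOrThrowOnMax` continues past the end of the hunk.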