Commit 62ea0274 authored by Jacob Vosmaer's avatar Jacob Vosmaer

Block Git HTTP Basic Auth after 10 failed attempts

parent 7512016d
v 7.7.0
- Block Git HTTP access after 10 failed authentication attempts
v 7.6.0 v 7.6.0
- Fork repository to groups - Fork repository to groups
- New rugged version - New rugged version
......
...@@ -298,6 +298,17 @@ production: &base ...@@ -298,6 +298,17 @@ production: &base
# ![Company Logo](http://www.companydomain.com/logo.png) # ![Company Logo](http://www.companydomain.com/logo.png)
# [Learn more about CompanyName](http://www.companydomain.com/) # [Learn more about CompanyName](http://www.companydomain.com/)
rack_attack:
git_basic_auth:
# Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10
#
# Reset the auth attempt counter per IP after 60 seconds
# findtime: 60
#
# Ban an IP for one hour (3600s) after too many auth attempts
# bantime: 3600
development: development:
<<: *base <<: *base
......
...@@ -171,6 +171,15 @@ Settings.satellites['timeout'] ||= 30 ...@@ -171,6 +171,15 @@ Settings.satellites['timeout'] ||= 30
# #
Settings['extra'] ||= Settingslogic.new({}) Settings['extra'] ||= Settingslogic.new({})
#
# Rack::Attack settings
#
Settings['rack_attack'] ||= Settingslogic.new({})
Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour
# #
# Testing settings # Testing settings
# #
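Review bot: The new defaults carry no comment on their units or their consumer: `findtime`/`bantime` are stored here as ActiveSupport durations while gitlab.yml documents them as plain seconds, and Rack::Attack::Allow2Ban reads them back as `options[:findtime]`, `options[:bantime]`, `options[:maxretry]` with symbol keys, which presumably works only because Settingslogic's indexer normalises the key type — worth confirming before anyone replaces these with a plain Hash. Suggest replacing the bare `# Rack::Attack settings` header with something like `# Rack::Attack settings: read by Rack::Attack::Allow2Ban (symbol-key access); findtime/bantime are in seconds, maxretry is the number of failed Git HTTP auth attempts per IP before that IP is banned`. The `||=` on each key means a value set to `false` in gitlab.yml is replaced by the default rather than disabling the limit, which the comment could state as well.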
......
unless Rails.env.test?
Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
# This block only gets run if the IP was not already banned.
# Return false, meaning that we do not see anything wrong with the
# request at this time
false
end
end
end
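Review bot: The blacklist block runs for every request the application receives, not only Git HTTP ones — there is no check on `req.path` or on the presence of a Basic Auth header — so once an IP trips Allow2Ban, Rack::Attack's blocklist response (403 by default) is served to the web UI and API from that address as well, which is broader than the changelog entry describes. If a whole-site ban is intended, say so in the comment above the `Rack::Attack.blacklist` call, e.g. `# A banned IP is rejected for all requests, not only Git HTTP; the ban is keyed on the client IP as Rack resolves it`; if not, gate the block on the Git HTTP request paths. The ban key is `req.ip`, which Rack derives from X-Forwarded-For only for proxies it trusts; if the reverse proxy in front of GitLab is not in that set, every client appears as the proxy's address and ten bad passwords from any one user ban everyone behind it. The same key is used in grack_auth via `@request.ip`, so both must resolve the client address the same way.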
# Monkey-patch Redis::Store to make 'setex' and 'expire' work with namespacing
module Gitlab
class Redis
class Store
module Namespace
def setex(key, expires_in, value, options=nil)
namespace(key) { |key| super(key, expires_in, value) }
end
def expire(key, expires_in)
namespace(key) { |key| super(key, expires_in) }
end
end
end
end
end
Redis::Store.class_eval do
include Gitlab::Redis::Store::Namespace
end
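Review bot: In both patched methods the block parameter `|key|` shadows the `key` argument of the enclosing method, which hides the fact that `super` receives the namespaced key rather than the caller's; rename it, e.g. `namespace(key) { |ns_key| super(ns_key, expires_in, value) }` and `namespace(key) { |ns_key| super(ns_key, expires_in) }`. `setex` also accepts an `options` argument that is never forwarded to `super`, so if the underlying `Redis::Store#setex` honours options they are silently dropped here — either pass them through or remove the parameter, and note the decision in the header comment. That header comment could also record why the patch exists; from this commit it looks like Rack::Attack's counters reach `setex`/`expire` through the cache store and would otherwise bypass the namespace, but the caller is not visible here, so phrase it as the motivating case rather than a guarantee.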
...@@ -72,8 +72,18 @@ module Grack ...@@ -72,8 +72,18 @@ module Grack
end end
def authenticate_user(login, password) def authenticate_user(login, password)
auth = Gitlab::Auth.new user = Gitlab::Auth.new.find(login, password)
auth.find(login, password) return user if user.present?
# At this point, we know the credentials were wrong. We let Rack::Attack
# know there was a failed authentication attempt from this IP
Rack::Attack::Allow2Ban.filter(@request.ip, Gitlab.config.rack_attack.git_basic_auth) do
# Return true, so that Allow2Ban increments the counter (stored in
# Rails.cache) for the IP
true
end
nil # No user was found
end end
def authorized_request? def authorized_request?
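Review bot: `authenticate_user` now has a side effect that its signature does not reveal — every `nil` return records one failed attempt against `@request.ip` in Allow2Ban's counter — and the method carries no doc comment saying so. Suggest adding above `def authenticate_user`: `# @return [User, nil] the user matching login/password, or nil; a nil result also counts one failed attempt for @request.ip toward the Git HTTP ban`. The call site is outside this hunk, so it cannot be confirmed here whether the method can be reached with blank credentials (a git client's first, unauthenticated probe); if it can, those requests would consume the retry budget, and a `return nil if login.blank? && password.blank?` guard before the lookup would avoid counting them.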
......