
log failed authentication attempts for audit trail? #6447


Open
brainwane opened this issue Aug 15, 2019 · 3 comments
Labels: feature request; needs discussion (a product management/policy issue maintainers and users should discuss)

Comments

@brainwane
Contributor

Should we log and display failed authentication attempts? Especially with the new API tokens, it would likely be useful to see failed attempts (and reasons why they failed) in the user security log.

But the concern with logging failed authentication attempts is that an attacker could use them to spam the event log, drowning out legitimately malicious events with junk (or causing security fatigue for the target user). We could mitigate that somewhat by being choosy with which failures we log, e.g., correct password but failed 2FA.

(condensed from conversation between @di and @woodruffw ; followup to #5863)

@brainwane added the "feature request" and "needs discussion" labels on Aug 15, 2019
@woodruffw
Member

woodruffw commented Aug 15, 2019

Thanks @brainwane!

To copy what I was about to put into a new issue (apologies for duplication):

The following events might be useful:

  • Failed user sign-on
  • Failed API token authentication (either completely wrong, or wrong scope)

Of concern: a malicious agent could spam a target user or project's event log by intentionally sending the wrong password or wrong API token repeatedly, causing the user to miss "legitimate" attempts to breach their account. This could be minimized by only logging failed partial authentication attempts, e.g. correct password with incorrect 2FA, or correct API token but incorrect scope. This would cause us to miss some events, but would also reduce the potential for spam-induced fatigue.

@cjerdonek

cjerdonek commented Aug 24, 2019

To address the spam issue for "uninteresting" failed attempts, what about the idea of displaying just a count of failed attempts (e.g. over the last N days). That way people would still see some indication of failed attempts (as well as the degree).

@woodruffw
Member

> To address the spam issue for "uninteresting" failed attempts, what about the idea of displaying just a count of failed attempts (e.g. over the last N days). That way people would still see some indication of failed attempts (as well as the degree).

This is a good solution for the client side, but we'd probably also need to do some deduplication on the server side to prevent an adversary from clogging up the DB.

OTOH, thinking about this a bit more, the existing rate-limiting framework should provide us with adequate cover for most failed authentication events. So maybe I was overthinking this and it isn't an issue at all 🙂
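As an added illustration of the filter-then-deduplicate approach discussed in this thread (hypothetical code, not Warehouse's own and not from any participant; the outcome names, the `SecurityLog` class and the 7-day window are assumptions), only "partial" failures are stored, repeats collapse into a counter, and the user sees an aggregate count:

```python
# Added example (hypothetical, not Warehouse code): log only "partial" auth failures, deduplicated.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class AuthOutcome(Enum):
    BAD_PASSWORD = "bad_password"          # full failure: trivially spammable
    BAD_TOKEN = "bad_token"                # full failure: trivially spammable
    PASSWORD_OK_2FA_FAILED = "2fa_failed"  # partial: the password is already known
    TOKEN_OK_WRONG_SCOPE = "wrong_scope"   # partial: a valid token used out of scope

LOGGED_OUTCOMES = {AuthOutcome.PASSWORD_OK_2FA_FAILED, AuthOutcome.TOKEN_OK_WRONG_SCOPE}  # partial only

@dataclass
class FailureEvent:
    last_seen: datetime
    count: int = 1

@dataclass
class SecurityLog:
    window: timedelta = timedelta(days=7)
    events: dict = field(default_factory=dict)  # (user, outcome) -> FailureEvent
    dropped: int = 0                            # noisy failures left to rate limiting

    def record_failure(self, user: str, outcome: AuthOutcome, now: datetime) -> bool:
        """Store or update an event; return False when the failure is filtered out."""
        if outcome not in LOGGED_OUTCOMES:
            self.dropped += 1
            return False
        event = self.events.get((user, outcome))
        if event and now - event.last_seen <= self.window:
            event.count += 1        # dedup: one row per (user, outcome) per window
            event.last_seen = now
        else:
            self.events[(user, outcome)] = FailureEvent(now)
        return True

    def failures_in_window(self, user: str, now: datetime) -> int:
        """Aggregate count to show the user instead of individual rows."""
        return sum(e.count for (u, _), e in self.events.items()
                   if u == user and now - e.last_seen <= self.window)

def demo() -> tuple:
    log, t0 = SecurityLog(), datetime(2019, 8, 15)  # constructed scenario
    for m in range(500):   # 500 wrong passwords: nothing stored
        log.record_failure("alice", AuthOutcome.BAD_PASSWORD, t0 + timedelta(minutes=m))
    for h in range(3):     # 3 correct-password / failed-2FA attempts: one row, count 3
        log.record_failure("alice", AuthOutcome.PASSWORD_OK_2FA_FAILED, t0 + timedelta(hours=h))
    log.record_failure("alice", AuthOutcome.TOKEN_OK_WRONG_SCOPE, t0 + timedelta(hours=3))
    return log.dropped, len(log.events), log.failures_in_window("alice", t0 + timedelta(hours=3))
```

`demo()` returns `(500, 2, 4)`: the 500 wrong-password attempts never touch the table, while the four partial failures occupy two rows and surface as a single count.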
