[ https://issues.apache.org/jira/browse/CASSANDRA-19734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17861176#comment-17861176 ]

Bernardo Botella commented on CASSANDRA-19734:
----------------------------------------------

Should the database operator/administrator be able to reset the time window as 
well? I'm thinking about the legitimate user being locked out (typing the 
password wrong happens... :P) and contacting the administrator to reset the 
window (or the password for that matter).

Another concern for IP based without taking the username into account is the 
typical scenario in which large organizations are hitting the DB from a single 
IP. There, one person being locked down could lead to the whole organization 
being locked out (in which case, I know, the rate limiting should have never 
been turned on in the first place). Having the username would definitely make 
this useful for those scenarios.

> Rate limiting per-node on failed log-in attempts
> ------------------------------------------------
>
>                 Key: CASSANDRA-19734
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19734
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>
> If there is a malicious attacker who is brute-forcing passwords / usernames, 
> we should just ban such a user for some time. On the other hand, we should 
> still enable logging in for genuine users who just happened to provide invalid 
> passwords multiple times; we do not want to ban these completely. 
> A rate limit might be something like "5 times per minute".
> This should be based on the IP address of a client to identify the attacker. If 
> we based this on invalid passwords only, an attacker might just change the 
> usernames to bypass that.
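An added example (not code from the Cassandra ticket or project) of the scheme discussed above: a sliding-window limiter that keys failed attempts on (client IP, username) so one locked-out user behind a shared address does not lock out the rest of the organisation, keeps a higher per-IP ceiling so that rotating usernames from a single address still trips a limit, and gives the operator a reset for one user or a whole address. The thresholds other than the ticket's "5 per minute", the per-IP ceiling, and the injectable clock are assumptions.

```python
import time
from collections import deque


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window (assumed design)."""

    def __init__(self, window_seconds, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock  # injectable so tests can control time
        self._events = {}   # key -> deque of event timestamps

    def _prune(self, key):
        """Drop timestamps older than the window; return remaining count."""
        q = self._events.get(key)
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._events[key]
        return len(q)

    def add(self, key):
        self._prune(key)
        self._events.setdefault(key, deque()).append(self.clock())

    def count(self, key):
        return self._prune(key)

    def clear(self, key):
        self._events.pop(key, None)

    def clear_matching(self, predicate):
        for key in [k for k in self._events if predicate(k)]:
            del self._events[key]


class FailedLoginLimiter:
    """Two tiers: 5 failures/min per (ip, user) plus an assumed per-IP ceiling."""

    def __init__(self, per_user=5, per_ip=50, window_seconds=60.0,
                 clock=time.monotonic):
        self.per_user, self.per_ip = per_user, per_ip
        self.users = SlidingWindowCounter(window_seconds, clock)
        self.ips = SlidingWindowCounter(window_seconds, clock)

    def is_blocked(self, ip, user):
        return (self.users.count((ip, user)) >= self.per_user
                or self.ips.count(ip) >= self.per_ip)

    def record_failure(self, ip, user):
        """Register one failed attempt; True if this (ip, user) is now blocked."""
        self.users.add((ip, user))
        self.ips.add(ip)
        return self.is_blocked(ip, user)

    def record_success(self, ip, user):
        self.users.clear((ip, user))  # a good password clears that user's window

    def reset(self, ip, user=None):
        """Operator reset: one user's window, or the IP and every user behind it."""
        if user is None:
            self.ips.clear(ip)
            self.users.clear_matching(lambda key: key[0] == ip)
        else:
            self.users.clear((ip, user))
```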



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
