Login logging

Hi,

is there something for cbadmin like logging the last login, failed logins, brute force protection?

Best regards,

Gunnar

Not that I know of, but those would be great features. With the appropriate interception points, they could be added via a module, but Luis may think they deserve to be in the core. The logging would probably want to be optional. The last time I looked, my Linux server used to get roughly 7 quadrillion root login attempts per second. It got to the point where I knew automated attacks were going to happen so there was no use even bothering to look at the logs. To some extent I think just having a good password requirement is the best defence against it. A delay between bad logins can also slow down bots. Even soft-banning IPs after so many attempts might help, but sophisticated attackers have the ability to distribute the attempts all around the world so no two IPs try twice.

Now, what would be more work but might be interesting is like what my online banking website does. Any time I log in from a new location, they force me to answer some security questions to prove who I am. Then they put a cookie on my machine that flags it as good (unless I check the box that I’m on a public computer). This could be really annoying to the casual user, but possibly a feature some could enable if they wanted to really secure their setup.

To be honest though, the login is often the more secure part of an app, which is why hackers are more likely to find a back/side door and access the server via some other exploit like local file disclosure, session hijacking, XSS, etc.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

We have implemented a protection for our own app already, we could include it into Contentbox if you tell us where it should be implemented.
What we do is we write username and ID into a cache. If we have too many login attempts for an ID or from an IP we block it for some minutes.
The nice thing about the cache is that you don’t have to take care about the expiration.

It would be nice to see the last x logins on the dashboard, I have it with a few services I use and that gives me good feeling that the box/service is not under attack.

What your banking app does sounds like a two factor authentication which many companies have introduced. For my feeling it is a bit too much for now.

Best regards,

Gunnar

Gunnar, I think that’s a great start. Just send over a pull request and a Jira ticket, and I can model it into it.

Luis Majano
CEO
Ortus Solutions, Corp
www.ortussolutions.com
P/F: 1-888-557-8057
Direct: (909) 248-3408

ColdBox Platform: http://www.coldbox.org

ContentBox Platform: http://www.gocontentbox.org
Linked In: http://www.linkedin.com/pub/3/731/483

Social: twitter.com/ortussolutions | twitter.com/coldbox | twitter.com/lmajano | twitter.com/gocontentbox

I will ask Andy on Monday to prepare a pull request.

If you have a proposal where it would be placed best, let me know.

Best regards,

Gunnar

I think the way I would do this is the following:

Have an interceptor under contentbox.model.security.LoginTracker.cfc that listens to cbadmin_onBadLogin and cbadmin_preLogin with an injection of the SecurityService, which will hold the model calls.

  1. Add the logging into the cache like you mention via listening to the “cbadmin_onBadLogin” interception point. Also, maybe add to an auth logging table which can keep a history of the X amount of invalid logins with IP addresses, etc. That X amount should be configurable via the settings, as well as how long to invalidate login and whether to enable the entire feature as well. So the following settings:

cb_security_login_blocker = true // activates/deactivates this feature
cb_security_max_attemps = numeric = 5 // how many invalid logins from same IP to block login threshold
cb_security_blocktime = minutes = 5 // The number of minutes to block the user from that IP
cb_security_max_auth_logs = numeric = 500 // The number of invalid login history to keep in the invalid log table, before the data is truncated.

This interceptor should also check if the cb_security_max_auth_logs is reached and if so, truncate the table.

  2. Listen to “cbadmin_preLogin”. Here is where it would kick out with a custom message to the user about being blocked. That method should take the logging data from the cache, so when it expires, it can allow them to login again. This interception point relocates to the login with a message.

  3. The dashboard handler should call the security service for this data and present it.

  4. Under System I would create a new entry called “Auth Logs” and display the log table for invalid logins with whois links to the IP address. Also a capability to Truncate the table.

Luis Majano
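The blocker logic sketched above, as an added example in Python that is not ContentBox code: an in-memory stand-in for the cache entry with a timeout, keyed by IP, with the proposed cb_security_* settings and the truncate-the-table rule for the auth log. The setting names are taken from the thread; the class, method names and the injectable clock are assumptions for illustration.

```python
import time
from collections import deque

# Constructed settings using the keys proposed in the thread (values are the proposed defaults).
SETTINGS = {
    "cb_security_login_blocker": True,   # activates/deactivates the feature
    "cb_security_max_attemps": 5,        # invalid logins from one IP before blocking
    "cb_security_blocktime": 5,          # minutes the IP stays blocked
    "cb_security_max_auth_logs": 500,    # rows kept before the log table is truncated
}


class LoginTracker:
    """Hypothetical model of the proposed interceptor: counts bad logins per IP in an
    expiring cache, refuses preLogin while the entry is alive, keeps a bounded auth log."""

    def __init__(self, settings, clock=time.time):
        self.s = settings
        self.clock = clock            # injectable so expiry can be tested without sleeping
        self.cache = {}               # ip -> (count, expires_at); stands in for the cache entry
        self.auth_logs = deque()      # stands in for the invalid-login history table

    def _entry(self, ip):
        rec = self.cache.get(ip)
        if rec and rec[1] > self.clock():
            return rec
        self.cache.pop(ip, None)      # expired: behaves like a cache eviction
        return None

    def on_bad_login(self, ip, username):
        """cbadmin_onBadLogin handler: bump the counter and record the attempt."""
        if not self.s["cb_security_login_blocker"]:
            return 0
        rec = self._entry(ip)
        count = (rec[0] if rec else 0) + 1
        # Re-setting the cache entry refreshes its timeout, so the block window is
        # measured from the most recent bad attempt.
        self.cache[ip] = (count, self.clock() + self.s["cb_security_blocktime"] * 60)
        self.auth_logs.append({"ip": ip, "username": username, "at": self.clock()})
        if len(self.auth_logs) >= self.s["cb_security_max_auth_logs"]:
            self.auth_logs.clear()    # "truncate the table" once the cap is reached
        return count

    def pre_login(self, ip):
        """cbadmin_preLogin handler: True allows the login, False means relocate with a message."""
        if not self.s["cb_security_login_blocker"]:
            return True
        rec = self._entry(ip)
        return rec is None or rec[0] < self.s["cb_security_max_attemps"]
```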

Andy is working on it; it will be finished next week.

I have finished it:

can you merge it into your branch?

Thanks, will start checking.

Wow. Guys it looks great. I will start merging and updating for this week.

Also, I am at a point that I want to close down the release 2.1.0 and focus on 3.0.0. Can you guys check Jira for any features or issues that we need to resolve now in this 2.1 release?

Also, as FYI, 3.0.0 will be all about migrating to the new skin and ColdBox 4. This will rework the internals to modularize everything to be more manageable.

3.1.0 I want to focus on a migration of the UI to angularJS. Thoughts on this?

Luis Majano

Do you need the power of a JS MVC framework when the Application is already MVC?

The push is to make ContentBox’s API available via JSON via the RESTful service we have already. This way we can have one internal API that can power the interface and our future mobile applications also in development. So trying to consolidate technologies and not reinvent the wheel on various areas.

Plus, we have had great success with our Angular JS applications.

Luis Majano

But how does AngularJS fit into the API, it is a front end tier. Unless you’re planning on this for the Administration / Dashboard side of ContentBox.

Yes, you got it. Just for the Admin

Luis Majano

Luis,

When you move to angularJS, I would highly recommend using the data attributes (i.e., data-ng-app) instead of ng-app. That way the HTML will validate per the W3C.

  • Steve Beauvais

Gracias big daddy

Hi Luis,

I think it is a good idea to move to Angular.

Luis, do you have an estimated timeline to when you think 3.0 will be rolled out?

Our timeline is to have something by Into The Box (www.intothebox.org)

Luis Majano

Great! Thanks, Luis!