[core] delay response to http auth invalid creds

server.feature-flags += ("auth.delay-invalid-creds" => "enable")

The default is enabled.  This feature delays the response to a failed http auth
attempt (invalid username or password) until the next second boundary, i.e. by up to 1 sec.
Delaying the response greatly reduces the efficiency of brute force
password attacks, limiting tries to one-per-second per connection.
Limiting the number of client connections allowed by lighttpd with
server.max-connections sets an upper bound on password tries per second,
but also makes it easier for an attacker to DoS (denial of service) the
server.  Therefore, while this mitigation is enabled by default, it can
be disabled with
  server.feature-flags += ("auth.delay-invalid-creds" => "disable")
master
Glenn Strauss 8 months ago
parent fbade1850f
commit c183b8875b
  1. 1
      src/connections.c
  2. 14
      src/response.c
  3. 3
      src/response.h

@ -1206,6 +1206,7 @@ connection_request_end_h2 (request_st * const h2r, connection * const con)
if (h2r->keep_alive >= 0) {
h2r->keep_alive = -1;
h2_send_goaway(con, H2_E_NO_ERROR);
http_response_delay(con);
}
else /*(abort connection upon second request to close h2 connection)*/
h2_send_goaway(con, H2_E_ENHANCE_YOUR_CALM);
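Review bot: The added `http_response_delay(con)` stalls the whole HTTP/2 connection (it clears con->is_writable per the response.c hunk), so the GOAWAY and any output still pending on other streams of that connection are held back too, not just the failed-auth stream; whether this branch is reached only for invalid-credential responses depends on who sets h2r->keep_alive < 0, which is outside this hunk. That side effect deserves a line here, e.g. `/* delay GOAWAY (and any pending stream output on con) to slow brute-force creds attempts */`. connection_request_end_h2 begins before this hunk.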

@ -27,6 +27,18 @@
#include <string.h>
__attribute_cold__
void
http_response_delay (connection * const con)
{
if (config_feature_bool(con->srv, "auth.delay-invalid-creds", 1)){
/*(delay sending response)*/
con->is_writable = 0;
con->traffic_limit_reached = 1;
}
}
int
http_response_omit_header (request_st * const r, const data_string * const ds)
{
@ -97,6 +109,8 @@ http_response_write_header (request_st * const r)
&& r->http_version == HTTP_VERSION_1_1) {
http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("upgrade"));
} else if (r->keep_alive <= 0) {
if (r->keep_alive < 0)
http_response_delay(r->con);
http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("close"));
} else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive > 0)*/
http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("keep-alive"));
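Review bot: http_response_delay implements the delay by borrowing con->traffic_limit_reached with no comment on why that bounds the delay to one second; the bound presumably comes from the periodic traffic-shaping reset that clears the flag, and if that reset ever only covers rate-limited connections this becomes an indefinite stall, so note the dependency, e.g. `/* piggyback on traffic limiting: flag is cleared by the once-per-second reset, so the response is held at most ~1 sec */`. In http_response_write_header the trigger is simply `r->keep_alive < 0`, so any other path that sets -1 is delayed as well; if that is intended, say so next to the call, since the feature name suggests auth only. Minor style: `1)){` in the config_feature_bool line should read `1)) {` to match the file. http_response_write_header begins and ends outside this hunk.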

@ -58,6 +58,9 @@ void http_response_backend_error (request_st *r);
void http_response_upgrade_read_body_unknown(request_st *r);
int http_response_transfer_cqlen(request_st *r, struct chunkqueue *cq, size_t len);
__attribute_cold__
void http_response_delay(connection *con);
__attribute_cold__
int http_response_omit_header(request_st *r, const data_string *ds);
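Review bot: The new prototype for http_response_delay carries no description, while the behavior (stalling the whole connection, gated by a feature flag) is not obvious from the name; add a comment above it such as `/* hold response on con until next sec (feature "auth.delay-invalid-creds"; used after bad auth creds) */`.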
