Version: 7.x-35.0.0
Community

Preventing brute force attacks

In order to secure your cluster against brute force attacks, Search Guard can limit the number of login attempts by IP or by username.

After Search Guards detects more than n failed login attempts withing a specific timeframe on a node, no more login attempts are possible for the client IP or the username.

Limit login attempts by IP

To limit the number of allowed login attempts by client IP, configure rate limiting in sg_config.ymllike:

sg_config:
  dynamic:
    http:
      ...
    authc:
      ...
    authz:
      ...
    auth_failure_listeners:
      ip_rate_limiting:
        type: ip
        allowed_tries: 10
        time_window_seconds: 3600
        block_expiry_seconds: 600
        max_blocked_clients: 100000
        max_tracked_clients: 100000

These setting limit failed authentication requests by client IP. The limiting is independed of the used authentication backend.

Name Description
type ip, limit failed authentication requests by client IP
allowed_tries After the number of allowed tries within the time window specified by time_window_seconds, the client IP will be blocked for the time specified by block_expiry_seconds. Note that increasing this number increases heap usage.
time_window_seconds The time window to consider for allowed_tries.
block_expiry_second Blocks will be released again after this time.
max_blocked_clients Maximum number of blocked clients. Limits heap usage to avoid DOS.
max_tracked_clients Maximum number of tracked clients with login failures. Limits heap usage to avoid DOS.

Limit login attempts by username and authentication backend

To limit login attempts by username and authentication backend, configure rate limiting in sg_config.ymllike:

internal_authentication_backend_limiting:
  type: username
  authentication_backend: internal        
  allowed_tries: 10
  time_window_seconds: 3600
  block_expiry_seconds: 600
  max_blocked_clients: 100000
  max_tracked_clients: 100000

These setting limit failed authentication requests by username and authentication backend.

Name Description
type username, limit failed authentication requests by username and authentication backends
authentication_backend the authentication backend to apply limiting to.
allowed_tries After the number of allowed tries within the time window specified by time_window_seconds, the client IP will be blocked for the time specified by block_expiry_seconds. Note that increasing this number increases heap usage.
time_window_seconds The time window to consider for allowed_tries.
block_expiry_second Blocks will be released again after this time.
max_blocked_clients Maximum number of blocked clients. Limits heap usage to avoid DOS.
max_tracked_clients Maximum number of tracked clients with login failures. Limits heap usage to avoid DOS.

Supporte authentication backends

Backend Description
internal The internal user database
ldap LDAP / Active Directoy

Limitations

Failed login attempts are tracked on each node separately and are not synchronized across the cluster.


Not what you were looking for? Try the search.