ogulman
November 22, 2019, 2:34pm
There is no documentation that describes how to configure auth_failure_listeners; with the demo configuration it didn’t work:
auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 10
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: intern
    allowed_tries: 10
    time_window_seconds: 3600
    block_expiry_seconds: 600
    max_blocked_clients: 100000
    max_tracked_clients: 100000
Please share knowledge about it, thanks.
@ogulman Did you get this resolved? If not which version of odfe are you using?
@Anthony No, I’ve not. odfe 1.7
@ogulman I just tested it with this version and it works as expected.
authz:
  ....
auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    allowed_tries: 3
    time_window_seconds: 3600
    block_expiry_seconds: 20
    max_blocked_clients: 100000
    max_tracked_clients: 100000
  internal_authentication_backend_limiting:
    type: username
    authentication_backend: internal
    allowed_tries: 3
    time_window_seconds: 3600
    block_expiry_seconds: 20
    max_blocked_clients: 100000
    max_tracked_clients: 100000
Try using the above in config.yml, and don’t forget to upload the new configuration using the securityadmin.sh script. Then enter the wrong password for the admin user 5 times, then enter the correct password - it should fail until block_expiry_seconds is reached.
If that doesn’t work, can you describe the behaviour you are seeing?
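The test described in the reply above, as an added example that is not part of the thread or of the security plugin's code: a simplified Python model of how the two listener types track failures and block logins. It assumes a block starts once allowed_tries failures fall inside time_window_seconds; the class, function names and sample IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class FailureListener:
    """Simplified model of one auth_failure_listeners entry (assumption, not plugin code)."""
    type: str                  # "ip" or "username": the attribute that is tracked
    allowed_tries: int
    time_window_seconds: int
    block_expiry_seconds: int
    failures: dict = field(default_factory=dict)       # key -> times of failed logins
    blocked_until: dict = field(default_factory=dict)  # key -> time the block ends

    def key(self, ip, username):
        return ip if self.type == "ip" else username

    def is_blocked(self, ip, username, now):
        return now < self.blocked_until.get(self.key(ip, username), 0)

    def record_failure(self, ip, username, now):
        k = self.key(ip, username)
        # Keep only failures that are still inside the sliding time window.
        recent = [t for t in self.failures.get(k, []) if now - t < self.time_window_seconds]
        recent.append(now)
        self.failures[k] = recent
        if len(recent) >= self.allowed_tries:
            self.blocked_until[k] = now + self.block_expiry_seconds
            self.failures[k] = []


def login(listeners, ip, username, password_ok, now):
    """Return True if the request is authenticated, False if it is rejected."""
    if any(lst.is_blocked(ip, username, now) for lst in listeners):
        return False  # blocked: even the correct password is refused
    if password_ok:
        return True
    for lst in listeners:
        lst.record_failure(ip, username, now)
    return False


def replay_thread_test():
    """Constructed scenario with the values from the reply (3 tries, 20 s block)."""
    listeners = [FailureListener("ip", 3, 3600, 20),
                 FailureListener("username", 3, 3600, 20)]
    ip, user = "192.0.2.10", "admin"          # constructed sample client
    for second in range(3):                    # wrong passwords at t=0, 1, 2
        login(listeners, ip, user, False, now=second)
    during = login(listeners, ip, user, True, now=10)            # correct password, still blocked
    other_ip = login(listeners, "192.0.2.11", user, True, now=10)  # username block follows the account
    after = login(listeners, ip, user, True, now=23)             # block from t=2 ended at t=22
    return during, other_ip, after
```

In this model the username listener also rejects the legitimate admin from a different address while the block lasts, which is the lockout side effect to weigh when choosing allowed_tries and block_expiry_seconds for type: username.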
Starting from 1.0.*, odfe saves settings into an index, and if I run securityadmin.sh, it will overwrite all my settings that were made from the UI.
Currently, I don’t know how to deal with it.
@ogulman You can extract/backup the current settings in the index using the -r (--retrieve) option with the securityadmin.sh script:
./securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -icl -nhnv -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/kirk.pem -key /usr/share/elasticsearch/config/kirk-key.pem -h localhost -r
You can then update the config with the necessary details and upload it using the same command without the “-r” option.
Make sure to try this on a dev environment first.