MDL-66134

$CFG->notifyloginthreshold can bother admins unnecessarily if several users are behind NAT


    Details

    • Type: Improvement
    • Status: Waiting for peer review
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.7
    • Fix Version/s: None
    • Component/s: User management
    • Testing Instructions:
      1. Test upgrade step
        1. Prepare a Moodle instance where this patch is not yet applied
        2. Login as admin
        3. Go to Site administration -> Security -> Notifications
        4. Set $CFG->notifyloginthreshold to 3 (which is different from the default)
        5. Apply this patch
        6. Run the DB upgrade wizard
        7. Notice that there are two new settings $CFG->notifyloginthresholduser and $CFG->notifyloginthresholdip announced
        8. Verify that both settings have the value 3 (and not 10 which is the default)
      2. Prerequisites for all following tests
        1. Make sure that your Moodle instance is able to send emails
        2. In /lib/classes/task/send_failed_login_notifications_task.php, you have to remove a small piece of code temporarily. Otherwise, you would have to wait 1 hour between each of the following tests. Change line https://github.com/abias/moodle/blob/3d6a5deca2bca0b8ca2bf32b027eafde3d576b54/lib/classes/task/send_failed_login_notifications_task.php#L63 which currently says

           if (((time() - HOURSECS) < $CFG->lastnotifyfailure) || !is_array($recip) || count($recip) <= 0) {

           to

           if (!is_array($recip) || count($recip) <= 0) {

        3. Login as admin
        4. Verify that $CFG->notifyloginthresholduser and $CFG->notifyloginthresholdip are still set to 3
        5. Disable the scheduled task \core\task\send_failed_login_notifications_task (so that it is not run automatically by cron)
        6. Create 4 users
      3. Test failed login notification for a single user which does not exceed the threshold
        1. Open two browser tabs A and B
        2. Choose tab A
        3. Login as admin
        4. Choose tab B
        5. Try to log in with one user 2 times, but use wrong credentials every time
        6. Choose tab A
        7. Run the \core\task\send_failed_login_notifications_task task manually
        8. Verify that you did not receive a failed login notification mail at the admin's email address
      4. Test failed login notification for a single user which does exceed the threshold
        1. Open two browser tabs A and B
        2. Choose tab A
        3. Login as admin
        4. Choose tab B
        5. Try to log in with one user 4 times, but use wrong credentials every time
        6. Choose tab A
        7. Run the \core\task\send_failed_login_notifications_task task manually
        8. Verify that you did receive a failed login notification mail at the admin's email address which contains a report of 4 failed logins from one user
      5. Test failed login notification for a single IP which does not exceed the threshold
        1. Open two browser tabs A and B
        2. Choose tab A
        3. Login as admin
        4. Choose tab B
        5. Try to log in with 2 different users with wrong credentials, with only one attempt per user
        6. Choose tab A
        7. Run the \core\task\send_failed_login_notifications_task task manually
        8. Verify that you did not receive a failed login notification mail at the admin's email address
      6. Test failed login notification for a single IP which does exceed the threshold
        1. Open two browser tabs A and B
        2. Choose tab A
        3. Login as admin
        4. Choose tab B
        5. Try to log in with 4 different users with wrong credentials, with only one attempt per user
        6. Choose tab A
        7. Run the \core\task\send_failed_login_notifications_task task manually
        8. Verify that you did receive a failed login notification mail at the admin's email address which contains a report of 4 failed logins from 4 users
      7. Test failed login notification for a mixed set of IPs and users which does not exceed the individual thresholds
        1. Get two devices which are talking to Moodle from different IPs
        2. On the first device, open two browser tabs A and B
        3. Choose tab A
        4. Login as admin
        5. Choose tab B
        6. Try to log in with one user 2 times, but use wrong credentials every time
        7. On the second device, just open one tab
        8. Try to log in with another user 2 times, but use wrong credentials every time
        9. On the first device, choose tab A
        10. Run the \core\task\send_failed_login_notifications_task task manually
        11. Verify that you did not receive a failed login notification mail at the admin's email address
    • Affected Branches:
      MOODLE_37_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-66134-master

      Description

      Steps to reproduce:

      • Login as admin
      • Set $CFG->notifyloginfailures to your admin account
      • Leave $CFG->notifyloginthreshold set to 10 which is the default
      • Create 11 user accounts in Moodle
      • Get 11 devices which are talking to Moodle through a NAT router
      • On each of these devices, make one login attempt with one of the user accounts using wrong credentials, so that no user account is attempted twice.

      Expected result:

      • You will not be logged into Moodle with any of the user accounts
      • As admin, you will not be notified about these single login failures

      Actual result:

      • You will not be logged into Moodle with any of the user accounts
      • As admin, you will get an email about the fact that there were more than 10 login failures

      Interpretation:

      • As admin, I want to be informed if there is a high number of login failures. Currently, Moodle informs me if the configured login failure threshold is exceeded for the same user or for the same source IP.
      • For login failures from the same user, 10 is a good value which should trigger a notice to the admin.
      • At the same time, for login failures from the same IP (as is the case with users connecting over NAT), 10 is really low and will trigger too many false alarm emails. If one of the users behind the NAT router runs a brute force attack on more than one account, I do not want to be notified before a larger number of login failures, such as 100.
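As an added example (not Moodle's code and not the patch attached to this issue), the PHP below models the per-user and per-IP evaluation the report describes and runs the NAT scenario from the steps above once with a single threshold for both dimensions and once with the proposed split thresholds. The record format, the sample IP and the assumption that a count equal to the threshold already triggers are constructed for this illustration.

```php
<?php
// Added example, not Moodle's own implementation: counts failed logins per
// user and per source IP and reports which of them reach their threshold.
// Record format ['username' => ..., 'ip' => ...] is constructed for this demo.

/**
 * @param array $failures   list of ['username' => string, 'ip' => string]
 * @param int   $thresholduser  threshold for failures from the same user
 * @param int   $thresholdip    threshold for failures from the same source IP
 * @return array ['users' => [name => count], 'ips' => [ip => count], 'notify' => bool]
 */
function evaluate_failed_logins(array $failures, int $thresholduser, int $thresholdip): array {
    $byuser = [];
    $byip = [];
    foreach ($failures as $f) {
        $byuser[$f['username']] = ($byuser[$f['username']] ?? 0) + 1;
        $byip[$f['ip']] = ($byip[$f['ip']] ?? 0) + 1;
    }
    // Assumption: a count that reaches the threshold is reported (>=).
    $users = array_filter($byuser, fn($n) => $n >= $thresholduser);
    $ips = array_filter($byip, fn($n) => $n >= $thresholdip);
    return ['users' => $users, 'ips' => $ips, 'notify' => !empty($users) || !empty($ips)];
}

// Constructed sample: 11 distinct users behind one NAT address (203.0.113.5 is
// documentation address space), one wrong password each, as in the report.
function nat_sample(): array {
    $failures = [];
    for ($i = 1; $i <= 11; $i++) {
        $failures[] = ['username' => "user$i", 'ip' => '203.0.113.5'];
    }
    return $failures;
}

$sample = nat_sample();

// Single threshold of 10 applied to both dimensions: no user has more than one
// failure, but the shared IP has 11, so the admin is mailed.
$legacy = evaluate_failed_logins($sample, 10, 10);

// Split thresholds (user 10, IP 100): neither dimension reaches its limit.
$split = evaluate_failed_logins($sample, 10, 100);

printf("single threshold notifies: %s, split thresholds notify: %s\n",
    $legacy['notify'] ? 'yes' : 'no', $split['notify'] ? 'yes' : 'no');
```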

            People

            • Assignee: Alexander Bias (abias)
            • Reporter: Alexander Bias (abias)
            • Participants:
            • Component watchers: Amaia Anabitarte, Bas Brands, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón