authorGlenn Strauss <gstrauss@gluelogic.com>2020-01-07 01:14:12 -0500
committerGlenn Strauss <gstrauss@gluelogic.com>2020-01-26 00:41:05 -0500
commit8bddac9263aec30a214bc81b3f8f771944ede428 (patch)
tree525bf6fe7af19c2dc6e53356c33568af72d5b65a
parentfce489b806d82b7c8d59a44e7e394c4aeba8448a (diff)
downloadlighttpd-1.x-8bddac9263aec30a214bc81b3f8f771944ede428.tar.gz
lighttpd-1.x-8bddac9263aec30a214bc81b3f8f771944ede428.zip
[mod_auth] close connection after bad password
This mitigation slows down brute-force password attacks. x-ref: "Possible feature: authentication brute force hardening" https://redmine.lighttpd.net/boards/3/topics/8885
-rw-r--r--src/mod_auth.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c
index 2a7bcea8..e9790538 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -601,6 +601,7 @@ static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, c
case HANDLER_ERROR:
default:
log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
+ con->keep_alive = 0; /*(disable keep-alive if bad password)*/
rc = HANDLER_UNSET;
break;
}
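Review bot: The added comment on the `con->keep_alive = 0;` line says what the line does but not why the connection is dropped, which is the whole point of this commit; the same comment recurs in the third hunk of this file. Suggest `con->keep_alive = 0; /* close after a bad password: each further guess then costs a new TCP (and TLS) handshake, which slows brute force */`. Note also that this `case HANDLER_ERROR: default:` arm is reached for any non-matching return from the backend check, so the close (and the pre-existing "password doesn't match" log line) presumably also fires on a backend failure rather than only on a wrong password; that is probably acceptable, but worth a word in the comment. mod_auth_check_basic's body continues outside the hunk.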
@@ -1122,6 +1123,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
return HANDLER_FINISHED;
case HANDLER_ERROR:
default:
+ con->keep_alive = 0; /*(disable keep-alive if unknown user)*/
buffer_free(b);
return mod_auth_send_401_unauthorized_digest(srv, con, require, 0);
}
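Review bot: This arm closes the connection without logging the attempt, whereas the bad-password arms in the other two hunks call log_error_write with the client IP (con->dst_addr_buf) before returning; a sweep of unknown usernames would therefore leave no trace in mod_auth's own log unless the backend logs it. Consider adding a log_error_write naming con->uri.path and con->dst_addr_buf ahead of the new line, mirroring the first hunk, so that unknown-user probes are as visible as wrong-password ones. Separately, `default:` here also absorbs `HANDLER_ERROR`, which presumably covers a backend failure as well as an unknown user, so `/*(disable keep-alive if unknown user)*/` is narrower than the code; `/*(disable keep-alive if unknown user or backend error)*/` would describe the branch accurately. mod_auth_check_digest's body continues outside the hunk.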
@@ -1132,6 +1134,7 @@ static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d,
/* digest not ok */
log_error_write(srv, __FILE__, __LINE__, "sssB",
"digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf);
+ con->keep_alive = 0; /*(disable keep-alive if bad password)*/
buffer_free(b);
return mod_auth_send_401_unauthorized_digest(srv, con, require, 0);