I just upgraded the vault server (with slight difficulty) from 2.0.1 to 2.0.6. Version 2.0.1 fired some exceptions when I'd start up the admin tool on the server (Windows 2000). It also choked when I tried saving settings made on the "Server Options" tab. The new version seems to have resolved this, however I'm not convinced that a certain feature is working.
Although I've found documentation in a few places that discusses the "Login Delay Threshold" feature, my understanding is that it prevents repeated attempts with a single username and sets a time to lock out that username. If this is indeed the case, I can't seem to get vault to lock me out. I set the delay threshold to 3 attempts and 3600 seconds. Based on the limited documentation I have found, this says to me that I can try 1 username 3 times every hour.
First I attempted to log in with my regular username and an incorrect password three times. On the fourth try, the vault client (2.0.6) just hung. I tried a couple times with the same result. I even looked at the SQL table that holds login attempts and verified that records were being added for all 4 attempts. After restarting the client I attempted again with the same user name and correct password. This succeeded and I saw the records get cleared out in the login attempts table.
I then realized that I was using a username that belongs to the admin group. Thinking that being in the admin group might override this delay threshold (though hoping that this wasn't the case) I tried with a limited access user name. Same results.
What's the story with this feature? Does it work? Am I understanding how to use it correctly?
Login delay threshold bug?
geekdork:
This feature is used to help slow down dictionary based attacks for any given login.
Basically, for every invalid login attempt (regardless of Admin account / Admin group membership) which is greater than vault.config's [DelayThreshold], the server will not return until [DelayDurationSeconds] have elapsed. In effect, this stalls any invalid logins after the threshold has been hit. The counter does not reset until the user gets in a valid login.
In your case, after the 3rd invalid login attempt, the server purposely introduces a 3600 second delay before it returns a value from the login attempt. The client isn't really hung, it is waiting for the server to return from the configured 1 hour delay.
HTH
Jeff Clausius
SourceGear
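To make the behaviour Jeff describes concrete, here is a small model of the per-username delay threshold, written as an added example for this thread (it is not SourceGear's code and does not reflect Vault's actual implementation). The names `LoginThrottle`, `delay_threshold` and `delay_duration_seconds` are assumptions chosen to mirror the `[DelayThreshold]` and `[DelayDurationSeconds]` settings from vault.config; the usernames and passwords are constructed. Instead of actually sleeping, `login` returns the delay the server would impose, so the 3-attempts / 3600-seconds scenario from the original post can be replayed instantly and the "hung client" on the fourth attempt shows up as a 3600-second stall.

```python
"""Model of a per-username login delay threshold (added example, not Vault's code)."""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Counts failed logins per username and stalls every failure past the threshold.

    Mirrors the behaviour described in the thread:
      * admin group membership makes no difference;
      * every invalid attempt whose running count exceeds delay_threshold is
        held for delay_duration_seconds before the server answers;
      * the counter is only cleared by a successful login.
    """
    delay_threshold: int = 3            # assumed name for [DelayThreshold]
    delay_duration_seconds: int = 3600  # assumed name for [DelayDurationSeconds]
    failed_attempts: dict = field(default_factory=dict)

    def login(self, username: str, password_ok: bool) -> tuple:
        """Return (success, delay_seconds) for one login attempt.

        delay_seconds is how long the server would withhold its response;
        a real server would sleep here, which is what the client sees as a hang.
        """
        if password_ok:
            # A valid login clears the failure records for that username.
            self.failed_attempts.pop(username, None)
            return True, 0
        count = self.failed_attempts.get(username, 0) + 1
        self.failed_attempts[username] = count
        # Attempts 1..threshold fail immediately; attempt threshold+1 onwards stalls.
        delay = self.delay_duration_seconds if count > self.delay_threshold else 0
        return False, delay


def replay_thread_scenario() -> list:
    """Replay the original poster's test: 3 wrong passwords, a 4th wrong one, then the right one.

    Returns the list of (success, delay_seconds) tuples in order.
    """
    throttle = LoginThrottle(delay_threshold=3, delay_duration_seconds=3600)
    user = "constructed_user"  # constructed sample username
    results = []
    for _ in range(3):
        results.append(throttle.login(user, password_ok=False))  # fail fast
    results.append(throttle.login(user, password_ok=False))      # 4th: stalled 3600 s
    results.append(throttle.login(user, password_ok=True))       # correct password: succeeds, counter reset
    return results


def admin_not_exempt() -> bool:
    """Show that an 'admin' account is throttled exactly like any other username."""
    throttle = LoginThrottle(delay_threshold=3, delay_duration_seconds=3600)
    admin = "constructed_admin"  # constructed sample username
    delays = [throttle.login(admin, password_ok=False)[1] for _ in range(4)]
    return delays == [0, 0, 0, 3600]


if __name__ == "__main__":
    for i, (ok, delay) in enumerate(replay_thread_scenario(), start=1):
        print(f"attempt {i}: success={ok} server_delay={delay}s")
```

Reading the output against the thread: attempts 1 to 3 fail with no delay, attempt 4 is the one that looks like a hang because the server holds the response for the full hour, and the correct password afterwards succeeds straight away and empties the failure count, which matches the rows the poster saw disappear from the login attempts table.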
Fortress 1.1.2.18185
It now seems to work with an iisreset; but as you can see in the logs there were plenty of failed connections without delay. It was with the new values (even the default ones should fail after 3 logins).
I've also tried from different computers, maybe this explains why this is not taken into account.
Attachment: sgvault.txt (Vault log file, look for user Nadine)