| author | Glenn Strauss <gstrauss@gluelogic.com> | 2022-04-20 14:52:52 -0400 |
|---|---|---|
| committer | Glenn Strauss <gstrauss@gluelogic.com> | 2022-05-05 13:35:18 -0400 |
| commit | c183b8875b4b0daa7cbc4b7dbf91cb46b1e87e69 (patch) | |
| tree | d666ff0713fa1f925f0289a8f0a65a9ffb7f80b7 /src/connections.c | |
| parent | fbade1850f5ceffdb2cf4c561fa44f73093a484d (diff) | |
| download | lighttpd-git-c183b8875b4b0daa7cbc4b7dbf91cb46b1e87e69.tar.gz | |
[core] delay response to http auth invalid creds
server.feature-flags += ("auth.delay-invalid-creds" => "enable")
The default is enabled. This feature delays a response to bad http auth
(invalid username or password) to the next second, so up to 1 sec delay.
Delaying the response greatly reduces the efficiency of brute force
password attacks, limiting tries to one-per-second per connection.
Limiting the number of client connections allowed by lighttpd with
server.max-connections sets an upper bound on password tries per second,
but also makes it easier for an attacker to DoS (denial of service) the
server. Therefore, while this mitigation is enabled by default, it can
be disabled with
server.feature-flags += ("auth.delay-invalid-creds" => "disable")
Diffstat (limited to 'src/connections.c')
-rw-r--r-- | src/connections.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/connections.c b/src/connections.c index 8cd2054c..f5d7a1e2 100644 --- a/src/connections.c +++ b/src/connections.c @@ -1206,6 +1206,7 @@ connection_request_end_h2 (request_st * const h2r, connection * const con) if (h2r->keep_alive >= 0) { h2r->keep_alive = -1; h2_send_goaway(con, H2_E_NO_ERROR); + http_response_delay(con); } else /*(abort connection upon second request to close h2 connection)*/ h2_send_goaway(con, H2_E_ENHANCE_YOUR_CALM); |
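Review bot: the new `http_response_delay(con);` call sits on the unconditional `h2r->keep_alive >= 0` path of `connection_request_end_h2`, right after `h2_send_goaway(con, H2_E_NO_ERROR);`, and nothing in this hunk ties it to an invalid-credentials response or to the `auth.delay-invalid-creds` feature flag described in the commit message. If `http_response_delay()` itself checks a per-connection state that mod_auth sets on bad credentials (and returns immediately otherwise), a one-line comment at the call site saying so would spare the next reader from wondering whether every graceful h2 shutdown now pays up to a one-second delay; if it does not, the call should be gated on that state here. The `else` branch (second request to close the h2 connection) sends `H2_E_ENHANCE_YOUR_CALM` without the delay, which matches the per-connection intent, but a short note in the commit message on why only the first graceful close is delayed would make that asymmetry deliberate rather than incidental.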