Ability to alert when we get a sudden increase in bad passwords for privileged accounts, to possibly detect password brute-forcing
Open, Needs TriagePublic


Login failures are stored in various places. We should be able to alert when the number of failures suddenly increases, as we would typically see for password brute forcing.

Failed password attempts for privileged accounts are logged in elastic search. Yelp uses elastic search and elastalert (https://github.com/yelp/elastalert) to detect brute forcing, we could do similar.

In response to the alert, we can start with alerting the security team / ops. If the alerts look reliable, we can add alerting for the account being brute forced. If that appears to reliably detect brute-forcing, we could in the future automatically block the IP from logging in for a short period of time.

csteipp created this task.Jan 11 2016, 5:20 PM
csteipp updated the task description. (Show Details)
csteipp raised the priority of this task from to Needs Triage.
csteipp added a project: Security-Team.
csteipp added a subscriber: csteipp.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptJan 11 2016, 5:20 PM
ori added a subscriber: ori.Apr 24 2016, 6:00 PM

T193769 may be a good example

Change 464077 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Move auth logging to different channels for easier counting