
Ability to alert when we get a sudden increase in bad passwords for privileged accounts
Open, Needs Triage, Public

Description

Login failures are stored in various places. We should be able to alert when the number of failures suddenly increases, as we would typically see for password brute forcing.

Failed password attempts for privileged accounts are logged in Elasticsearch. Yelp uses Elasticsearch and ElastAlert (https://github.com/yelp/elastalert) to detect brute forcing; we could do something similar.

In response to the alert, we can start with alerting the security team / ops. If the alerts look reliable, we can add alerting for the account being brute forced. If that appears to reliably detect brute-forcing, we could in the future automatically block the IP from logging in for a short period of time.
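The detection the description asks for, as an added example that is not code from this task, from MediaWiki or from ElastAlert: it mirrors the idea of ElastAlert's "spike" rule (count events in a current window, compare against the preceding reference window) in plain Python over constructed, newline-delimited JSON login-failure events. The field names (`@timestamp`, `event`, `username`, `groups`, `ip`), the privileged group list, the window size and the thresholds are all assumptions chosen for the example, not the channels or settings of the real logging.

```python
"""Spike detection over failed logins for privileged accounts.

Added example (not from the task, MediaWiki or ElastAlert). It applies the
ElastAlert "spike" idea by hand: alert when an account's failures in the
current window are both above an absolute floor and several times the
count in the window just before it.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Assumed set of groups that count as "privileged" for this example.
PRIVILEGED_GROUPS = {"sysop", "bureaucrat", "steward", "checkuser", "oversight"}


def parse_events(text):
    """Parse one JSON document per line; lines that are not valid JSON, or lack
    a usable @timestamp, are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
            doc["ts"] = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        events.append(doc)
    return events


def failures_per_account(events, lo, hi, privileged_groups):
    """Count login_failed events per username for privileged accounts with lo < ts <= hi."""
    counts = Counter()
    for e in events:
        if e.get("event") != "login_failed":
            continue
        if not privileged_groups.intersection(e.get("groups", [])):
            continue  # unprivileged accounts are out of scope for this alert
        if lo < e["ts"] <= hi:
            counts[e["username"]] += 1
    return counts


def detect_spikes(text, privileged_groups=PRIVILEGED_GROUPS, window=timedelta(minutes=10),
                  spike_height=3.0, threshold_cur=10, now=None):
    """Return one alert dict per account whose failures spiked in the last window.

    An account alerts when current >= threshold_cur (absolute floor, so a jump
    from 0 to 2 is ignored) and current >= spike_height * max(reference, 1).
    """
    events = parse_events(text)
    if not events:
        return []
    if now is None:
        now = max(e["ts"] for e in events)  # evaluate as of the newest event
    cur = failures_per_account(events, now - window, now, privileged_groups)
    ref = failures_per_account(events, now - 2 * window, now - window, privileged_groups)
    alerts = []
    for user, n_cur in sorted(cur.items()):
        n_ref = ref.get(user, 0)
        if n_cur >= threshold_cur and n_cur >= spike_height * max(n_ref, 1):
            alerts.append({"username": user, "current": n_cur, "reference": n_ref,
                           "window_end": now.isoformat()})
    return alerts


# Constructed sample log: timestamps relative to an arbitrary base, RFC 5737
# documentation addresses, and field names assumed for the example.
_BASE = datetime(2016, 1, 11, 12, 0, tzinfo=timezone.utc)


def _line(minute, username, groups, ip, event="login_failed"):
    return json.dumps({
        "@timestamp": (_BASE + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": event, "username": username, "groups": groups, "ip": ip,
    })


SAMPLE_LOG = "\n".join(
    [_line(2, "Admin", ["sysop"], "198.51.100.7"),          # reference window: 2 failures
     _line(7, "Admin", ["sysop"], "198.51.100.7"),
     _line(3, "Steward", ["steward"], "203.0.113.5"),       # Steward: 1 ref, 2 cur -> no alert
     _line(12, "Steward", ["steward"], "203.0.113.5"),
     _line(16, "Steward", ["steward"], "203.0.113.5"),
     _line(15, "Admin", ["sysop"], "198.51.100.7", event="login_success")]  # ignored
    + [_line(m, "Admin", ["sysop"], "198.51.100.9")          # current window: 12 failures
       for m in (11, 12, 12, 13, 14, 14, 15, 16, 17, 18, 19, 20)]
    + [_line(m, "Bob", [], "192.0.2.4") for m in range(11, 21)]  # not privileged
    + ["this line is not JSON and is skipped"]
)

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_LOG):
        print(alert)
```

Run on the constructed log, only `Admin` alerts (12 failures in the current 10-minute window against 2 in the reference window); `Steward` stays under the absolute floor, and `Bob` is never counted because the account holds no privileged group. The absolute floor is what keeps a single mistyped password from paging anyone, which matters for the staged rollout the description proposes (security team first, then the account holder).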

Event Timeline

csteipp created this task. Jan 11 2016, 5:20 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a project: Security-Team.
csteipp added a subscriber: csteipp.
Restricted Application added subscribers: StudiesWorld, Aklapper. Jan 11 2016, 5:20 PM
ori added a subscriber: ori. Apr 24 2016, 6:00 PM

T193769 may be a good example

Change 464077 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Move auth logging to different channels for easier counting

https://gerrit.wikimedia.org/r/464077

Change 464077 merged by jenkins-bot:
[operations/mediawiki-config@master] Move auth logging to different channels for easier counting

https://gerrit.wikimedia.org/r/464077

Mentioned in SAL (#wikimedia-operations) [2018-11-01T00:05:47Z] <tgr@deploy1001> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:464077|Move auth logging to different channels for easier counting (T150300, T123243)]] (duration: 00m 53s)

Mentioned in SAL (#wikimedia-operations) [2018-11-01T00:07:13Z] <tgr@deploy1001> Synchronized wmf-config/CommonSettings.php: SWAT: [[gerrit:464077|Move auth logging to different channels for easier counting (T150300, T123243)]] (duration: 00m 53s)

chasemp renamed this task from "Ability to alert when we get a sudden increase in bad passwords for privileged accounts, to possibly detect password brute-forcing" to "Ability to alert when we get a sudden increase in bad passwords for privileged accounts". Dec 20 2018, 8:46 PM
chasemp edited projects, added User-chasemp; removed Patch-For-Review.