Logging of failed login attempts

Development & Technical discussion about Timekoin.
PoisonWolf
Posts: 186
Joined: Fri Apr 12, 2013 10:39 am

Logging of failed login attempts

Post by PoisonWolf »

One thing that has always been a concern to me is the fact that Timekoin keeps a log, in clear text, of failed login attempts, including both the username and password that were attempted. What do you guys think about this particular feature?

On one hand, one advantage of doing this is the fact that you can see if someone is trying to bruteforce your node. On the other hand, I'm wondering if this is safe if you're checking your node in a public place and someone could see this in plain sight?

Speaking of which, does the timekoin software have some sort of anti-bruteforce attempt if someone is trying to guess your username/password?
KnightMB
Site Admin
Posts: 1019
Joined: Thu Feb 23, 2012 5:03 pm

Re: Logging of failed login attempts

Post by KnightMB »

PoisonWolf wrote: One thing that has always been a concern to me is the fact that Timekoin keeps a log, in clear text, of failed login attempts, including both the username and password that were attempted. What do you guys think about this particular feature?
As you said, it shows if someone is trying to guess your password. I notice bots hitting timekoin.com for example, trying the default username/password (for install) to login, so I know someone has already written some script to try and find all the unsecured Timekoin servers out there. An admin plugin to basically blank the passwords logged could be created if needed.
On one hand, one advantage of doing this is the fact that you can see if someone is trying to bruteforce your node. On the other hand, I'm wondering if this is safe if you're checking your node in a public place and someone could see this in plain sight?
If you are accessing your TK server without using SSL, your password is already being sent in clear text over the Internet. If you are accessing it over your own network or right off your own machine, then the issue becomes much less of a concern, short of keyloggers and network sniffers, and if you have those on your machine, SSL wouldn't help anyway. For any servers you have to access over the Internet (VPS, owned hosting, etc.) I always encourage people to use even just a self-signed SSL certificate so that your data communication will be encrypted. If you're worried about your own login attempts with your own password (maybe it was for a different machine) being in the log file, I make the same mistake sometimes and try to login with a password belonging elsewhere. You can always clear the logs, and that way no one could come back later and find it should they take over your server somehow.
Speaking of which, does the timekoin software have some sort of anti-bruteforce attempt if someone is trying to guess your username/password?
A couple of layers: Timekoin adds a 1 second delay to failed login attempts per session. This helps to slow down any attacker using random guessing to 1 per second instead of 100,000 per second or however much the server can handle. Now if someone is clever and they create a "new" session for every attack to bypass this and fire out thousands of attempts per second, then they would be banned after the first few seconds of attacks. If someone tries to flood load the login screen, they get banned even faster. If the attacker was already at an IP that was banned earlier that day (say, a rogue server), then they are already banned at the login screen.

It's difficult to simulate this in a browser if you want to get yourself banned to see what happens (because of that 1 second delay), but if you really want to test it for giggles, go to the "system" tab and change "Max Peer Query" from the default 500 to something like 5, and then you could get yourself banned rather quickly after only a few login failures. Not recommended to try on a live server because you'll be banned for 24 hours if you succeed, not to mention all the peers would get banned also for any traffic.
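The layered guard described above, modelled as an added example (this is not Timekoin's code; the 1 s per-session delay and the 24 hour ban come from the post, while the per-IP failure threshold and window are assumed). It shows why the per-session delay alone is not enough: an attacker who opens a fresh session per guess pays the delay in parallel, so a per-IP counter is what actually stops the churn.

```python
import time
from collections import defaultdict, deque

# Policy parameters. The 1 s delay and the 24 h ban are stated in the thread;
# the per-IP threshold and window are assumed values for this illustration.
FAIL_DELAY_SECONDS = 1.0
MAX_FAILS_PER_IP = 5       # assumed: failures tolerated per IP within the window
WINDOW_SECONDS = 10.0      # assumed
BAN_SECONDS = 24 * 3600


class LoginGuard:
    """Layer 1: every failed response is delayed (slows a single session).
    Layer 2: failures are counted per source IP regardless of session, so
    session churn still ends in a ban."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.fails = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}           # ip -> ban expiry (epoch seconds)

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)  # expired or never banned
        return False

    def attempt(self, ip, ok):
        """Returns (status, delay_seconds); the caller sleeps for the delay
        before answering, so one session cannot guess faster than once a second."""
        now = self.clock()
        if self.is_banned(ip, now):
            return "banned", 0.0
        if ok:
            self.fails.pop(ip, None)
            return "ok", 0.0
        recent = self.fails[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) > MAX_FAILS_PER_IP:
            self.banned_until[ip] = now + BAN_SECONDS
            return "banned", 0.0
        return "delay", FAIL_DELAY_SECONDS


def simulate_session_churn(attempts=7, spacing=0.1):
    """Constructed scenario: one IP fires a guess every 0.1 s from a new session
    each time, then tries the correct password once banned."""
    clock = [0.0]
    guard = LoginGuard(clock=lambda: clock[0])
    results = []
    for i in range(attempts):
        clock[0] = i * spacing
        results.append(guard.attempt("203.0.113.7", ok=False)[0])
    clock[0] = attempts * spacing
    results.append(guard.attempt("203.0.113.7", ok=True)[0])  # still refused
    return results
```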
PoisonWolf
Posts: 186
Joined: Fri Apr 12, 2013 10:39 am

Re: Logging of failed login attempts

Post by PoisonWolf »

This is awesome Knight. You really sure do brainstorm all the various contingencies regarding the possible security breaches. I think I'll get into the habit of just clearing my logs regularly if I've made a username/password mistake.

I needed to run something by you as well. One of my nodes has a relatively high uptime in terms of currency generation. However, this is also a node that I may have, at one point, connected to view and copy down the private key without any SSL (before I knew how). Should I be concerned about this? I've been meaning to switch keys, but I forget if the generation uptime is tied to the IP or tied to the public key. But if switching public/private keys would mean losing my uptime... that would suck so much. =( I've opened up another node, with SSL enabled right at the start, and have uploaded the old public/private keys here. I'm just wondering if it's possible to "transfer the uptime count" to a new set of public/private keys just to put my mind at ease (NSA metadata collection and all lol).

I know my newer node is fine as I did not attempt to view the private key prior to getting the SSL installed. Just wanted to get your opinion on what you think I should do in terms of my older, relatively high uptime currency generation node?
KnightMB
Site Admin
Posts: 1019
Joined: Thu Feb 23, 2012 5:03 pm

Re: Logging of failed login attempts

Post by KnightMB »

PoisonWolf wrote: This is awesome Knight. You really sure do brainstorm all the various contingencies regarding the possible security breaches. I think I'll get into the habit of just clearing my logs regularly if I've made a username/password mistake.

I needed to run something by you as well. One of my nodes has a relatively high uptime in terms of currency generation. However, this is also a node that I may have, at one point, connected to view and copy down the private key without any SSL (before I knew how). Should I be concerned about this? I've been meaning to switch keys, but I forget if the generation uptime is tied to the IP or tied to the public key. But if switching public/private keys would mean losing my uptime... that would suck so much. =( I've opened up another node, with SSL enabled right at the start, and have uploaded the old public/private keys here. I'm just wondering if it's possible to "transfer the uptime count" to a new set of public/private keys just to put my mind at ease (NSA metadata collection and all lol).

I know my newer node is fine as I did not attempt to view the private key prior to getting the SSL installed. Just wanted to get your opinion on what you think I should do in terms of my older, relatively high uptime currency generation node?
It is a valid concern if someone did capture that private key in the clear at some point in the past. The only damage that person could do is steal whatever balance it has at the time. If you do create a new key pair, then yes, the server will basically reset back to 0 gen time because those times are tied to the public key creating the currency. I think I had timekoin.com almost to 7 gen at one time until an ISP outage shut that down :( Afterwards, I just transferred what balance was left out and generated a new key for the server since it was going to have to start from 0 again anyway. Good way to close out a balance and start fresh at least.

Since you don't want to lose the gen status you have for a long running server, and there is the possibility that someone could have seen that private key in the clear, the best you can do is have the server automatically transfer out some balance to another account. That way, on the chance someone did try to do something with that key, it would minimize damage and you would know right away that someone is tampering with your key pair. You could use the auto-transfer plugin to have it send about 500 TK every time the balance goes over that amount automatically. That way, anyone trying to steal the balance could never get more than 500 at a time, and it might even discourage them from trying when they see that the balance is already on an "automatic" withdraw so it will never build up to high amounts.
warmach
Posts: 404
Joined: Thu Jun 21, 2012 5:18 pm

Re: Logging of failed login attempts

Post by warmach »

PoisonWolf wrote: This is awesome Knight. You really sure do brainstorm all the various contingencies regarding the possible security breaches. I think I'll get into the habit of just clearing my logs regularly if I've made a username/password mistake.

I needed to run something by you as well. One of my nodes has a relatively high uptime in terms of currency generation. However, this is also a node that I may have, at one point, connected to view and copy down the private key without any SSL (before I knew how). Should I be concerned about this? I've been meaning to switch keys, but I forget if the generation uptime is tied to the IP or tied to the public key. But if switching public/private keys would mean losing my uptime... that would suck so much. =( I've opened up another node, with SSL enabled right at the start, and have uploaded the old public/private keys here. I'm just wondering if it's possible to "transfer the uptime count" to a new set of public/private keys just to put my mind at ease (NSA metadata collection and all lol).

I know my newer node is fine as I did not attempt to view the private key prior to getting the SSL installed. Just wanted to get your opinion on what you think I should do in terms of my older, relatively high uptime currency generation node?
Use the Auto Transfer plugin to "collect" funds from VPS servers. Because they are not under my control, they could potentially be abused by hardware owners/operators. This plugin would check a key and then make a transfer to a designated account once the balance reaches a certain level. It can easily funnel funds to a particular account. Check it out. I haven't looked at it in years... You could then keep it running but harvest the currency.
koinmaster
Posts: 357
Joined: Mon Jun 18, 2012 8:07 pm

Re: Logging of failed login attempts

Post by koinmaster »

Maybe not exactly on topic but I have seen many attempts in my timekoin logs from IPs doing the same thing, trying stuff like the 12345 password for example. People really should not leave any TK servers running on the default password, that is insane!
bucket
Posts: 32
Joined: Thu May 16, 2013 8:30 pm

Re: Logging of failed login attempts

Post by bucket »

koinmaster wrote: Maybe not exactly on topic but I have seen many attempts in my timekoin logs from IPs doing the same thing, trying stuff like the 12345 password for example. People really should not leave any TK servers running on the default password, that is insane!
I just checked mine, I see the same thing coming from IP 37.187.29.250, Google says it is in France?!?
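An added example of the two things this thread asks for from the failed-login log: blanking the attempted password before it is stored (the "admin plugin" idea from earlier in the thread) and triaging the log for source IPs that hammer the login with guesses such as 12345. This is not Timekoin's code; the log line layout, the sample lines and the addresses are constructed for the example, and Timekoin's real install default is not stated in the thread, so only "12345" is treated as a known scanner guess.

```python
import re
from collections import Counter

# Constructed log layout for this example; the real Timekoin log format is not
# shown in the thread.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) FAILED LOGIN ip=(?P<ip>\S+) user=(?P<user>\S+) pass=(?P<pw>\S*)$"
)
SCANNER_PASSWORDS = {"12345"}   # the guess mentioned in the thread; extend as needed

# Constructed sample log: one address cycling guesses, one genuine typo elsewhere.
SAMPLE_LOG = """\
2013-08-01 10:00:01 FAILED LOGIN ip=203.0.113.7 user=admin pass=12345
2013-08-01 10:00:02 FAILED LOGIN ip=203.0.113.7 user=admin pass=admin
2013-08-01 10:00:03 FAILED LOGIN ip=203.0.113.7 user=admin pass=password
2013-08-01 10:00:04 FAILED LOGIN ip=203.0.113.7 user=root pass=toor
2013-08-01 11:15:00 FAILED LOGIN ip=198.51.100.2 user=myuser pass=hunter2
"""


def redact(line):
    """Blank the attempted password so the log keeps who/where/when but never
    the secret itself (this also protects the admin's own mistyped passwords)."""
    return re.sub(r"pass=\S*", "pass=<redacted>", line)


def analyze(log_text, threshold=3):
    """Count failures per source IP and flag addresses that exceed the threshold
    or try a known scanner password. Returns plain data so it is easy to test."""
    per_ip = Counter()
    scanner_hits = Counter()
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue                      # ignore lines in another format
        per_ip[m["ip"]] += 1
        if m["pw"] in SCANNER_PASSWORDS:
            scanner_hits[m["ip"]] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "flagged": flagged, "scanner_hits": dict(scanner_hits)}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
    print(analyze(SAMPLE_LOG))
```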