From version 5.1
edited by Clemens Robbenhaar
on 2019/08/21 18:20
To version 6.1
edited by Clemens Robbenhaar
on 2019/08/21 19:17
Change comment: There is no comment for this version

Summary

Details

ExtensionCode.ExtensionClass[0]
Description
... ... @@ -1,7 +1,54 @@
1 -{{info}}This extension implements something similar to the "Authentication Security Module" introduced in XWiki 11.6. If you use a XWiki 11.6 or newer, you are unlikely to need this extension; it is meant to be helpful if you are running the LTS version of XWiki, which is 10.x when the initial version of this extension has been released.{{/info}}
1 +{{info}}This extension implements something similar to the //"Authentication Security Module"// introduced in XWiki **11.6**. If you use XWiki 11.6 or newer, you are unlikely to need this extension; it is meant to be helpful if you are running older versions of XWiki and want some protection against brute force password cracking.{{/info}}
2 2  
3 3  This extension adds an authenticator to your wiki that temporarily blocks users and IPs after a configured number of login failures are recorded for that login or IP. It also adds a section to the XWiki Administration where you can configure the number of failed logins to trigger the blockage and the duration of the blockage, and where you can view and selectively unblock users and IPs.
4 +Because this information is only stored in memory and not on persistent storage, the blockings go away if you restart your XWiki instance.
5 +On the other hand the configuration about the number of failures is stored persistently and does not get reset.
4 4  
5 -{{error}}If you have a wiki that has been in use for a long time, so that it still has the user named "Admin" as predefined adminstrative user, please set up another user with administrative privileges and a less conspicuous name. Otherwise this extension might lock you out from your admin account until you restart the wiki every time someone tries to guess the "Admin"-password.{{/error}}
7 +{{error}}If you have a wiki that has been in use for a long time, so that it still has an account named "Admin" as predefined adminstrative user, please set up another user with administrative privileges and a less conspicuous login. Otherwise this extension might lock you out from your admin account every time someone tries to guess the "Admin" password.{{/error}}
6 6  
7 -(Screenshots are following soon.)
9 +== Configuration ==
10 +
11 +(% style="float:left" %)
12 +{{image reference="ba-menu.png" width="300px" /}}
13 +
14 +After you installed this extension and configured the ##xwiki.authentication.authclass##, you can find a new section "Blockings" in the "Users" category of the wiki administration. If you click on that section you should see a screen with a lost of blocked users and/or IPs followed by a configuration section.
15 +
16 +If instead you see an error message, then it is likely that XWiki is not configured to use the blocking authenticator. Please review your configuration in the ##xwiki.cfg## config file.
17 +
18 +(% class="clearfloats" %)
19 +Otherwise you can review and adjust the initial configuration:
20 +
21 +{{image reference="ba-config.png" width="650px" /}}
22 +//Configuration section. Note that the values displayed are already modified from the defaults.//
23 +
24 +First you can define how many failed login attempts are necessary before the login is blocked. A value of 0 disables this feature. The default value is 3.
25 +
26 +The next field defines for how long a login remains blocked after enough failures accumulated. This is also the time frame for how long failed logins are remembered from the past. (A successful login always resets the counter to 0.)
27 +
28 +The default value is 900 seconds = 15 minutes. You might want to set this to a much higher value if you prefer.
29 +
30 +Similar there is a counter for blocking an IP for failed logins, no matter for which login. The default value is 0, e.g. no blocking by IP. Before you activate this by setting it to a nonzero value you might check the other configuration settings to prevent locking out yourself.
31 +
32 +The "Time of blockage" again is the time (given in seconds) that a blocked IP remains blocked.
33 +
34 +The "List of whitelisted IPs" can contain a comma or space separated list of IPs which are excluded from being blocked. If your organization is running the XWiki on an external server ("in the cloud"), then you might add the gateway IP(s) of your organization here. This should prevent to lock everyone using the same gateway just because several of your users manage to mistype their password.
35 +The default value is empty, which means no whitelisted IPs.
36 +
37 +In case you have a reverse proxy running in front of XWiki, the next setting allows to pass this proxy to pass on the actual IP of the visitor. Otherwise the authenticator will see the IP or the reverse proxy instead.
38 +Below the configuration form you can see the IP of your own request. If this is the same IP as your reverse proxy, you might add it to the whitelist, save the form and check if your displayed IP is updates to the actual IP with which you access the internet.
39 +The default values are the IPv4 and IPv6 values for "localhost", which should be ok if the reverse proxy is on the same server as the XWiki. If you have no reverse proxy set up then you can safely remove these entries.
40 +
41 +Please not that if you use a //proxy// to access the internet (not a //reverse proxy// in front of the server, then you do not have to add this to the list of trusted proxies. More likely you wan to add that IP to the whitelist.
42 +
43 +As the login failures are not stored in any persistent storage, restarting the server/servlet container for XWiki erases all blocking information. This can be used as a last resort if this authentication has locked you out completely out of your wiki.
44 +
45 +=== Review and Unblock Users and IPs ===
46 +
47 +Above of the configuration section you can see information about the currently blocked logins and IPs.
48 +
49 +{{image reference="ba-blockings.png" width="650px" /}}
50 +//An example with two blocked logins, one beloning to an actual XWiki user, and one blocked IP//
51 +
52 +For each either you see a notice that nothing is blocked, or a list of blocked values. In case of logins the entries are linked to the actual user profile if there is one (i.e. it is the login of an existing XWiki user.)
53 +
54 +Behind each entry there is a link to unblock that entry immediately. There is no confirmation dialog coming up; instead the action is performed without further interaction.
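Review bot: the trusted-proxy paragraph ("In case you have a reverse proxy running in front of XWiki ...") is missing the detail that decides whether the IP counter can be trusted at all: it never names the request header the authenticator reads for the visitor's address, and it does not say that an address put on the trusted-proxy list must be a proxy that overwrites that header rather than appending to or passing through whatever the client sent. Without that, anyone who can reach XWiki through a listed address can forge the forwarded IP, which both evades the per-IP counter and lets an attacker spend the failure budget of any address they choose. The same caveat belongs beside the default localhost entries: they are only safe if nothing but the reverse proxy can open connections to the servlet container from localhost, so "you can safely remove these entries" when no proxy is used should be "you should remove them". Two more points deserve a sentence each. The "Admin" warning describes one instance of a general problem: any login an attacker knows can be locked out for the configured duration by a third party, and only a successful login resets that login's counter, so the advice to keep a second privileged account or a whitelisted address applies to every administrator, not just the predefined "Admin". And the unblock links at the end ("There is no confirmation dialog coming up") perform a state change from a plain link; the text should say whether that action carries the usual form token against cross-site request forgery or advise admins to verify it before relying on the page. Finally, typos in the added text: "adminstrative", "a lost of blocked users" (should be "a list"), "Similar there is" (should be "Similarly") and "e.g. no blocking by IP" (should be "i.e."), "allows to pass this proxy to pass on" and "the IP or the reverse proxy" (should be "of the reverse proxy"), "is updates", "Please not that" with its unclosed parenthesis and "you wan to", "Above of the configuration section" and "beloning".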
Properties
... ... @@ -1,5 +1,1 @@
1 -maven.groupid=org.xwiki.contrib.authentication maven.artifactid=authenticator-blocking-ui maven.Model=org.xwiki.contrib.authentication:authenticator-blocking-ui:xar:1.0 xwiki.extension.recommendedVersions.commons=org.xwiki.commons:.*/[9.11.4] xwiki.extension.recommendedVersions=org.xwiki.commons:.*/[9.11.4],
2 - org.xwiki.rendering:.*/[9.11.4],
3 - org.xwiki.platform:.*/[9.11.4] xwiki.extension.recommendedVersions.platform=org.xwiki.commons:.*/[9.11.4],
4 - org.xwiki.rendering:.*/[9.11.4],
5 - org.xwiki.platform:.*/[9.11.4]
1 +maven.groupid=org.xwiki.contrib.authentication maven.artifactid=authenticator-blocking-ui maven.Model=org.xwiki.contrib.authentication:authenticator-blocking-ui:xar:1.0 xwiki.extension.recommendedVersions.commons=org.xwiki.commons:.*/[9.11.4] xwiki.extension.recommendedVersions=org.xwiki.commons:.*/[9.11.4], org.xwiki.rendering:.*/[9.11.4], org.xwiki.platform:.*/[9.11.4] xwiki.extension.recommendedVersions.platform=org.xwiki.commons:.*/[9.11.4], org.xwiki.rendering:.*/[9.11.4], org.xwiki.platform:.*/[9.11.4]
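Review bot: this hunk only joins the five property lines into one; no value changes (the artifact is still authenticator-blocking-ui 1.0 and the recommended commons, rendering and platform ranges stay at [9.11.4]), so the empty change comment above ("There is no comment for this version") should at least say "whitespace only" to spare the next reviewer a diff of the values. One related documentation gap: the description rewritten in the previous hunk now says the extension is meant for "older versions of XWiki" without naming a lower bound, while the only version information on the page is the 9.11.4 recommendation here, so the description should state the minimum XWiki version the authenticator was tested against.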
