
Protection against Brute Force Attacks

Applications secured with authentication can be subject to brute force attacks that systematically try to guess user passwords. OutSystems provides a built-in protection mechanism that takes countermeasures against these attacks, depending on the kind of attack:

  • User-level Attack: The attack targets one user from a specific IP address. In this case, that user is blocked from logging in from the attacker's IP address only. The legitimate user can still log in from their own IP address;
  • IP-level Attack: The attacker has a list of users and tries to guess their passwords from a specific IP address. In this case, the attacker's IP address is blocked. Blocking the IP address also prevents the attacker from iterating through all users and flooding the application with requests, which could otherwise lead to a denial-of-service (DoS) attack.

The countermeasure provided consists of a two-step backoff mechanism:

  1. The first backoff
    If the number of failed login attempts reaches a limit within a period of time, the following happens:

    • User-level attack: The user gets blocked for that IP address and cannot log in from there for a short time (a few minutes);
    • IP-level attack: The IP address gets blocked and users cannot log in from there for a short time (a few minutes).

    In both cases, the error message changes from "Invalid username or password" to "Too many failed login attempts. Please try again in a few minutes."
  2. The second backoff
    If the attack continues and a second limit is reached, the login is blocked for a long time (about an hour). The error message changes to: "Too many failed login attempts. Please try again in 60 minutes."

Unblocking Application Users and IP Addresses

Users and IP addresses can get blocked even if they're legitimate, for example:

  • A user forgot their password and made too many login attempts;
  • A brute force attack that blocks an IP address (e.g. an ISP's shared address) that is also used by many legitimate users.

To unblock users/IP addresses and restore the normal login process you need to go to the Users management console (located at http:///Users).

To unblock a user, proceed as follows:

  1. Log in to the Users application;
  2. Go to the user's details page. If login attempts are blocked for the user, a warning message is displayed on the page;
  3. Go to the bottom of the page, where there is a list of IP addresses for which login attempts by the user are blocked;
  4. Click Unblock to restore the normal login process for the user from the desired IP address(es).

To unblock an IP address, proceed as follows:

  1. Log in to the Users application;
  2. On the right-hand side of the screen, click the Blocked Addresses link to display the page with blocked IP addresses;
  3. Click Unblock to restore the normal login process for all users from the desired IP address(es).

Unblocking Administrator Users

In case an administrator user gets blocked, use one of the following ways to unblock:

  • Log in as the administrator from a different IP address and unblock the blocked address;
  • Log in as another user with permissions to manage users and teams and unblock the administrator.

Unblocking in LifeTime and Service Center

LifeTime and Service Center are also safeguarded against brute force attacks, which means their users can get blocked. When they get blocked, use the infrastructure management console (LifeTime) to unblock them. If LifeTime is not installed, use the environment management console (Service Center).

Unblock in LifeTime

To unblock IT users in LifeTime, do the following:

  1. Log in to LifeTime (with a user with permissions to manage users and teams);
  2. Go to the Users & Roles section;
  3. Go to the page with the details of the user. If login attempts are blocked for the user, a warning message is displayed on the page;
  4. Go to the end of the page, where there is a list of IP addresses for which login attempts by the user are blocked;
  5. Click Unblock to restore the normal login process for the user from the desired IP address(es).

To unblock IP Addresses in LifeTime, do the following:

  1. Log in to LifeTime (with a user with permissions to manage users and teams);
  2. Go to the Infrastructure section;
  3. On the desired environment, click the Blocked Addresses link to display the page with blocked IP addresses;
  4. Click Unblock to restore the normal login process for all users from the desired IP address(es).

Unblock in Service Center

To unblock IT users in Service Center, do the following:

  1. Log in to Service Center (with a user with permissions to manage users);
  2. Go to the Administration section;
  3. Select the Users option;
  4. Go to the page with the details of the user. If login attempts are blocked for the user, a warning message is displayed on the page;
  5. Go to the Blocked Addresses tab, where there is a list of IP addresses for which login attempts by the user are blocked;
  6. Check the IP address(es) for which you want to unblock the user;
  7. Click the Unblock Selected button. The user will be able to log in again from those IP addresses.

To unblock IP addresses in Service Center, do the following:

  1. Log in to Service Center (with a user with permissions to manage users);
  2. Go to the Monitoring section;
  3. Select the Security option, where there is a list of blocked IP addresses;
  4. Check the IP address(es) for which you want to restore the normal login process for all users;
  5. Click the Unblock Selected button.

Check for Possible Brute Force Attacks

The environment management console (Service Center) provides logs with information that can be used to monitor possible brute force attacks.

To access the log, proceed as follows:

  1. Log in to Service Center;
  2. Go to the Monitoring section;
  3. Select the Errors option;
  4. Filter by Login module.

When a user or IP address is blocked due to a possible brute force attack, the information is displayed in the following format:

  • The timestamp of the login attempt;
  • The user who made the login attempt;
  • The IP address from which the login attempt was made;
  • The approximate time elapsed since the last login attempt;
  • When the last login attempt occurred;
  • The count of login attempts.

If a failed login attempt does not constitute an attack, the information is displayed as follows:

  • The timestamp of the login attempt;
  • The user who made the login attempt;
  • The count of login attempts at user level and at IP level.

Configure Brute Force Protection

The protection of OutSystems applications against brute force attacks is configurable. To change the behavior, proceed as follows:

  1. Log in to Service Center;
  2. Go to the Factory section and select the eSpaces option;
  3. Search for the Users module and open the page with the details;
  4. Select the Site Properties tab;
  5. Configure the protection in the Site Properties described in the table below.

| Site Property | Description |
|---|---|
| EnableBruteForceProtection | Enables brute force login protection at user level. |
| MaxUsernameAttemptsFirstBackoff | The maximum number of failed login attempts for a user after which the first backoff is triggered. The default value is 3 attempts. |
| MaxUsernameAttemptsSecondBackoff | The maximum number of failed login attempts for a user after which the second backoff is triggered. The default value is 6 attempts. |
| UsernameAttemptsFirstBackoffDelayInSeconds | Time for which login attempts are blocked for a user after the first backoff is hit. The default value is 30 seconds. |
| UsernameAttemptsSecondBackoffDelayInSeconds | Time for which login attempts are blocked for a user after the second backoff is hit. The default value is 1800 seconds. |
| EnableBruteForceProtectionPerIP | Enables brute force login protection at IP level. |
| MaxIPAttemptsFirstBackoff | The number of failed login attempts from an IP address after which the first backoff is triggered. The default value is 20 attempts. |
| MaxIPAttemptsSecondBackoff | The number of failed login attempts from an IP address after which the second backoff is triggered. The default value is 50 attempts. |
| IPAttemptsFirstBackoffDelayInSeconds | Time for which login attempts are blocked for an IP address after the first backoff is hit. The default value is 300 seconds. |
| IPAttemptsSecondBackoffDelayInSeconds | Time for which login attempts are blocked for an IP address after the second backoff is hit. The default value is 3600 seconds. |
| InvalidLoginCheckWindowInMinutes | Time frame in minutes within which failed attempts are counted. The default value is 60 minutes. |

This configuration is only for brute force protection of OutSystems applications and it does not affect the protection of LifeTime and Service Center.
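The two-step backoff described at the top of this page, driven by the Site Property names and default values from the table, as an added Python model written for this page (it is not OutSystems code): failures are counted per (user, IP) pair and per IP inside the InvalidLoginCheckWindowInMinutes window, and the first or second delay is applied when a limit is reached. It assumes that attempts refused while a block is active are not counted as new failures.

```python
# Defaults copied from the Site Properties table above (assumed to be the only inputs).
DEFAULTS = {
    "EnableBruteForceProtection": True,
    "MaxUsernameAttemptsFirstBackoff": 3,
    "MaxUsernameAttemptsSecondBackoff": 6,
    "UsernameAttemptsFirstBackoffDelayInSeconds": 30,
    "UsernameAttemptsSecondBackoffDelayInSeconds": 1800,
    "EnableBruteForceProtectionPerIP": True,
    "MaxIPAttemptsFirstBackoff": 20,
    "MaxIPAttemptsSecondBackoff": 50,
    "IPAttemptsFirstBackoffDelayInSeconds": 300,
    "IPAttemptsSecondBackoffDelayInSeconds": 3600,
    "InvalidLoginCheckWindowInMinutes": 60,
}

class BruteForceGuard:
    def __init__(self, props=None):
        self.p = dict(DEFAULTS, **(props or {}))
        self.window = self.p["InvalidLoginCheckWindowInMinutes"] * 60
        self.fails = {}          # key -> timestamps (s) of failed attempts
        self.blocked_until = {}  # key -> time (s) until which logins are refused

    def _recent(self, key, now):
        # Only failures inside the check window count toward the limits.
        kept = [t for t in self.fails.get(key, []) if now - t < self.window]
        self.fails[key] = kept
        return len(kept)

    def _backoff(self, key, scope, now):
        # scope is "Username" or "IP"; property names follow the table above.
        p, n = self.p, self._recent(key, now)
        for level in ("Second", "First"):
            if n >= p[f"Max{scope}Attempts{level}Backoff"]:
                self.blocked_until[key] = now + p[f"{scope}Attempts{level}BackoffDelayInSeconds"]
                return

    def seconds_blocked(self, user, ip, now):
        """0 if the login may proceed, else seconds left on the (user, ip) or ip block."""
        left = max(self.blocked_until.get(k, 0) - now for k in ((user, ip), ip))
        return max(left, 0)

    def record_failure(self, user, ip, now):
        """Call after an allowed attempt failed (assumption: refused attempts are not counted)."""
        if self.p["EnableBruteForceProtection"]:
            self.fails.setdefault((user, ip), []).append(now)
            self._backoff((user, ip), "Username", now)
        if self.p["EnableBruteForceProtectionPerIP"]:
            self.fails.setdefault(ip, []).append(now)
            self._backoff(ip, "IP", now)
```

Feeding it the failed-login entries from the Service Center Errors log (user, IP, timestamp) lets you replay an incident and see which block a given login would have hit under your configured values.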
