Audit Authentication / Limit login attempts

PostPosted: Thu Mar 07, 2013 1:12 am
by ztnewman
<-------------------------Subsonic Help Request---------------------->
Problem Description: I've searched around (see viewtopic.php?f=3&t=1830), and please correct me if I'm wrong, but there doesn't appear to be any way to limit login attempts with Subsonic. This seems like a huge security vulnerability to me. Is there a log of authentication attempts or a way to limit the number of unsuccessful logins? With the server internet-facing in order to use the mobile client, I am shocked to see such a lack of security. Is it even possible to disable admin logins?

Troubleshooting Steps: Anyone can brute force http://<yourdomain.com>[:port]/[context_url/]login.view?user=admin&password=password to get access.

Subsonic Version: 4.7 (build 3105) – September 11, 2012

Server Version: jetty-6.1.x, java 1.6.0_24, Linux (45.0 MB / 90.2 MB)
<-------------------------Subsonic Help Request---------------------->

Re: Audit Authentication / Limit login attempts

PostPosted: Thu Mar 07, 2013 2:21 pm
by bushman4
You are correct. There is no logon auditing, nor are there failed-attempt-based lockouts.

If you think it is something that should be added, please post a request in the Feature Request section of the forums.

Glenn

Re: Audit Authentication / Limit login attempts

PostPosted: Thu Mar 07, 2013 2:25 pm
by hakko
.. but only after searching the Feature Request forum for a thread requesting the same functionality. Adding a "+1" to an existing thread is smarter as popular threads are more likely to gain attention.

Re: Audit Authentication / Limit login attempts

PostPosted: Thu Mar 07, 2013 2:27 pm
by bushman4
hakko wrote:.. but only after searching the Feature Request forum for a thread requesting the same functionality. Adding a "+1" to an existing thread is smarter as popular threads are more likely to gain attention.
Great point. Always one step ahead of me hakko...

Glenn

Re: Audit Authentication / Limit login attempts

PostPosted: Thu Mar 07, 2013 2:32 pm
by hakko
More like one step behind!

Re: Audit Authentication / Limit login attempts

PostPosted: Fri Mar 08, 2013 10:51 pm
by jol
ztnewman wrote:... there doesn't appear to be any way to limit login attempts with Subsonic. This seems like a huge security vulnerability to me.
It is not. In fact, on the contrary, if you lock out users after authentication failures you create the possibility of denial-of-service attacks. Best practice is to use strong passwords so that brute-force attacks take years to succeed.
ztnewman wrote:Is it even possible to disable admin logins?
Disabling admin access or putting admin access on a different port or mechanism is a good idea, as you turn something unlikely into something impossible. Even just separating on URL (e.g. /admin instead of /subsonic) would allow you to use a reverse proxy in front of Subsonic (I use ARR) that limits access from the outer world.
Best regards, jol

Re: Audit Authentication / Limit login attempts

PostPosted: Fri Mar 08, 2013 11:23 pm
by daneren2005
jol wrote:
ztnewman wrote:... there doesn't appear to be any way to limit login attempts with Subsonic. This seems like a huge security vulnerability to me.
It is not. In fact, on the contrary, if you lock out users after authentication failures you create the possibility of denial-of-service attacks. Best practice is to use strong passwords so that brute-force attacks take years to succeed.
ztnewman wrote:Is it even possible to disable admin logins?
Disabling admin access or putting admin access on a different port or mechanism is a good idea, as you turn something unlikely into something impossible. Even just separating on URL (e.g. /admin instead of /subsonic) would allow you to use a reverse proxy in front of Subsonic (I use ARR) that limits access from the outer world.
Best regards, jol

If anything, it stops DoS attacks. It takes computational resources to check the password. Increasing the strength of the password makes it harder to guess, but it doesn't stop a flood of requests from bringing your server to its knees and causing others to not be able to use it. Using a basic firewall-based limited-login-attempt method like fail2ban, on the other hand, uses very few resources to block a virtually unlimited number of tries. And this would only block that IP from trying again, so it wouldn't be disrupting service for others at all.
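The distinction the two replies above are arguing over (per-account lockout, which an attacker can abuse to lock out the real admin, versus per-source-IP blocking in the fail2ban style, which does not) is easy to show in code. The following is an added illustration, not Subsonic code and not part of this thread: it reads constructed, made-up auth log lines in an assumed format (timestamp, outcome, client IP, user), counts failures per source IP inside a sliding window, and reports which addresses have crossed the threshold. The parameter names `maxretry` and `findtime` are borrowed from fail2ban's jail settings for familiarity; the log format itself is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Subsonic output). The format is an
# assumption chosen to resemble a typical auth log: timestamp, outcome, ip, user.
SAMPLE_LOG = """\
2013-03-08 22:00:01 login failure ip=203.0.113.7 user=admin
2013-03-08 22:00:02 login failure ip=203.0.113.7 user=admin
2013-03-08 22:00:03 login failure ip=203.0.113.7 user=admin
2013-03-08 22:00:04 login failure ip=203.0.113.7 user=admin
2013-03-08 22:00:05 login failure ip=203.0.113.7 user=admin
2013-03-08 22:00:06 login failure ip=198.51.100.20 user=admin
2013-03-08 22:00:07 login success ip=198.51.100.20 user=admin
2013-03-08 22:20:00 login failure ip=192.0.2.44 user=alice
2013-03-08 22:20:01 login failure ip=192.0.2.44 user=alice
"""

# Regex for the assumed line format above (plays the role of a fail2ban failregex).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>failure|success) "
    r"ip=(?P<ip>[\d.]+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "ip": m["ip"],
        "user": m["user"],
    }


def find_offending_ips(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every source IP that produced at least
    `maxretry` login failures within any `findtime` window.

    Failures are counted per source IP, never per account, so an attacker
    hammering the admin account from one address cannot lock the legitimate
    admin out when they connect from a different address.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "failure":
            continue
        if ev["ip"] in banned:
            continue  # already decided; nothing more to count
        q = window[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ev["ip"]] = ev["ts"]
    return banned


def is_blocked(banned, ip):
    """True if `ip` would be rejected at the firewall before reaching the login page."""
    return ip in banned


if __name__ == "__main__":
    result = find_offending_ips(SAMPLE_LOG)
    for ip, when in result.items():
        print(f"ban {ip} (threshold reached at {when})")
    print("admin from 198.51.100.20 blocked?", is_blocked(result, "198.51.100.20"))
```

On the sample data only 203.0.113.7 is reported, while the admin logging in from 198.51.100.20 a second later is untouched, which is the property daneren2005 is pointing at: the account stays usable, only the abusive source is cut off. In a real deployment the same counting is done by fail2ban against the application's log and the block is applied with a firewall rule, so the server spends nothing on the attacker's further attempts; the example does the counting in-process purely to make the logic visible.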