
Add Brute Force Preventative Measures for new client connections #2966

@tousheroux

Description

Currently, the BlueBubbles server does not incorporate brute-force prevention. A BB server exposed to the web via a reverse proxy may be subject to brute-force attacks that try to authenticate by guessing the server password.

Environment

  • Server: Mac Mini M4, reverse proxied through a Caddy server.
  • Server Networking: Caddy reverse proxy running natively on macOS. Caddy automates TLS certificates and authentication through DuckDNS. Caddy acts as the TLS termination point. CrowdSec bouncer and GeoIP blocking enabled.
  • Client: Win11 PC, initial startup of the BlueBubbles client, clean install. Connecting via VPN, IP 155.133.4.240.

Issues Encountered

When attempting a brute-force attack on my server as part of server hardening testing, the BB server did not limit the number of login attempts.

Impact

The BB server in its current configuration is vulnerable to a brute-force attacker, assuming the attacker knows the domain name of the server. The attacker only needs to guess a single alphanumeric password to gain access to BB.

Expected Behavior

  • BB server limits the number of failed login attempts from the same IP to a set amount. For example, 1x per second, 5x per minute, 20x per 24 hours.
  • BB server limits the total number of failed login attempts, regardless of IP, to a set amount per week. For example, 50x per week.
  • BB server generates a high-visibility notification upon any IP exceeding the login attempt limit.
  • Manually restarting the BB server resets the above login attempt counts to zero.

Steps to Reproduce

  1. Start BB client with fresh install on Win11 on a VPN.
  2. In the BB client first-start wizard, instead of using Google Firebase, manually enter the server details. Enter the domain name (https://example.duckdns.org) and a known incorrect password.
  3. Continually re-attempt incorrect password.
  4. BB server receives and logs failed attempts but continues to service failed login attempts regardless of frequency.

See the attached log excerpt from the BB server for an example simulated brute-force attack, from client IP 155.133.4.240.

Suggested Fix

Add internal logic to BB server according to the "Expected Behavior" section above. This does not need to be user-configurable (to minimize programming costs).

  • Implement per-IP failed login attempt limit (per second, per hour, per day)
  • Implement failed login attempt limit across all IPs (per week).
  • Implement notification in BB server when login attempt limits are exceeded.
  • Implement reset of login attempts when manually shutting down BB server (part of shut-down code, not triggered if BB server crashes or power outage).

example-bb-bruteforce.txt
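The limiter sketched in "Expected Behavior" and "Suggested Fix" above, as an added example in TypeScript (the language the BlueBubbles server is written in). This is illustrative code, not the project's own, and the integration points are assumed: the HTTP auth middleware would call `check(ip)` before comparing the password and reject the request when it is not allowed, then call `recordFailure(ip)` after a wrong password. The class name, `simulateAttack` helper and the 203.0.113.x addresses are made up for the example. Counters live only in process memory, so a restart clears them, which is the reset behaviour the issue asks for.

```typescript
// Added example (not BlueBubbles code): in-memory sliding-window limiter for
// failed password attempts, using the limits proposed in this issue.
// Assumed integration: call check(ip) before verifying the password and
// reject if not allowed; call recordFailure(ip) after a wrong password.
// `now` is injectable so the behaviour is deterministic in tests.

type Tier = { limit: number; windowMs: number; label: string };

const SECOND = 1_000;
const MINUTE = 60 * SECOND;
const DAY = 24 * 60 * MINUTE;
const WEEK = 7 * DAY;

// Per-IP tiers from "Expected Behavior": 1 per second, 5 per minute, 20 per day.
const PER_IP_TIERS: Tier[] = [
  { limit: 1, windowMs: SECOND, label: "1/second" },
  { limit: 5, windowMs: MINUTE, label: "5/minute" },
  { limit: 20, windowMs: DAY, label: "20/day" },
];
const MAX_IP_WINDOW = Math.max(...PER_IP_TIERS.map((t) => t.windowMs));
// Limit across all IPs: 50 failures per week.
const GLOBAL_TIER: Tier = { limit: 50, windowMs: WEEK, label: "50/week (all IPs)" };

type Verdict = { allowed: boolean; reason?: string };

function countSince(ts: number[], cutoff: number): number {
  return ts.filter((t) => t > cutoff).length;
}

class FailedLoginLimiter {
  // State is process memory only: a server restart resets every counter.
  private perIp = new Map<string, number[]>();
  private global: number[] = [];
  private alerted = new Set<string>(); // keys already notified while blocked

  constructor(
    private notify: (msg: string) => void = () => {},
    private now: () => number = () => Date.now(),
  ) {}

  // Decide whether a login attempt from `ip` may reach the password check.
  check(ip: string): Verdict {
    const now = this.now();
    // Forget per-IP failures older than the longest per-IP window.
    const ipTs = (this.perIp.get(ip) ?? []).filter((t) => t > now - MAX_IP_WINDOW);
    this.perIp.set(ip, ipTs);
    for (const tier of PER_IP_TIERS) {
      if (countSince(ipTs, now - tier.windowMs) >= tier.limit) {
        return this.block(ip, `${ip} exceeded ${tier.label} failed logins`);
      }
    }
    this.global = this.global.filter((t) => t > now - GLOBAL_TIER.windowMs);
    if (this.global.length >= GLOBAL_TIER.limit) {
      return this.block("global", `all clients exceeded ${GLOBAL_TIER.label} failed logins`);
    }
    // Allowed again: arm the notification for the next block episode.
    this.alerted.delete(ip);
    this.alerted.delete("global");
    return { allowed: true };
  }

  // Record a wrong password from `ip`. Successful logins are never recorded.
  recordFailure(ip: string): void {
    const now = this.now();
    this.perIp.set(ip, [...(this.perIp.get(ip) ?? []), now]);
    this.global.push(now);
  }

  // Emit the high-visibility notification once per blocked key, not once per
  // blocked request, so a hammering client cannot flood the operator.
  private block(key: string, reason: string): Verdict {
    if (!this.alerted.has(key)) {
      this.alerted.add(key);
      this.notify(`login attempt limit exceeded: ${reason}`);
    }
    return { allowed: false, reason };
  }
}

// Constructed driver: one attacker sends `attempts` wrong passwords spaced
// `intervalMs` apart. Returns how many guesses reached the password check.
function simulateAttack(
  limiter: FailedLoginLimiter,
  ip: string,
  attempts: number,
  intervalMs: number,
  clock: { t: number },
): number {
  let reached = 0;
  for (let i = 0; i < attempts; i++) {
    if (limiter.check(ip).allowed) {
      reached++;
      limiter.recordFailure(ip); // every guess is wrong in this simulation
    }
    clock.t += intervalMs;
  }
  return reached;
}
```

One caveat for the environment described above: behind Caddy, the TCP peer the BB server sees is the proxy, not the client, so `ip` must be taken from the forwarding header Caddy sets (for example `X-Forwarded-For`) and only trusted when the request really came from the proxy; otherwise every client shares one per-IP bucket and a single attacker can lock out all legitimate users, while the global weekly tier becomes the only limit that bites. The global tier is also a denial-of-service lever by design: anyone who can reach the server can spend the 50 weekly failures, which is the trade-off the issue accepts in exchange for making an online guessing attack impractical.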
