Skip to content

feat: Built-in brute-force protection with IP blocking and user lockout #1630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
mrmm wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

feat: Built-in brute-force protection with IP blocking and user lockout #1630

mrmm wants to merge 11 commits into from

Conversation

@mrmm
Copy link

@mrmm mrmm commented Dec 27, 2025

Summary

This PR adds fail2ban-like login protection to Warpgate with:

  • IP-based rate limiting - Automatically blocks IPs after configurable failed login attempts
  • Exponential backoff - Each subsequent block has longer duration (30min → 1h → 2h → ... → 24h max)
  • User account lockout - Locks accounts after repeated failures (optional auto-unlock)
  • Cross-protocol protection - Failed attempts across SSH, HTTP, MySQL, PostgreSQL all count together
  • Admin management - View status, unblock IPs, unlock users via Admin UI or API
  • In-memory caching - Fast lookups with periodic database sync

Configuration

login_protection:
  enabled: true
  ip_rate_limit:
    max_attempts: 5
    time_window_minutes: 15
    base_block_duration_minutes: 30
    block_duration_multiplier: 2.0
    max_block_duration_hours: 24
  user_lockout:
    max_attempts: 10
    time_window_minutes: 60
    auto_unlock: false
  retention_days: 30

Admin API Endpoints

  • GET /login-protection/status - Security overview
  • GET /login-protection/blocked-ips - List blocked IPs
  • DELETE /login-protection/blocked-ips/:ip - Unblock an IP
  • GET /login-protection/locked-users - List locked users
  • DELETE /login-protection/locked-users/:username - Unlock a user

Test plan

  • Docker Compose local setup - containers start correctly
  • IP blocking test - after 3 failed attempts, returns {"state":"IpBlocked"}
  • User lockout test - account locks after threshold
  • Integration tests - pytest tests pass
  • Build - cargo build succeeds
  • Admin UI - Login Protection page shows stats and lists

mrmm added 11 commits December 27, 2025 16:58
@mrmm
feat(login-protection): add configuration and error types
6a5c344 
Add LoginProtectionConfig, IpRateLimitConfig, and UserLockoutConfig
structs with sensible defaults. Add IpBlocked and UserLocked error
variants for authentication flow.
@mrmm
feat(login-protection): add database entities and migration
0baa852 
Add FailedLoginAttempt, IpBlock, and UserLockout entities.
Create m00025_login_protection migration with composite indexes
for efficient queries on IP/timestamp and username/timestamp.
@mrmm
feat(login-protection): implement core service with cache
4ecbe3a 
Add LoginProtectionService with in-memory caching for fast lookups.
Implement IP blocking with exponential backoff, user lockout,
and background cleanup task for expired records.
@mrmm
docs: add login protection feature to README
353d42f 
- Add bullet point about built-in brute-force protection
- Add Documentation section with links to external docs
- Add comparison table row for brute-force protection
@mrmm
feat(protocols): integrate login protection across all protocols
cbe0580 
- SSH: Check IP blocks before auth, record failed attempts
- HTTP: Check IP blocks and user lockouts in auth flow
- MySQL: Add login protection checks to session authentication
- PostgreSQL: Add login protection checks to session authentication

All protocols now share the same login protection service for
consistent brute-force protection across the entire gateway.
@mrmm
feat(admin-api): add login protection management endpoints
dd8f37d 
- GET /login-protection/status - Security status overview
- GET /login-protection/blocked-ips - List blocked IPs
- DELETE /login-protection/blocked-ips/:ip - Unblock an IP
- GET /login-protection/locked-users - List locked users
- DELETE /login-protection/locked-users/:username - Unlock a user

All endpoints require admin authentication.
@mrmm
chore: regenerate OpenAPI schemas for login protection endpoints
50ea0de 
Updates admin and gateway OpenAPI schemas with new login protection
types and endpoints.
@mrmm
feat(ui): add Login Protection admin page
117fc1e 
- New LoginProtection.svelte page with:
  - Stats cards (blocked IPs, locked users, failed attempts)
  - Blocked IPs list with unblock action
  - Locked users list with unlock action
- Add navigation link in Config.svelte
@mrmm
test: add login protection local testing setup
70af86e 
- Docker Compose setup with warpgate and SSH target
- Test configuration with aggressive settings for quick testing
- Test scripts for IP blocking and user lockout scenarios
- README with testing instructions
@mrmm
test: add login protection integration tests
414569e 
Comprehensive pytest tests covering:
- IP blocking after failed attempts threshold
- Exponential backoff for repeat offenders
- User lockout functionality
- Admin API endpoints (status, unblock, unlock)
- Cross-protocol attempt counting
@mrmm
chore: regenerate config-schema.json for login protection
6d4342b 
Adds LoginProtectionConfig, IpRateLimitConfig, and UserLockoutConfig
definitions to the JSON schema.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mrmm