Quick suggestions



  • There isn't a formal "suggestions" forum; with luck this is a reasonable place for some quick ideas for developer review :)

    • Rate limiting login - There isn't rate limiting on router logins, which makes brute forcing of the GUI or console login easier. I asked about this and was told you have to manually modify the PHP to do it. Relying on difficult passwords but no rate limiting seems weak. Can some kind of rate limiting be added to the router config?

    • Bits/bytes - The traffic graphs have a "bits/bytes" option. However the traffic table shows bits, regardless, even if bytes is selected. It also doesn't allow flexibility of units (GB/MB/KB/B/GiB/MiB/KiB/mbits/kbits/bits/variable). Maybe fix this so it shows the same units as the graph? Maybe there could be an easy way to set one's data unit prefs as a standard option on relevant pages?

    • Option to keep open pages when troubleshooting - Session timeout is generally important for security, but when troubleshooting, a router admin might sometimes need diagnostic pages such as traffic graphs or router status kept open indefinitely without being logged out until they navigate away from the page. Perhaps a checkbox option on those pages which constantly reload, to "keep page open until I close it"?

    • URL blocking - A repeated theme that comes up in the forum is domain blocking. Squid or IP blocklists are usually suggested for blocking domains that have many (or dynamic) subdomains but both have issues for simple domain blocking - squid is overkill for simple domain blocking of a few URLs, and IP blocklists don't necessarily catch all subdomains and also block other domains than those desired.

      pfSense includes some URL/DNS handling such as forwarding and authoritative DNS, so it seems simple enough to have pfSense identify and autofail all attempts to access a list of domains (and their subdomains) by reporting "cannot be found". I can't find a specific discussion but would be interested to know what's involved in adding this functionality, as it seems this function is the sole reason many people add Squid.

    Thanks for any ideas and for a great router!
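The matching rule that "a list of domains (and their subdomains)" implies, as an added example that is not part of the original post and not pfSense code: a name is refused when it equals a listed domain or ends in one on a label boundary. The function names, the one-domain-per-line list format and the sample entries are assumptions made for illustration.

```python
def normalize(name):
    """Lower-case a DNS name and drop surrounding whitespace and the root dot."""
    return name.strip().rstrip(".").lower()

def load_blocklist(text):
    """Parse one domain per line; '#' starts a comment (assumed format)."""
    entries = set()
    for line in text.splitlines():
        domain = normalize(line.split("#", 1)[0])
        if domain:
            entries.add(domain)
    return entries

def blocking_entry(qname, blocklist):
    """Return the entry that covers qname (itself or a parent domain), else None."""
    labels = normalize(qname).split(".")
    # Walk from the full name up towards the TLD, comparing whole labels only,
    # so "badads.example" is never caught by an entry for "ads.example".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def resolve(qname, blocklist):
    """Answer NXDOMAIN ("cannot be found") for blocked names, else pass it on."""
    return "NXDOMAIN" if blocking_entry(qname, blocklist) else "FORWARD"

# Constructed entries using reserved example TLDs.
SAMPLE_BLOCKLIST = load_blocklist("""
ads.example
Tracker.Test.      # case and trailing dot are normalised
""")
```

A plain substring or `endswith` test would over-block look-alike names, which is the same kind of collateral blocking the post attributes to IP blocklists.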



  • For rate limiting, if you have it use another database for authentication, you can set a lockout after the number of failed attempts that pleases you for however long it pleases you.

    On your timeout option, the default is 4 hours; you can change it to longer or shorter under System>User manager>Settings.

    I believe there are other ways to accomplish your other issues as well, I just can't think of them right now.



  • There is rate limiting on the login on 2.0.

    For the others when it gets done or when you do it ;)



  • @ermal:

    There is rate limiting on the login on 2.0.

    @XIII:

    For rate limiting, if you have it use another database for authentication, you can set a lockout after the number of failed attempts that pleases you for however long it pleases you.

    @ermal - I can't find a reference to the login being rate limited, any details of this and how one would change the rates if desired? I'm looking for a setting that says "after X failed GUI login attempts lock the account out for Y minutes".

    @XIII - I don't understand this. If I have "it" (what?) then I can use "another" (which?) database. What I mean is, I don't see anything stopping a brute force attempt to login via the GUI - a usual security precaution even with decent passwords.

    @XIII:

    On your timeout option, the default is 4 hours; you can change it to longer or shorter under System>User manager>Settings.

    I have it set to 10 minutes. The thinking is that if trying to keep an eye on a net traffic issue I might not want to disable normal timeout in settings, where it could be forgotten, just to keep the traffic graph updating. A checkbox under the graph makes sense in the context since navigating away or closing the browser page would automatically re-enable the timeout.

    @ermal:

    For the others when it gets done or when you do it ;)

    Indeed - I'd do it for sure if I had a clue how. Sadly this would mean starting with "bsd for utter non programmers" and working upwards from complete cluelessness to being a security and coding expert - the general principle being don't tamper naively with stuff that plays a security role, because clueless changes inevitably have a high chance to weaken it. Which means I can see the use of these but I'm not able to do a thing about them on a sane timescale. Mentioning them and hoping someone more skilled thinks "those would be useful to lots of people and not too complicated!" is probably the best I can do.



  • There is a rate limit on the login attempts a host can make.
    So it's not based on user but host sending login attempts. It's hardcoded in PHP code to 5 attempts in 15 minutes but do not quote me on that.



  • @ermal:

    There is a rate limit on the login attempts a host can make.
    So it's not based on user but host sending login attempts. It's hardcoded in PHP code to 5 attempts in 15 minutes but do not quote me on that.

    That's the sort of thing I'm looking for. If it were configurable for # attempts and # minutes for future, it would be nice. Also worth adding to the documentation if correct. While it allows multiple clients (which causes the limit to scale) it's not nearly enough for heavy duty brute force to be viable. Thanks. As to the others…? :)
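A per-host limiter with both knobs configurable, as an added example that is not part of the thread and not pfSense's own code. The defaults mirror the "5 attempts in 15 minutes" figure mentioned above, which the poster did not confirm; the class, function names and sample addresses are assumptions. The simulation at the end shows how the number of guesses that reach the password check scales with the number of source hosts.

```python
import time
from collections import deque

class HostLoginLimiter:
    """Sliding-window cap on failed logins, keyed by source host (not by user)."""

    def __init__(self, max_attempts=5, window_seconds=15 * 60, clock=time.monotonic):
        self.max_attempts = max_attempts      # the "X attempts" knob
        self.window = window_seconds          # the "Y minutes" knob, in seconds
        self.clock = clock                    # injectable so tests need no sleeping
        self._failures = {}                   # host -> deque of failure timestamps

    def _recent_failures(self, host, now):
        q = self._failures.get(host)
        if q is None:
            return 0
        while q and now - q[0] >= self.window:
            q.popleft()                       # forget failures older than the window
        if not q:
            del self._failures[host]          # keep the table from growing forever
        return len(q)

    def allowed(self, host):
        return self._recent_failures(host, self.clock()) < self.max_attempts

    def record_failure(self, host):
        now = self.clock()
        self._recent_failures(host, now)
        self._failures.setdefault(host, deque()).append(now)

def attempt_login(limiter, host, password_ok):
    """Return 'locked' before the password is even looked at, else 'ok'/'denied'."""
    if not limiter.allowed(host):
        return "locked"
    if password_ok:
        return "ok"
    limiter.record_failure(host)
    return "denied"

def guesses_checked(hosts, tries_per_host, max_attempts=5, window_seconds=15 * 60):
    """Count wrong guesses that reach the password check, one try per second."""
    now = [0.0]                               # constructed clock for the simulation
    limiter = HostLoginLimiter(max_attempts, window_seconds, clock=lambda: now[0])
    checked = 0
    for host in hosts:                        # constructed sample addresses
        for _ in range(tries_per_host):
            checked += attempt_login(limiter, host, False) == "denied"
            now[0] += 1.0
    return checked
```

With the defaults, one host gets 5 guesses per window and three hosts get 15; a locked host is refused even with the correct password until its failures age out of the window.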

