As operators, we want to prevent any brute force attack on SonarQube.com.
With SonarQube 6.0, we can now detect when there are many 401 responses on login coming from the same IP.
We have several technical ways to protect SonarQube.com:
- Using online services such as https://www.cloudflare.com/waf/ or https://www.webranger.io/how-to-block-using-webranger-cloud-waf-cdn/
  - This requires a PoC (there is no free plan to test those features) to check that they do not block scanners
  - This brings additional security (out of scope of this MMF)
- Using InfluxDB + Kapacitor + fail2ban:
  - Not easy, since we would have to transfer information from Kapacitor to the web front-end
  - The user will not be able to see anything except that the site is not available (the IP is blocked before the request reaches the website)
- Using mod_security (https://github.com/SpiderLabs/ModSecurity), which protects directly at the httpd front (example: http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/):
  - A better error message can be displayed
  - We should add a notification with Logstash + Kapacitor when an IP is blocked (to be warned about this)
  - We should also add a notification from SonarQube log information in order to investigate issues
From our point of view the best solution is to use mod_security to protect the login page.
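As an added illustration of that choice (this is example configuration, not rules from the MMF or from SonarSource), the following ModSecurity 2.x rules count 401 responses per client IP on the login endpoint and then answer further login attempts from that IP with an explicit error instead of silently dropping them. It assumes the login endpoint path is /api/authentication/login, that SecDataDir is writable, and that REMOTE_ADDR is the real client address (no CDN or proxy in front); the thresholds are placeholders.

```apache
# Added example, not part of the MMF. Assumed: login endpoint is
# /api/authentication/login; REMOTE_ADDR is the real client IP.
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# Phase 1: open (or create) the persistent collection keyed by client IP.
SecAction "phase:1,id:100001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: an IP that is already flagged gets a clear 429 answer
# (the "better error message" advantage over blocking at the firewall).
SecRule IP:LOGIN_BLOCKED "@eq 1" \
    "phase:1,id:100002,deny,status:429,log,msg:'Login temporarily blocked: too many failed attempts from this IP'"

# Phase 5 (logging, once the response status is known): on the login
# endpoint, count each 401 returned by SonarQube. The counter expires
# 10 minutes after the last failure (sliding window).
SecRule REQUEST_URI "@beginsWith /api/authentication/login" \
    "phase:5,id:100003,chain,nolog,pass"
    SecRule RESPONSE_STATUS "@eq 401" \
        "setvar:ip.login_failures=+1,expirevar:ip.login_failures=600"

# Phase 5: more than 5 failures inside the window flags the IP for
# 15 minutes and writes an audit-log entry, which Logstash can pick up
# for the "IP blocked" notification mentioned above.
SecRule IP:LOGIN_FAILURES "@gt 5" \
    "phase:5,id:100004,pass,log,auditlog,msg:'Brute force on SonarQube login detected',setvar:ip.login_blocked=1,expirevar:ip.login_blocked=900,setvar:ip.login_failures=0"
```

Scanner and CI traffic never hits this endpoint with bad credentials repeatedly, so the rules do not interfere with analysis; pair the 429 with an ErrorDocument so the user sees why the login was refused.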
OAuth can also be attacked, so we must check that the OAuth implementation is not affected by classic attacks (https://www.sans.org/reading-room/whitepapers/application/attacks-oauth-secure-oauth-implementation-33644), but this is out of the scope of this MMF.
With MMF-366, we will be able to have more fine-grained detection.