yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-10-13 08:25:06 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add brute force protection to authentication system

Browse source 
- Implemented IP-based blocking after 3 failed login attempts, with a 1-minute lockout period.
- Enhanced login handler to check for blocked IPs and record failed attempts.
- Added tests for brute force protection and successful login clearing failed attempts.
- Updated README and example configuration to document new security features.
This commit is contained in:
Andy Oknen 2025-07-30 09:19:05 +00:00
parent 113dcbb72a
commit a984fba30d
5 changed files with 309 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/webui/README.md
View file

@ -9,6 +9,7 @@ This module provides a web interface for managing Yggdrasil node through a brows
- ✅ Development and production build modes
- ✅ Custom session-based authentication
- ✅ Beautiful login page (password-only)
- ✅ **Brute force protection** with IP blocking
- ✅ Session management with automatic cleanup
- ✅ IPv4 and IPv6 support
- ✅ Path traversal attack protection
@ -90,6 +91,10 @@ server.Stop()
- Custom session-based authentication (password protection)
- HttpOnly and Secure cookies
- Session expiration (24 hours)
- **Brute force protection**: IP blocking after 3 failed attempts
- **Temporary lockout**: 1-minute timeout for blocked IPs
- Automatic cleanup of expired blocks and sessions
- Real IP detection (supports X-Forwarded-For, X-Real-IP headers)
- Health check endpoint always accessible without authentication
## Testing