From e204554057d0607c8a29a379b6cb8c75dbb60422 Mon Sep 17 00:00:00 2001 From: astrachan Date: Fri, 19 Jul 2019 12:15:23 +1000 Subject: Update root default email address to current value --- doc/security/reset_root_password.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/security') diff --git a/doc/security/reset_root_password.md b/doc/security/reset_root_password.md index 6a6c5262179..ec360e2d338 100644 --- a/doc/security/reset_root_password.md +++ b/doc/security/reset_root_password.md @@ -23,7 +23,7 @@ user = User.where(id: 1).first or ```bash -user = User.find_by(email: 'admin@local.host') +user = User.find_by(email: 'admin@example.com') ``` Now you can change your password: -- cgit v1.2.1 From 7cfbeaac506b346f65f0549770f59c127ca1b6db Mon Sep 17 00:00:00 2001 From: Michael Kozono Date: Fri, 2 Aug 2019 02:41:52 +0000 Subject: Add rate limit docs --- doc/security/README.md | 2 +- doc/security/rack_attack.md | 77 ++++++++++++++++++++++++++++++++++++++------- doc/security/rate_limits.md | 32 +++++++++++++++++++ 3 files changed, 99 insertions(+), 12 deletions(-) create mode 100644 doc/security/rate_limits.md (limited to 'doc/security') diff --git a/doc/security/README.md b/doc/security/README.md index c48d5bc2065..5d498ac7602 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -7,7 +7,7 @@ type: index - [Password length limits](password_length_limits.md) - [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) -- [Rack attack](rack_attack.md) +- [Rate limits](rate_limits.md) - [Webhooks and insecure internal web services](webhooks.md) - [Information exclusivity](information_exclusivity.md) - [Reset your root password](reset_root_password.md) diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index 1e5678ec47c..c772f783f71 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -2,7 +2,9 @@ type: reference, howto --- -# Rack Attack +# Rack Attack initializer + +## Overview [Rack Attack](https://github.com/kickstarter/rack-attack), also known as Rack::Attack, is a Ruby gem that is meant to protect GitLab with the ability to customize throttling and @@ -14,19 +16,72 @@ If you find throttling is not enough to protect you against abusive clients, Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering, and tracking. -**Note:** Starting with 11.2, Rack Attack is disabled by default. To continue -using Rack Attack, please enable it by [configuring `gitlab.rb` as described in Settings](#settings). +For more information on how to use these options see the [Rack Attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). + +NOTE: **Note:** See +[User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md) +for simpler throttles that are configured in UI. + +NOTE: **Note:** Starting with 11.2, Rack Attack is disabled by default. If your +instance is not exposed to the public internet, it is recommended that you leave +Rack Attack disabled. + +## Behavior + +If set up as described in the [Settings](#settings) section below, two behaviors +will be enabled: + +- Protected paths will be throttled +- Failed authentications for Git and container registry requests will trigger a temporary IP ban + +### Protected paths throttle + +GitLab responds with HTTP status code 429 to POST requests at protected paths +over 10 requests per minute per IP address. + +By default, protected paths are: + +```ruby +default['gitlab']['gitlab-rails']['rack_attack_protected_paths'] = [ + '/users/password', + '/users/sign_in', + '/api/#{API::API.version}/session.json', + '/api/#{API::API.version}/session', + '/users', + '/users/confirmation', + '/unsubscribes/', + '/import/github/personal_access_token' +] +``` + +This header is included in responses to blocked requests: + +``` +Retry-After: 60 +``` + +For example, the following are limited to a maximum 10 requests per minute: + +- user sign-in +- user sign-up (if enabled) +- user password reset + +After trying for 10 times, the client will +have to wait a minute before to be able to try again. + +### Git and container registry failed authentication ban + +GitLab responds with HTTP status code 403 for 1 hour, if 30 failed +authentication requests were received in a 3-minute period from a single IP address. -By default, user sign-in, user sign-up (if enabled), and user password reset is -limited to 6 requests per minute. After trying for 6 times, the client will -have to wait for the next minute to be able to try again. +This applies only to Git requests and container registry (`/jwt/auth`) requests +(combined). -If you installed or upgraded GitLab by following the [official guides](../install/README.md), -Rack Attack should be disabled by default. If your instance is not exposed to any incoming -connections, it is recommended that you leave Rack Attack disabled. +This limit is reset by requests that authenticate successfully. For example, 29 +failed authentication requests followed by 1 successful request, followed by 29 +more failed authentication requests would not trigger a ban. -For more information on how to use these options check out -[rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). +No response headers are provided. ## Settings diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md new file mode 100644 index 00000000000..0e5bdcd9c79 --- /dev/null +++ b/doc/security/rate_limits.md @@ -0,0 +1,32 @@ +--- +type: reference, howto +--- + +# Rate limits + +NOTE: **Note:** +For GitLab.com, please see +[GitLab.com-specific rate limits](../user/gitlab_com/index.md#gitlabcom-specific-rate-limits). + +Rate limiting is a common technique used to improve the security and durability +of a web application. + +For example, a simple script can make thousands of web requests per second. +Whether malicious, apathetic, or just a bug, your application and infrastructure +may not be able to cope with the load. For more details, see +[Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack). +Most cases can be mitigated by limiting the rate of requests from a single IP address. + +Most [brute-force attacks](https://en.wikipedia.org/wiki/Brute-force_attack) are +similarly mitigated by a rate limit. + +## Admin Area settings + +See +[User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md). + +## Rack Attack initializer + +This method of rate limiting is cumbersome, but has some advantages. It allows +throttling of specific paths, and is also integrated into Git and container +registry requests. See [Rack Attack initializer](rack_attack.md). -- cgit v1.2.1 From ac7661924eebd6eb0fa72848e2b4bf4391ebf113 Mon Sep 17 00:00:00 2001 From: George Koltsov Date: Fri, 26 Jul 2019 14:03:06 +0100 Subject: Update security/webhooks.md doc page & specs Updating security/webhooks.md to match new behaviour as well as drying up few specs to extract shared examples --- doc/security/img/outbound_requests_section_v2.png | Bin 0 -> 21108 bytes doc/security/webhooks.md | 8 ++++---- 2 files changed, 4 insertions(+), 4 deletions(-) create mode 100644 doc/security/img/outbound_requests_section_v2.png (limited to 'doc/security') diff --git a/doc/security/img/outbound_requests_section_v2.png b/doc/security/img/outbound_requests_section_v2.png new file mode 100644 index 00000000000..4fd3c7d9fce Binary files /dev/null and b/doc/security/img/outbound_requests_section_v2.png differ diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md index 1194234a295..401df02e5c3 100644 --- a/doc/security/webhooks.md +++ b/doc/security/webhooks.md @@ -34,15 +34,15 @@ to 127.0.0.1, ::1 and 0.0.0.0, as well as IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 site-local (ffc0::/10) addresses won't be allowed. This behavior can be overridden by enabling the option *"Allow requests to the -local network from hooks and services"* in the *"Outbound requests"* section +local network from web hooks and services"* in the *"Outbound requests"* section inside the Admin area under **Settings** (`/admin/application_settings/network`): -![Outbound requests admin settings](img/outbound_requests_section.png) +![Outbound requests admin settings](img/outbound_requests_section_v2.png) >**Note:** -*System hooks* are exempt from this protection because they are set up by -admins. +*System hooks* are enabled to make requests to local network by default since they are set up by admins. +However, it can be turned off by disabling *"Allow requests to the local network from system hooks"* option.