[BUG] - 2FA about rustdesk-server-pro HOT 19 OPEN

And when user enter wrong pass, we have no alarm/alert and no log.

The alarm / alert is for RustDesk connection login.

https://github.com/rustdesk/rustdesk/blob/0020a370298130476fbde6996a13ddef7dbacaf0/src/server/connection.rs#L832

https://github.com/rustdesk/rustdesk/blob/0020a370298130476fbde6996a13ddef7dbacaf0/src/server/connection.rs#L1457

Yes, you are right, we should add this for web console login also. But we need to invesitgate first, I have never seen any website warn me via email after entering wrong password. Though alarm like loggin in different city is common.
@21pages

from rustdesk-server-pro.

@Apashh Thanks a lot, We reproduced the issue, we will fix soon.

from rustdesk-server-pro.

In this current release, client message box can pop up, but web console alarm log can't show, but it has been fixed, web console log will show in next release

from rustdesk-server-pro.

@Apashh can you invite me? and let me try. [email protected]

Or create an account for me, send to above mail.

from rustdesk-server-pro.

Infos send ! ;)

from rustdesk-server-pro.

Just tested, worked for me

• logged in with the usernane and password
• turned on email verification
• log out
• enter in username and password again
• enter verficaition code
• logged in

from rustdesk-server-pro.

Hm ok ! ;)
But i have tested this and if i want to connect on device with multiple wrong password i have no log/alarm...
What i'm doing wrong ?

from rustdesk-server-pro.

It only alarms after reaching the time as below.

https://github.com/rustdesk/rustdesk/blob/0020a370298130476fbde6996a13ddef7dbacaf0/src/server/connection.rs#L1457

from rustdesk-server-pro.

if failure.2 > 30 {
                    self.send_login_error("Too many wrong password attempts")
                        .await;
                    Self::post_alarm_audit(
                        AlarmAuditType::ManyWrongPassword,
                        json!({
                                    "ip":self.ip,
                        }),
                    );
                } else if time == failure.0 && failure.1 > 6 {
                    self.send_login_error("Please try 1 minute later").await;
                    Self::post_alarm_audit(
                        AlarmAuditType::FrequentAttempt,
                        json!({
                                    "ip":self.ip,
                        }),
                    );

I have this messages :

But no log

And never this : self.send_login_error("Too many wrong password attempts")

from rustdesk-server-pro.

@21pages verify this please.

from rustdesk-server-pro.

And never this : self.send_login_error("Too many wrong password attempts")

You need to make sure this controlled machine can access API server. #21 (comment)
Anyhow, @21pages will verify it. I did do not test this for long.

from rustdesk-server-pro.

self.send_login_error("Too many wrong password attempts")

More than 30 times

from rustdesk-server-pro.

And never this : self.send_login_error("Too many wrong password attempts")

You need to make sure this controlled machine can access API server. #21 (comment)

@Apashh can you confirm this? @21pages said he can get 3 alarms as above pic.

from rustdesk-server-pro.

I have 2/3 message :

this first (no log but its ok) :

after multiple test (but no log here, bug ?) :

after +50 test, no message indicate "Your IP is blocked by the peer"

from rustdesk-server-pro.

Set ip whiltelisting

from rustdesk-server-pro.

Hm i have the message :

But again no log...
It will be interesting to block IP auto after multiple attempt.

For example in web console we can edit the number of attempt password and how long ip will be block

from rustdesk-server-pro.

I installed 1.1.10 version and I tryied on client side with 50 bad login attempt ... no entry into alarm log.

from rustdesk-server-pro.

#70 (comment)

from rustdesk-server-pro.

from rustdesk-server-pro.