Skip to content

ENT-14161: Limit RPC login attempts #8033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adelel1 merged 14 commits into from
Dec 23, 2025
Merged

ENT-14161: Limit RPC login attempts #8033

adelel1 merged 14 commits into from
Dec 23, 2025

Conversation

@jakubzadroga
Copy link
Contributor

@jakubzadroga jakubzadroga commented Nov 13, 2025
edited
Loading

Added optional RPC authentication rate-limiting to protect nodes from brute-force or dictionary attacks. When enabled, repeated failed logins trigger an exponential backoff, temporarily blocking further attempts. All parameters — base delay, maximum delay, and attempt expiry — are fully configurable programmatically and via node.conf, while the default behaviour remains unchanged (no rate limiting unless explicitly enabled).

PR Checklist:

  • Have you run the unit, integration and smoke tests as described here?
  • If you added public APIs, did you write the JavaDocs/kdocs?
  • If the changes are of interest to application developers, have you added them to the changelog, and potentially the release notes (https://docs.r3.com/release-notes.html)?
  • If you are contributing for the first time, please read the contributor agreement now and add a comment to this pull request stating that your PR is in accordance with the Developer's Certificate of Origin.

Thanks for your code, it's appreciated! :)

@jakubzadroga jakubzadroga marked this pull request as draft November 13, 2025 16:09
@jakubzadroga jakubzadroga changed the title ENT-14229: Limit RPC login attempts ENT-14161: Limit RPC login attempts Nov 13, 2025
@jakubzadroga jakubzadroga marked this pull request as ready for review November 17, 2025 12:20
rick-r3
rick-r3 reviewed Dec 9, 2025
View reviewed changes
@jakubzadroga jakubzadroga requested a review from rick-r3 December 18, 2025 11:54
rick-r3
rick-r3 reviewed Dec 18, 2025
View reviewed changes
Copy link
Contributor

@rick-r3 rick-r3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the algorithm and implementation is now basically right. Just made some detailed comments on the code now.

@jakubzadroga jakubzadroga requested a review from rick-r3 December 18, 2025 16:00
adelel1
adelel1 reviewed Dec 23, 2025
View reviewed changes
...src/main/kotlin/net/corda/node/services/messaging/RateLimitingActiveMQJAASSecurityManager.kt
Comment on lines +68 to +69
log.warn(printWarnMessage(user, remaining))
throw FailedLoginException(printWarnMessage(user, remaining))
Copy link
Collaborator

@adelel1 adelel1 Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a comment, if these logs turn out to be an issue. Then log4j2.xml can be used to filter them out if needed.

@adelel1 adelel1 merged commit 4daad7b into release/os/4.11 Dec 23, 2025
5 checks passed
@adelel1 adelel1 deleted the jzadroga/ent-14229/limit-rpc-access-attempts branch December 23, 2025 11:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rick-r3 rick-r3 rick-r3 approved these changes

@adelel1 adelel1 adelel1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jakubzadroga @rick-r3 @adelel1