PaperCut 18.3 introduced a security enhancement that rate limits authentication attempts, in line with OWASP recommendations. This hardens deployments against password brute-force attacks by failing authentication requests once the number of incorrect login attempts exceeds the limit.
The rate limits apply to built-in admin users and to all internal users managed by the server. For users external to the server, such as those from an external user source, authentication is delegated to that source, and any rate limiting should be configured there.
The limits apply across all of the server's login interfaces and APIs and are enforced per client IP. The default limit is 20 incorrect logins per 60 seconds per IP, which can be changed via the user.security.ip-rate-limit-per-min config key. Any change to this key's value is only applied once the PaperCut Application Server service has been restarted, because the value is read only when the server starts up. Admins are alerted to the limit being activated via an application log message.
Migration note: previously client.api.security.rate-limit.enabled was used to control this functionality in the client. That key is now deprecated, and the functionality is controlled via user.security.ip-rate-limit-per-min. If the feature was previously disabled, it will be re-enabled by virtue of the new config key, so the new key will need to be set to a negative value to disable it, remembering to then restart the PaperCut Application Server service.
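The behaviour described above (per-IP window, default of 20 incorrect logins per 60 seconds, negative value disables, admin alert on activation) modelled as an added Python example; this is not PaperCut's code, and the config dict and `alerts` list are assumed stand-ins for the server's configuration store and application log:

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # the article's 60-second window
DEFAULT_LIMIT = 20       # the article's default of 20 incorrect logins per IP
CONFIG_KEY = "user.security.ip-rate-limit-per-min"


class FailedLoginRateLimiter:
    """Per-client-IP sliding-window limiter with the semantics the article describes."""

    def __init__(self, config):
        # Read once at construction, mirroring a value that is only interpreted at
        # server start-up; a negative value disables the limiter entirely.
        self.limit = int(config.get(CONFIG_KEY, DEFAULT_LIMIT))
        self._failures = defaultdict(deque)   # ip -> timestamps of incorrect logins
        self._alerted = set()                 # IPs already reported in the log
        self.alerts = []                      # stands in for the application log (assumption)

    def _recent_failures(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] >= WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        return q

    def authenticate(self, ip, password_ok, now):
        """Return True if the login is accepted, False if it fails."""
        if self.limit < 0:
            return password_ok                    # limiter disabled by negative value
        recent = self._recent_failures(ip, now)
        if len(recent) >= self.limit:
            # Limit reached: fail the request even if the credentials are correct and
            # alert admins. Assumed: one alert per IP, and rejected requests are not
            # themselves counted as incorrect logins.
            if ip not in self._alerted:
                self._alerted.add(ip)
                self.alerts.append(f"Login rate limit activated for client IP {ip}")
            return False
        if not password_ok:
            recent.append(now)                    # only incorrect logins count
            return False
        return True
```

Timestamps are passed in explicitly so the window behaviour can be exercised without waiting; a real server would use the current time.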