Page MenuHomeMiraheze

Monitor LoginNotify & failed logins
Open, LowPublic

Description

We should setup alerts so if failed logins rise above a certain level, we know.

Event Timeline

RhinosF1 triaged this task as High priority.Feb 25 2022, 13:37
RhinosF1 created this task.
Reception123 lowered the priority of this task from High to Normal.Mar 1 2022, 14:53

Moving to normal priority since I'm not sure why after all these years it would suddenly be urgent to do this. Second, since there has been no work done on this since Friday it would indicate that it's not that urgent. If there is a rationale for why we need this quickly, feel free to change the status back.

From my perspective, as a Trust and Safety Responder, we have two-factor authentication required. We have strong passwords required. We have LoginNotify to notify us of such things. It's doing its job. I'm not sure there's much more we need to be doing. @Reception123, do you think we should maybe decline this for now, or perhaps lower to low priority?

@Dmehus: I meant this from a perspective of if we suddenly get a rise in alerts to users then we as SRE can see and respond in partnership with mainly T&S

@Dmehus: I meant this from a perspective of if we suddenly get a rise in alerts to users then we as SRE can see and respond in partnership with mainly T&S

@RhinosF1 Okay, fair, but how were you envisioning Trust and Safety would respond to a rise in failed logins? If you just mean SRE blocking access requests at the Varnish level, that's fine and within their scope. But as to any Trust and Safety-level involvement, I'm not sure we really need to do anything about failed logins. I suppose SRE could pass information from the Varnish server access logs to the Trust and Safety team to try and narrow down a responsible party, but then again, they're failed logins. If it's like some sort of mass scale of dictionary password attacks, then it's unlikely, I would say, to be a current Miraheze user, so the best level of involvement as by SRE at the Varnish level

@Dmehus: It would depend massively on exactly what happened but T&S are responsible for any long term action against anyone. We only take measures as SRE to ensure immediate site stability.

@Dmehus: It would depend massively on exactly what happened but T&S are responsible for any long term action against anyone. We only take measures as SRE to ensure immediate site stability.

That's true. Trust and Safety would have to be engaged in terms of long-term Varnish-level bans of IP ranges, certainly,

I suppose it's a concern, but from my perspective, I would consider it to be relative low priority so as not to derail or sidetrack focus from other tasks. T8065 seems to be a higher priority from T&S perspective.

Reception123 lowered the priority of this task from Normal to Low.Mar 17 2022, 06:00

For the same reasons in T8835#180967 moving to low