gatekeeper

command module

v0.1.3 Latest Latest Go to latest Published: Nov 21, 2021 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/maypok86/gatekeeper

Links

Open Source Insights

README ¶

Gatekeeper

General description

The service is designed to combat password brute-forcing during authorization in any system. The service is called before the user is authorized and can either allow or block the attempt. It is assumed that the service is used only for server-server, i.e. it is hidden from the end user.

Project architecture

Algorithm of work

The service limits the frequency of authorization attempts for different combinations of parameters, for example:

no more than RATE_LOGIN = 10 attempts per minute for this login.
no more than RATE_PASSWORD = 100 attempts per minute for a given password (protection against reverse brute-force).
no more than RATE_IP = 1000 attempts per minute for a given IP (a large number, because NAT).

White/black lists contain lists of network addresses, which are handled in a simpler way. If incoming ip is in whitelist - service unconditionally allows authorization (ok=true), if in blacklist - rejects (ok=false).

It uses time/rate package, which implements the token bucket algorithm.

Description of API methods

Authorization attempt

Request:

login
password
ip

Response:

ok (true/false) - the service should return ok=true if it thinks the request is normal and ok=false if the request is brute-force.

login

Must clear the bucket(s) corresponding to the passed login.

Reset bucket by IP

ip

Must clear the bucket(s) corresponding to the passed ip.

Add IP to blacklist

subnet (ip + mask)

Remove IP from blacklist

subnet (ip + mask)

Add IP to whitelist

subnet (ip + mask)

Remove IP from whitelist

subnet (ip + mask)

Command-Line interface

A command-line interface for manual administration of the service is developed. The CLI allows you to reset the bucket and manage the whitelist/blacklist. The CLI works through GRPC interface.

Configuration

For the service configuration are used environment variables:

RATE_LOGIN - number of login attempts per minute, default value: 10
RATE_PASSWORD - number of authorization attempts per minute for password, default value: 100
RATE_IP - number of authorization attempts per minute for IP, default value: 1000
HOST - host on which the service will run, default value: 0.0.0.0
PORT - port on which the service will run, default value: 50051
LOGGER_LEVEL - logging level, possible values: DEBUG, INFO, WARN, ERRORS, PANIC, DPANIC, FATAL, default value: INFO
LOGGER_FILE - the name of the file that will be logged, default value: develop.log

For configuration, it is advisable to use the file .env in the root of the project.

Deployment

To start or stop the service, run the commands in the project directory:

make up - start the service
make down - stop the service

Testing

The service is covered by unit tests.
There are integration tests - as part of the test, the server rises and the logic of work is tested.

Monitoring

When you start a build in docker prometheus comes up To access prometheus you need to go to: http://localhost:9090. View status: http://localhost:9090/targets