Throttler

class OC\Security\Bruteforce\Throttler

Class Throttler implements the bruteforce protection for security actions in

Nextcloud.

It is working by logging invalid login attempts to the database and slowing

down all login attempts from the same subnet. The max delay is 30 seconds and

the starting delay are 200 milliseconds. (after the first failed login)

This is based on Paragonie’s AirBrake for Airship CMS. You can find the original

code at https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/src/Engine/Security/AirBrake.php

Source:lib/private/Security/Bruteforce/Throttler.php#56

Constants

LOGIN_ACTION = login

Source:lib/private/Security/Bruteforce/Throttler.php#57

MAX_DELAY = 25

Source:lib/private/Security/Bruteforce/Throttler.php#58

MAX_DELAY_MS = 25000

Source:lib/private/Security/Bruteforce/Throttler.php#59

MAX_ATTEMPTS = 10

Source:lib/private/Security/Bruteforce/Throttler.php#60

Properties

Methods

public OC\Security\Bruteforce\Throttler::__construct($db, $timeFactory, $logger, $config)

Source:

lib/private/Security/Bruteforce/Throttler.php#77

Parameters:

• $db (OCP\IDBConnection)
• $timeFactory (OCP\AppFramework\Utility\ITimeFactory)
• $logger (OCP\ILogger)
• $config (OCP\IConfig)

public OC\Security\Bruteforce\Throttler::registerAttempt($action, $ip, $metadata=[])

Register a failed attempt to bruteforce a security control

Source:

lib/private/Security/Bruteforce/Throttler.php#119

Parameters:

• $action (string)
• $ip (string)
• $metadata (array) Optional metadata logged to the database

public OC\Security\Bruteforce\Throttler::getAttempts($ip, $action="", $maxAgeHours=12)

Get the throttling delay (in milliseconds)

Source:

lib/private/Security/Bruteforce/Throttler.php#228

Parameters:

• $ip (string)
• $action (string) optionally filter by action
• $maxAgeHours (float)

Returns:

int

public OC\Security\Bruteforce\Throttler::getDelay($ip, $action="")

Get the throttling delay (in milliseconds)

Source:

lib/private/Security/Bruteforce/Throttler.php#269

Parameters:

• $ip (string)
• $action (string) optionally filter by action

Returns:

int

public OC\Security\Bruteforce\Throttler::resetDelay($ip, $action, $metadata)

Reset the throttling delay for an IP address, action and metadata

Source:

lib/private/Security/Bruteforce/Throttler.php#295

Parameters:

• $ip (string)
• $action (string)
• $metadata (array)

public OC\Security\Bruteforce\Throttler::resetDelayForIP($ip)

Reset the throttling delay for an IP address

Source:

lib/private/Security/Bruteforce/Throttler.php#318

Parameters:

• $ip (string)

public OC\Security\Bruteforce\Throttler::sleepDelay($ip, $action="")

Will sleep for the defined amount of time

Source:

lib/private/Security/Bruteforce/Throttler.php#336

Parameters:

• $ip (string)
• $action (string) optionally filter by action

Returns:

int the time spent sleeping

public OC\Security\Bruteforce\Throttler::sleepDelayOrThrowOnMax($ip, $action="")

Will sleep for the defined amount of time unless maximum was reached in the last 30 minutes

In this case a “429 Too Many Request” exception is thrown

Source:

lib/private/Security/Bruteforce/Throttler.php#351

Parameters:

• $ip (string)
• $action (string) optionally filter by action

Returns:

int the time spent sleeping

Throws:

\OCP\Security\Bruteforce\MaxDelayReached when reached the maximum