FogBugz Technical Support

A forum for technical support discussion related to Fogbugz.
The current FogBugz Knowledge Base can be found at http://help.fogcreek.com/fogbugz.


Security: How can we see failed password attempts?

How can I tell if my FB system is being attacked?

(We are on FB 6)

Thanks!
Sam Jones
Sunday, September 6, 2009
Hmmm, it's not in the schema doc, but I'm pretty sure 6.1.46 has a cFailedLogons column in the Person table.  Can you try using that?
Rich Armstrong
Tuesday, September 8, 2009
We can look at that, but that is not sufficient.

The issue is when folks make FB accessible on the internet. Once we make it publicly accessible, it comes under our audit rules. The audit rules (which are imposed on any vendor to a large tech firm) require that we be able to detect attacks on all externally accessible systems.

The normal way this is done (for example, by the web software we make), is for the software to keep a log of all logins and login attempts. Then the host of the software is responsible for keeping the log table secure, but can at least answer the question: Is your system being attacked? Is it being compromised?

Does FB v7 solve this?

Wednesday, September 9, 2009
No. If FogBugz's security levels are not up to your audit requirements, we strongly suggest you keep FogBugz inaccessible to the public.  If this makes FogBugz unusable for you, we certainly understand and will refund any qualifying purchase.  We do not have plans to change FogBugz authentication in the near future.
Rich Armstrong
Wednesday, September 9, 2009
Rich,

I am not looking for a refund.

The audit requirements aren't my requirements. This isn't about me, my company, or what we think. It is about the growing spectre of "compliance" which is imposed by the "larger corporate world."

Any site that comes under PCI level 1, 2 or 3 (and similar regimes) would encounter this issue. (Note that PCI standards are often applied to non-credit-card data. For example, in our case the security of our code is under review. And our FogBugz system contains a lot of discussions (cases) of us implementing security elements. So our FogBugz system is supposed to be as secure as our code.)

That said, I think they have a point.

Say a Fogbugz on Demand user found his account had been accessed by someone else. He comes to you and says "what is going on?"

You would want logs to be able to say "Well, someone from IP XXX started trying to log into your account over the past two weeks, and finally got in five days ago."

It makes a big difference to know things like:

-- The attacker has been logging in for three months, without touching any data, so no one noticed.

vs.

-- The attacker first successfully logged in yesterday.

vs.

-- We review the logs monthly, saw a lot of failed login attempts from IP X on different user accounts, and have blocked that IP address range on the firewall to secure the system.

vs.

-- We have no clue, because there are no logs of failed or successful login attempts.


Note that even forcing access through a VPN does not solve for this issue. If our environment is compromised (e.g. a back door is created anywhere on our internal net), we expect the systems on our internal net to be attacked. Windows itself (and many other systems) log all login attempts.

Our version control system, Perforce, keeps a pretty detailed log (which is picked up by our backup). So if someone accesses it at 3:00 AM when we are asleep and grabs a bunch of code, we can see it in the logs.

I think Subversion can keep detailed logging also (not positive here).

But FB...
Sam Jones
Wednesday, September 9, 2009
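The questions Sam wants a login log to answer (which IP is hammering many accounts, and when an account was first opened from an address that had previously failed against it) are straightforward to answer once such a log exists. The script below is an added example, not FogBugz code and not based on any FogBugz schema; it assumes a hypothetical per-attempt log line of the form `<ISO timestamp> <SUCCESS|FAILURE> user=<name> ip=<address>`, and the log lines in it are constructed for illustration.

```python
"""Audit-log analysis for application logins.

Added example, not FogBugz code. Assumes a hypothetical log format with one
line per attempt:  <ISO timestamp> <SUCCESS|FAILURE> user=<name> ip=<address>
The sample log below is constructed; the addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one address fails against three accounts over several
# nights, then finally succeeds against "alice" from that same address.
SAMPLE_LOG = """\
2009-08-25T02:10:03 FAILURE user=alice ip=203.0.113.7
2009-08-25T02:10:09 FAILURE user=bob ip=203.0.113.7
2009-08-25T02:10:15 FAILURE user=carol ip=203.0.113.7
2009-08-25T08:55:41 SUCCESS user=alice ip=198.51.100.20
2009-08-26T02:12:30 FAILURE user=alice ip=203.0.113.7
2009-08-27T02:14:02 FAILURE user=alice ip=203.0.113.7
2009-08-27T09:01:10 SUCCESS user=bob ip=198.51.100.21
2009-09-04T03:02:55 SUCCESS user=alice ip=203.0.113.7
2009-09-05T09:00:00 SUCCESS user=alice ip=198.51.100.20
"""


def parse_log(text):
    """Parse log lines into dicts with time, outcome, user and ip."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user_kv, ip_kv = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "outcome": outcome,
            "user": user_kv.split("=", 1)[1],
            "ip": ip_kv.split("=", 1)[1],
        })
    return events


def failures_by_ip(events, threshold=5):
    """Return {ip: (failure_count, sorted distinct users targeted)} for
    every source address with at least `threshold` failed attempts.

    This answers "is someone trying many accounts from one address?", the
    monthly-review case that leads to a firewall block."""
    count = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e["outcome"] == "FAILURE":
            count[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    return {ip: (n, sorted(users[ip]))
            for ip, n in count.items() if n >= threshold}


def suspicious_first_success(events, user):
    """For one account, find the first SUCCESS from an address that had
    earlier FAILED against that same account.

    Returns (first_failure_time, first_success_time, ip) or None. This is
    the "started trying two weeks ago and finally got in" question."""
    first_failure = {}  # ip -> time of its first failure against `user`
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["user"] != user:
            continue
        if e["outcome"] == "FAILURE":
            first_failure.setdefault(e["ip"], e["time"])
        elif e["ip"] in first_failure:
            return first_failure[e["ip"]], e["time"], e["ip"]
    return None


def report(events, threshold=5):
    """Human-readable summary of both checks, for a periodic log review."""
    lines = []
    for ip, (n, targets) in sorted(failures_by_ip(events, threshold).items()):
        lines.append(f"{ip}: {n} failed logins against {', '.join(targets)}")
    for user in sorted({e['user'] for e in events}):
        hit = suspicious_first_success(events, user)
        if hit:
            started, got_in, ip = hit
            lines.append(f"{user}: {ip} began failing at {started:%Y-%m-%d %H:%M} "
                         f"and first succeeded at {got_in:%Y-%m-%d %H:%M}")
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

The threshold and the "previously failed from this address" rule are deliberately simple; in practice a review would also compare successful logins against each user's usual addresses and hours, which is exactly why recording successes as well as failures matters.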
This topic is archived. No further replies will be accepted.
