IBM Support

Prevent Vault from Brute Force Attack - User Lockout

Troubleshooting


Problem

Introduction

User Lockout is a new feature added in Vault 1.13.0 designed to prevent brute forcing of credentials across three initial auth methods: UserPass, LDAP, and AppRole. If a user provides incorrect credentials several times in a row, Vault stops trying to validate their credentials for a predefined period of time and instead returns a permission denied error.


Configuration

The user lockout feature is enabled by default with Vault 1.13.0.  The following are the available parameters with default values for this feature:

Parameter Name                         Type and Default   Description
-------------------------------------  -----------------  ---------------------------------------------------------------------
-user-lockout-threshold                string: "5"        The number of failed login attempts before the user is locked out.
-user-lockout-duration                 string: "15m"      Specifies how long a user will be locked out for.
-user-lockout-counter-reset-duration   string: "15m"      Specifies the time after which the lockout counter is reset if no failed login attempts have occurred.
-user-lockout-disable                  bool: false        If set to true, disables the user lockout feature.

Let's understand the parameters defined above with scenarios:

Assume we define a user lockout threshold of 5, a lockout duration of 10 minutes and a lockout counter reset of 15 minutes.

Scenario 1: Assume we have 4 failed logins and the user attempts another failed login (the 5th attempt). The user will be locked out for 10 minutes. After this 10-minute lockout duration, the user will be unlocked and will be able to log in.

Scenario 2: Consider that we've had four failed logins and the user hasn't attempted to log in for 15 minutes. The user's lockout counter is reset in this case. The lockout counter is reset only for unlocked users, not for locked users.

#By default the user lockout parameters are not shown in the tune output until we change one of them
root@vaults0:/home/vagrant# vault read sys/auth/userpass/tune
#Key Value
#--- -----
#default_lease_ttl 768h
#description n/a
#force_no_cache false
#max_lease_ttl 768h
#token_type default-service

#Let's explicitly set the -user-lockout-disable parameter to false (which is already its default)
root@vaults0:/home/vagrant# vault auth tune -user-lockout-disable=false /userpass
#Success! Tuned the auth method at: userpass/

#The user lockout parameters are now shown; 0s / 0 means the defaults listed above apply until we set these values ourselves
root@vaults0:/home/vagrant# vault read sys/auth/userpass/tune
#Key Value
#--- -----
#default_lease_ttl 768h
#description n/a
#force_no_cache false
#max_lease_ttl 768h
#token_type default-service
#user_lockout_counter_reset_duration 0s
#user_lockout_disable false
#user_lockout_duration 0s
#user_lockout_threshold 0


The following is the order of precedence for user lockout configuration:

Configuration for an auth mount using tune >> Configuration for an auth method in config file >> Configuration for "all" auth methods in config file >> Default values.

The precedence for disabling user lockout is as follows:

Disable using environment variable VAULT_DISABLE_USER_LOCKOUT >> Configuration for an auth mount using tune >> Configuration for an auth method in config file >> Configuration for "all" auth methods in config file >> Default values.
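The two precedence chains above, as an added resolver that merges the layers for one auth mount (constructed example, not Vault's own code; the dict shapes and function names are assumptions, and 0 / 0s in the tune layer is treated as "not set", matching the tune output shown earlier):

```python
"""Resolve effective user lockout settings for one auth mount. Constructed example."""
import os

# Defaults from the parameter table above, keyed as in `vault read sys/auth/<mount>/tune`.
DEFAULTS = {
    "user_lockout_threshold": 5,
    "user_lockout_duration": "15m",
    "user_lockout_counter_reset_duration": "15m",
    "user_lockout_disable": False,
}


def _is_set(value) -> bool:
    # In the tune output, 0 / 0s means the value was never set on this mount.
    if isinstance(value, bool):
        return True
    return value not in (None, 0, "0", "0s")


def effective_lockout(mount_tune: dict, method_config: dict, all_config: dict, env=None) -> dict:
    """tune >> auth method config >> "all" config >> defaults; env var outranks all for disable."""
    env = os.environ if env is None else env
    resolved = {}
    for key, default in DEFAULTS.items():
        for layer in (mount_tune, method_config, all_config):
            if key in layer and _is_set(layer[key]):
                resolved[key] = layer[key]   # first layer that sets the key wins
                break
        else:
            resolved[key] = default
    # VAULT_DISABLE_USER_LOCKOUT disables lockout regardless of any other layer.
    if str(env.get("VAULT_DISABLE_USER_LOCKOUT", "")).lower() == "true":
        resolved["user_lockout_disable"] = True
    return resolved
```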

#Disable the user lockout feature for all three auth methods (Userpass, LDAP, AppRole) by
#exporting the environment variable

root@vaults0:/home/vagrant# export VAULT_DISABLE_USER_LOCKOUT="true"

#To disable it for a single auth method (type: userpass, approle, ldap), tune that mount with -user-lockout-disable="true"
root@vaults0:/home/vagrant# vault auth tune -user-lockout-disable="true" /userpass
#Success! Tuned the auth method at: userpass/


How to list the Locked Users:

We can list the locked users from the CLI and the API. The commands return the locked users from the current namespace as well as from all of its child namespaces.

#We can list the locked users from the CLI and via the API
#CLI command
#The command below lists the locked users from the current namespace and all of its child namespaces, for every auth mount accessor
vault read /sys/locked-users

#The command below lists the locked users for a specific mount accessor only
vault read /sys/locked-users mount_accessor=$auth_mount_accessor

#Equivalent API calls for the above CLI commands
curl --header "X-Vault-Token: $VAULT_TOKEN" -H "X-Vault-Namespace: root/" --request GET http://localhost:8200/v1/sys/locked-users | jq
curl --header "X-Vault-Token: $VAULT_TOKEN" -H "X-Vault-Namespace: root/" --request GET http://localhost:8200/v1/sys/locked-users?mount_accessor=auth_userpass_16ec4b33 | jq


How to unlock the Locked Users:

We can unlock users via the CLI and the API. To unlock a user we have to provide the mount_accessor and the alias_identifier in the command. The command is idempotent, which means it can be executed even if the user with the specified mount_accessor and alias_identifier is not locked.

Auth Method   alias_identifier
-----------   ----------------
UserPass      username
LDAP          username
AppRole       role_id


#Commands to unlock the users
#CLI command (mount_accessor and alias_identifier are shell variables set by you; a hyphen is not valid in a variable name)
vault write -force /sys/locked-users/$mount_accessor/unlock/$alias_identifier

#Equivalent API call for the above CLI command
curl --header "X-Vault-Token: $VAULT_TOKEN" --header "X-Vault-Namespace: root/" --request POST http://localhost:8200/v1/sys/locked-users/$mount_accessor/unlock/$alias_identifier


Errors returned before and after a user is locked (as seen in the audit log)

Auth Method   Inputs               Alias_identifier   Error Returned
-----------   -------------------  ----------------   ------------------------------------------------------------------------------------------------------
AppRole       role_id, secret_id   role_id            Until the user threshold is reached: invalid secret_id, http error code: 500
                                                      Once the user is locked: * permission denied, http error code: 403
LDAP          username, password   username           Until the user threshold is reached: ldap bind failed, ldap operation failed, error="LDAP Result Code 49 \"Invalid Credentials\" (in operational logs), http code: 204 No Content
                                                      Once the user is locked: * permission denied, http error code: 403
Userpass      username, password   username           Until the user threshold is reached: * invalid username or password, http error code: 500
                                                      Once the user is locked: * permission denied, http error code: 403



Document Location

Worldwide


Historical Number

16772116543507

Document Information

Modified date:
16 March 2026

UID

ibm17264338