Suggestion regarding authentication

Jörg Dommaschk j.dommaschk at instar.com
Thu Sep 29 22:22:34 PDT 2022


Hello, 

I was trying to add some brute force protection to my live555-based RTSP server, but I realised that this cannot be easily done (unless I am overlooking something - please let me know if I do), so I would like to suggest a small change: 

In the RTSPServer class, there are 2 functions, specialClientAccessCheck and specialClientUserAccessCheck, that are called in RTSPServer::RTSPClientConnection::authenticationOK. The first one is called right at the beginning to enforce some global restrictions, e.g. based on IP address, and the second one is called when authentication was successful to apply some additional restrictions based on the user. I would like to propose a third function, say specialFailedLoginCheck (feel free to choose a different name if you don't like this one), that would be called if a login attempt failed. So in RTSPServer::RTSPClientConnection::authenticationOK it would look like this: 

    if (success) {
      // nothing changes here
    }
    else if (!fOurRTSPServer.specialFailedLoginCheck(fClientInputSocket, fClientAddr, urlSuffix, username)) {
      setRTSPResponse("401 Unauthorized");
      delete[] (char*)username;
      return False;
    }

The idea then is that in specialFailedLoginCheck one could count how many false attempts there were for some IP address and act upon this, e.g. by locking this IP address out for some time with specialClientAccessCheck or whatever the user of the library thinks makes sense for their RTSP server. (The default implementation of specialFailedLoginCheck just returns True.)

Best regards, 
Jay 
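
The per-IP counting and timed lockout described in the message above, as an added example that is not part of the original post and is not live555 code. FailedLoginTracker, its methods and its thresholds are hypothetical; a server subclass would call recordFailure() from the proposed specialFailedLoginCheck and isAllowed() from specialClientAccessCheck, passing the client address as a string.

```cpp
#include <chrono>
#include <map>
#include <string>

// Hypothetical helper, not part of live555: counts failed logins per client IP
// in a fixed window and locks the IP out once a threshold is reached.
class FailedLoginTracker {
public:
  using Clock = std::chrono::steady_clock;
  using TimePoint = Clock::time_point;

  FailedLoginTracker(unsigned maxFailures, std::chrono::seconds window,
                     std::chrono::seconds lockout)
    : fMaxFailures(maxFailures), fWindow(window), fLockout(lockout) {}

  // For the proposed specialFailedLoginCheck(): record one failed attempt.
  // Returns true if this failure triggered a lockout.
  bool recordFailure(const std::string& ip, TimePoint now = Clock::now()) {
    Entry& e = fEntries[ip];
    if (e.count == 0 || now - e.windowStart > fWindow) {
      e.windowStart = now;  // first failure, or the old window has expired
      e.count = 0;
    }
    if (++e.count < fMaxFailures) return false;
    e.lockedUntil = now + fLockout;
    e.count = 0;
    return true;
  }

  // For specialClientAccessCheck(): false while the IP is locked out.
  bool isAllowed(const std::string& ip, TimePoint now = Clock::now()) {
    auto it = fEntries.find(ip);
    if (it == fEntries.end()) return true;
    if (now < it->second.lockedUntil) return false;
    // Drop stale state; a long-running server would also purge idle entries.
    if (now - it->second.windowStart > fWindow) fEntries.erase(it);
    return true;
  }

private:
  struct Entry {
    unsigned count = 0;
    TimePoint windowStart{};
    TimePoint lockedUntil{};
  };
  unsigned fMaxFailures;
  std::chrono::seconds fWindow, fLockout;
  std::map<std::string, Entry> fEntries;
};
```

Counting is keyed on the source IP only, as in the message, so clients behind one NAT address share a counter and a lockout.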
