security: rate limiting on auth endpoints + rpcbind disabled (F-01/02/05/09)

F-01 — API key brute-force protection: per-IP failure counter in auth.py
tracks failed attempts in a 60s sliding window; returns 429 + Retry-After
after 20 failures from the same IP.

F-02 — Login brute-force protection: @limiter.limit("10/minute; 30/hour")
on POST /api/v1/auth/login via flask-limiter 4.1.1 (added to requirements.txt,
Limiter instance in extensions.py, init_app() in create_app()).

F-05 — Webhook exemption documented with explicit IMPORTANT comment warning
future developers that new webhook handlers must implement their own auth.

F-09 — rpcbind service and socket unit disabled on LXC CT101 (pve-node1);
port 111 confirmed closed via nmap from Kali VM.

Author: DennisSico

backend/app.py

@@ -11,7 +11,7 @@
 
 from flask import Flask
 
-from extensions import socketio
+from extensions import limiter, socketio
 
 LOG_FORMAT = "%(asctime)s [%(levelname)s] %(name)s: %(message)s"
 
@@ -180,6 +180,9 @@ def create_app(testing=False):
 
     register_error_handlers(app)
 
+    # Initialize rate limiter (in-memory; swap storage_uri for Redis in multi-worker setups)
+    limiter.init_app(app)
+
     # Initialize authentication
     from auth import init_auth
     from routes.auth_ui import auth_ui_bp

backend/auth.py

@@ -8,13 +8,38 @@
 import functools
 import hmac
 import logging
+import threading
+import time
+from collections import defaultdict
 
 from flask import jsonify, request
 
 from config import get_settings
 
 logger = logging.getLogger(__name__)
 
+# Per-IP rate limiting for failed API key attempts.
+# Tracks timestamps of failures; entries older than _WINDOW are discarded.
+_failed_lock = threading.Lock()
+_failed_attempts: dict[str, list[float]] = defaultdict(list)
+_FAIL_LIMIT = 20  # max failed attempts per window
+_FAIL_WINDOW = 60  # seconds
+
+
+def _is_rate_limited(ip: str) -> bool:
+    """Return True if ip has exceeded the failed-auth rate limit."""
+    now = time.monotonic()
+    with _failed_lock:
+        cutoff = now - _FAIL_WINDOW
+        _failed_attempts[ip] = [t for t in _failed_attempts[ip] if t > cutoff]
+        return len(_failed_attempts[ip]) >= _FAIL_LIMIT
+
+
+def _record_failure(ip: str) -> None:
+    """Record a failed auth attempt for ip."""
+    with _failed_lock:
+        _failed_attempts[ip].append(time.monotonic())
+
 
 def require_api_key(f):
     """Decorator to enforce API key authentication on a route."""
@@ -70,16 +95,36 @@ def check_api_key():
         if path == "/api/v1/health":
             return None
 
-        # Skip auth for webhook endpoints (they use their own auth)
+        # Skip auth for webhook endpoints — each handler performs its own
+        # HMAC-based auth (see routes/webhooks.py). IMPORTANT: any new webhook
+        # route added under /api/v1/webhook/ MUST implement auth manually;
+        # there is no fallback enforcement here.
         if path.startswith("/api/v1/webhook/"):
             return None
 
+        # Skip auth for UI auth endpoints (login, setup, status, logout)
+        # These handle their own authentication logic
+        if path.startswith("/api/v1/auth/"):
+            return None
+
+        ip = request.remote_addr or "unknown"
+
+        # Reject IPs that have exceeded the failed-auth rate limit
+        if _is_rate_limited(ip):
+            logger.warning("Rate limit exceeded for API key auth from %s", ip)
+            resp = jsonify({"error": "Too many failed attempts. Try again later."})
+            resp.headers["Retry-After"] = str(_FAIL_WINDOW)
+            return resp, 429
+
         provided_key = request.headers.get("X-Api-Key") or request.args.get("apikey")
 
         if not provided_key:
+            _record_failure(ip)
             return jsonify({"error": "API key required"}), 401
 
         if not hmac.compare_digest(provided_key, current_settings.api_key):
+            _record_failure(ip)
+            logger.warning("Invalid API key from %s", ip)
             return jsonify({"error": "Invalid API key"}), 401
 
         return None

backend/extensions.py

@@ -7,10 +7,16 @@
 for graceful degradation during the transition period.
 """
 
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 from flask_socketio import SocketIO
 
 socketio = SocketIO()
 
+# Rate limiter — unbound, init_app() called in create_app()
+# Default storage: in-memory (sufficient for single-process Gunicorn)
+limiter = Limiter(key_func=get_remote_address, default_limits=[])
+
 try:
     from flask_migrate import Migrate
     from flask_sqlalchemy import SQLAlchemy

backend/requirements.txt

@@ -1,5 +1,6 @@
 flask==3.1.3
 flask-socketio==5.6.1
+flask-limiter==4.1.1
 Flask-SQLAlchemy==3.1.1
 Flask-Migrate==4.1.0
 SQLAlchemy==2.0.46

backend/routes/auth_ui.py

@@ -13,6 +13,7 @@
 from flask import Blueprint, jsonify, request, session
 
 import ui_auth
+from extensions import limiter
 
 logger = logging.getLogger(__name__)
 
@@ -65,6 +66,7 @@ def setup():
 
 
 @auth_ui_bp.post("/login")
+@limiter.limit("10/minute; 30/hour")
 def login():
     if not ui_auth.is_ui_auth_enabled():
         session["ui_authenticated"] = True