[keycloak-dev] Brute force attack protection
Bill Burke
bburke at redhat.com
Fri Mar 14 18:01:47 EDT 2014
Ugh, seems that Captchas are easily broken too and also cause as much as
10% loss in leads/users. I've seen suggestions of a combination of IP
Address whitelists and blacklists per user and cross user.
1. If a user successfully logs in, add their IP address to the user's
whitelist.
2. After X failed login attempts per user, set the User's notBefore to
incrementally higher times on multiple failures. The notBefore check is
ignored for IP address on the user's whitelist.
The problem I see with this approach is that the attacker's IP might be
on the whitelist because of a proxy. There's also the problem with a
Gateway/Proxy screwing up the Server's idea of what the client IP is. I
know a Gateway/Proxy can set headers like "HTTP_X_FORWARDED_FOR". I'm
wondering if you can trust the Gateway/Proxy to remove
"HTTP_X_FORWARDED_FOR" headers sent by the client itself.
Do you think that is good enough? If the site wants better protection
then they should add two-factor auth. When we support certs, they
should require those too.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
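The scheme sketched in the message above (per-user IP whitelist on success, an escalating notBefore on repeated failures that whitelisted IPs bypass, plus a cross-user IP blacklist), as an added illustration that is not Keycloak code and not part of the original post. It also shows the X-Forwarded-For handling the message worries about: the header is only honoured for hops appended by a trusted reverse proxy, and since a proxy appends to the header rather than replacing it, a value forged by the client is skipped by walking the chain from the right. Thresholds, the trusted proxy range, the `client_ip`/`BruteForceGuard` names and the addresses in `demo` are all constructed assumptions.

```python
"""Sketch of IP-aware brute-force protection (constructed example)."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_USER_FAILURES = 3    # failures before a per-user lockout (assumed)
BASE_WAIT_SECONDS = 30   # first lockout length; doubles per extra failure (assumed)
MAX_WAIT_SECONDS = 900   # cap on the lockout length (assumed)
MAX_IP_FAILURES = 10     # cross-user failures before an IP is blacklisted (assumed)
# Reverse proxies whose X-Forwarded-For we accept (assumed deployment layout).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the client address. X-Forwarded-For is only trusted for hops
    added by a trusted proxy: walk the chain from the nearest hop and stop at
    the first untrusted one, so a client-forged header value is never used."""
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops + [remote_addr]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr        # malformed header: fall back to the TCP peer
        if not is_trusted_proxy(addr):
            return str(addr)
    return remote_addr                # whole chain is trusted proxies


@dataclass
class UserState:
    whitelist: set = field(default_factory=set)   # IPs that logged in successfully
    failures: int = 0
    not_before: float = 0.0                       # login refused before this time


class BruteForceGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # username -> UserState
        self.ip_failures = {}  # client ip -> failures across all users

    def attempt(self, username: str, credentials_ok: bool,
                remote_addr: str, x_forwarded_for: Optional[str] = None) -> str:
        ip = client_ip(remote_addr, x_forwarded_for)
        st = self.users.setdefault(username, UserState())
        now = self.clock()
        if self.ip_failures.get(ip, 0) >= MAX_IP_FAILURES:
            return "ip-blacklisted"
        # notBefore is ignored for IPs on this user's whitelist
        if now < st.not_before and ip not in st.whitelist:
            self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
            return "locked"
        if credentials_ok:
            st.failures, st.not_before = 0, 0.0
            st.whitelist.add(ip)
            return "ok"
        st.failures += 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if st.failures >= MAX_USER_FAILURES:
            wait = BASE_WAIT_SECONDS * 2 ** (st.failures - MAX_USER_FAILURES)
            st.not_before = now + min(wait, MAX_WAIT_SECONDS)
        return "denied"


def demo() -> dict:
    """Walk through the scenario with a fake clock; returns observed outcomes."""
    clock = [1000.0]
    g = BruteForceGuard(clock=lambda: clock[0])
    proxy, alice_ip, attacker_ip = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    r = {}
    # 1. alice logs in through the proxy; 203.0.113.7 joins her whitelist
    r["alice_ok"] = g.attempt("alice", True, proxy, alice_ip)
    # 2. attacker connects directly and forges XFF to alice's address; the peer
    #    is not a trusted proxy, so the header is ignored
    r["guess"] = [g.attempt("alice", False, attacker_ip, alice_ip)
                  for _ in range(MAX_USER_FAILURES)]
    r["locked"] = g.attempt("alice", False, attacker_ip, alice_ip)
    # 3. once the first window passes, one more failure doubles the wait
    clock[0] += BASE_WAIT_SECONDS + 1
    r["after_wait"] = g.attempt("alice", False, attacker_ip, alice_ip)
    r["wait2"] = g.users["alice"].not_before - clock[0]
    # 4. alice, from her whitelisted IP, is unaffected by the lock
    r["alice_during_lock"] = g.attempt("alice", True, proxy, alice_ip)
    # 5. the attacker's IP accumulates failures across users and is blacklisted
    for user in ("bob", "carol", "dave", "erin", "frank"):
        g.attempt(user, False, attacker_ip, None)
    r["ip_failures"] = g.ip_failures[attacker_ip]
    r["blacklisted"] = g.attempt("grace", False, attacker_ip, None)
    return r


if __name__ == "__main__":
    print(demo())
```

The caveat from the message survives in this sketch: a user behind the same NAT or forward proxy as an attacker shares the whitelisted address, so the per-user lockout does not protect them; only the cross-user IP counter and a second factor help there.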