[keycloak-dev] Brute force attack protection
Stian Thorgersen
stian at redhat.com
Mon Mar 17 05:38:19 EDT 2014
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 14 March, 2014 10:01:47 PM
> Subject: Re: [keycloak-dev] Brute force attack protection
>
> Ugh, seems that Captchas are easily broken too and also cause as much as
> 10% loss in leads/users. I've seen suggestions of a combination of IP
> Address whitelists and blacklists per user and cross user.
>
>
> 1. If a user successfully logs in, add their IP address to the user's
> whitelist.
> 2. After X failed login attempts per user, set the User's notBefore to
> incrementally higher times on multiple failures. The notBefore check is
> ignored for IP address on the user's whitelist.
>
> The problem I see with this approach is that the attacker's IP might be
> on the whitelist because of a proxy. There's also the problem with a
> Gateway/Proxy screwing up the Server's idea of what the client IP is. I
> know a Gateway/Proxy can set headers like "HTTP_X_FORWARDED_FOR". I'm
> wondering if you can trust the Gateway/Proxy to remove
> "HTTP_X_FORWARDED_FOR" headers sent by the client itself.
Wouldn't a blacklist be better? If a user fails to log in from a certain IP address N times, add the IP to a blacklist?
I can see a few issues with a whitelist:
* Shared IP/NAT
* Public networks (anyone at a Starbucks is on the whitelist)
* Dynamic IP addresses (home broadband)
>
>
> Do you think that is good enough? If the site wants better protection
> then they should add two-factor auth. When we support certs, they
> should require those too.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
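Bill's whitelist-plus-notBefore proposal and the X-Forwarded-For caveat, as an added Python sketch that is not Keycloak's code (the class and field names, the 30-second lockout that doubles per further failure, the `trusted_proxies` parameter and the explicit `now` clock are assumptions made for illustration):

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class UserState:
    whitelist: set = field(default_factory=set)  # IPs with a past successful login
    failures: int = 0                             # consecutive failed attempts
    not_before: float = 0.0                       # epoch seconds; logins rejected before this


class LoginGuard:
    """Constructed per-user lockout; not the Keycloak implementation."""

    def __init__(self, max_failures=3, base_lockout=30, trusted_proxies=()):
        self.max_failures = max_failures
        self.base_lockout = base_lockout  # seconds; doubles for every failure past the limit
        self.trusted_proxies = {ip_address(p) for p in trusted_proxies}
        self.users = {}

    def client_ip(self, remote_addr, x_forwarded_for=None):
        """Honour X-Forwarded-For only when the TCP peer is a proxy we run, and
        then use only the hop that proxy appended (the rightmost entry). A
        client-supplied header is then harmless even if the proxy did not strip it."""
        if x_forwarded_for and ip_address(remote_addr) in self.trusted_proxies:
            return x_forwarded_for.split(",")[-1].strip()
        return remote_addr

    def attempt(self, username, ip, password_ok, now):
        """Return (allowed, reason). `now` is passed in so the logic is testable."""
        state = self.users.setdefault(username, UserState())
        # notBefore is ignored for IPs on the user's whitelist, as in the proposal
        if now < state.not_before and ip not in state.whitelist:
            return False, "locked"
        if password_ok:
            state.failures = 0
            state.whitelist.add(ip)
            return True, "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            extra = state.failures - self.max_failures
            state.not_before = now + self.base_lockout * (2 ** extra)
            return False, "locked"
        return False, "bad credentials"
```

The whitelist bypass is exactly what Stian's objection targets: anyone behind the same NAT or public network as a past successful login shares the exemption.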