[keycloak-user] info about brute force detection

Bruno Oliveira bruno at abstractj.org
Fri Dec 4 15:01:55 EST 2015


In addition, it is pretty much possible to configure fail2ban to read the
log files and store it into the database for example
(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).

I can be wrong, but I don't think Keycloak should have something like this.

On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com> wrote:
> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>
> Dear all,
>
> I have enabled brute force detection on my Keycloak application server.
>
> I used Keycloak 1.5.0 Final version.
>
> After several trials I saw that the number of failures of the users is
> saved in session, so if the server is restarted the counter starts from
> 0 again.
>
> Why don't you save it into the db?
>
> I didn't design this, but I think it's because brute force detection is
> designed to thwart guessing of credentials over a relatively short time
> period.  In production you don't restart the server very often.
>
>
>
> Mara
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
- abstractj
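
The trade-off discussed in this thread (failure counters that reset on restart versus detection over a short time window), shown as an added example that is not part of the original messages and is not Keycloak or fail2ban code. The log line format, the function names and the thresholds are assumptions made for illustration; failed logins are parsed from a log and kept in SQLite so the count survives a restart, while only recent failures count toward the limit.

```python
import os, re, sqlite3, tempfile
from datetime import datetime, timezone
# Constructed sample; this line format is an assumption, not Keycloak's real log output.
SAMPLE_LOG = """\
2015-12-04 14:00:00 LOGIN_ERROR user=mara ip=203.0.113.7
2015-12-04 15:00:05 LOGIN_ERROR user=mara ip=203.0.113.7
2015-12-04 15:00:09 LOGIN_ERROR user=mara ip=203.0.113.7
2015-12-04 15:00:12 LOGIN_ERROR user=mara ip=203.0.113.7
2015-12-04 15:00:20 LOGIN user=stan ip=198.51.100.4
2015-12-04 15:00:30 LOGIN_ERROR user=stan ip=198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN_ERROR user=(\S+) ip=(\S+)$")

def open_store(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS failures (ts INTEGER, username TEXT, ip TEXT)")
    return db

def ingest(db, log_text):
    """Store every failed-login line; return how many were recorded."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # successful logins and unrelated lines are ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            rows.append((int(ts.timestamp()), m.group(2), m.group(3)))
    db.executemany("INSERT INTO failures VALUES (?, ?, ?)", rows)
    db.commit()
    return len(rows)

def over_limit(db, now, window_s=60, max_failures=3):
    """Users with at least max_failures failed logins in the last window_s seconds."""
    cur = db.execute(
        "SELECT username FROM failures WHERE ts > ? AND ts <= ? "
        "GROUP BY username HAVING COUNT(*) >= ? ORDER BY username",
        (now - window_s, now, max_failures))
    return [r[0] for r in cur]

def restart_demo():
    """Ingest, close the store (the 'restart'), reopen it and evaluate the window."""
    path = os.path.join(tempfile.mkdtemp(), "failures.db")
    db = open_store(path)
    recorded = ingest(db, SAMPLE_LOG)
    db.close()
    db = open_store(path)  # the recorded failures are still there after the restart
    now = int(datetime(2015, 12, 4, 15, 0, 40, tzinfo=timezone.utc).timestamp())
    result = (recorded, over_limit(db, now), over_limit(db, now + 3600))
    db.close()
    return result
```
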