Re: [keycloak-dev] Brute force attack protection
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 14 March, 2014 10:01:47 PM
Subject: Re: [keycloak-dev] Brute force attack protection
Ugh, seems that Captchas are easily broken too and also cause as much as
10% loss in leads/users. I've seen suggestions of a combination of IP
Address whitelists and blacklists per user and cross user.
1. If a user successfully logs in, add their IP address to the user's
whitelist.
2. After X failed login attempts per user, set the User's notBefore to
incrementally higher times on multiple failures. The notBefore check is
ignored for IP address on the user's whitelist.
The problem I see with this approach is that the attacker's IP might be
on the whitelist because of a proxy. There's also the problem with a
Gateway/Proxy screwing up the Server's idea of what the client IP is. I
know a Gateway/Proxy can set headers like "HTTP_X_FORWARDED_FOR". I'm
wondering if you can trust the Gateway/Proxy to remove
"HTTP_X_FORWARDED_FOR" headers sent by the client itself.
Wouldn't a blacklist be better? If a user fails to login from a certain IP address N
times add the IP to a blacklist?
I can see a few issues with a whitelist:
* Shared IP/NAT
* Public networks (anyone at a Starbucks is on the whitelist)
* Dynamic IP addresses (home broadband)
Do you think that is good enough? If the site wants better protection
then they should add two-factor auth. When we support certs, they
should require those too.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev