8:29 a.m.
The question of Mara was perfectly legitimated and the answers are not
really acceptable.
I have the opinion that the number of failures needs to be persisted and the
designer should not make assumption about the times and periods for server
restarts
Secondly, where should be such a brute detection implemented if not in
Keycloak?
In effect is is implemented, but the implementation can be made better.
FYI information we implemented it using the functionalities of the LDAP
server.
Regards,
Giovanni
>In addition, is pretty much possible to configure fail2ban to read
the
>log files and store it into the database for example
>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>
>I can be wrong, but I don't think Keycloak should have something like this.
>
On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user> > wrote:
On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
Dear all,
I have enabled brute force detection on my keycloak application server.
I used keycloak 1.5.0 Final version.
After several trials I saw that the number of failures of the users are
saved in session, so if the server will be restarted the counter starts from
0 again.
Why you don¹t save it into db?
I didn't design this, but I think it's because brute force detection is
designed to thwart guessing of credentials over a relatively short time
period. In production you don't restart the server very often.
Mara
_______
9:15 a.m.
There's no assumption here that the server won't be restarted in
production. However, when this was designed we decided it was good enough
to store failed login attempts in memory. Reasoning behind that is we try
to prevent changing users if possible. It's also good enough in our eyes as
server restarts will be uncommon in production and it would be very
unlikely that the server is restarted frequently enough for a brute force
attack to succeed.
However, if this really isn't good enough for you then feel free to create
a feature request asking for an option to be able to persist failed log-in
attempts. We don't have resources to implement it at the moment though, so
it would have to be a community contribution it you want it soon.
On 8 December 2015 at 15:29, Giovanni Baruzzi <giovanni.baruzzi(a)syntlogo.de>
wrote:
The question of Mara was perfectly legitimated and the answers are
not really acceptable.
I have the opinion that the number of failures needs to be persisted and the designer
should not make assumption about the times and periods for server restarts
Secondly, where should be such a brute detection implemented if not in Keycloak?
In effect is is implemented, but the implementation can be made better.
FYI information we implemented it using the functionalities of the LDAP server.
Regards,
Giovanni
>>In addition, is pretty much possible to configure fail2ban to read the
>>log files and store it into the database for example
>>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>>
>>I can be wrong, but I don't think Keycloak should have something like this.
>>
On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user>> wrote:
>* On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
*>>* Dear all,
*>>* I have enabled brute force detection on my keycloak application server.
*>>* I used keycloak 1.5.0 Final version.
*>>* After several trials I saw that the number of failures of the users are
*>* saved in session, so if the server will be restarted the counter starts from
*>* 0 again.
*>>* Why you don’t save it into db?
*>>* I didn't design this, but I think it's because brute force detection
is
*>* designed to thwart guessing of credentials over a relatively short time
*>* period. In production you don't restart the server very often.
*>>>>* Mara
*>>>>* _______*
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:17 a.m.
You can also increase the number of owners for the cache which will mean
that login failures will survive a single node restart.
On 8 December 2015 at 16:15, Stian Thorgersen <sthorger(a)redhat.com> wrote:
There's no assumption here that the server won't be restarted
in
production. However, when this was designed we decided it was good enough
to store failed login attempts in memory. Reasoning behind that is we try
to prevent changing users if possible. It's also good enough in our eyes as
server restarts will be uncommon in production and it would be very
unlikely that the server is restarted frequently enough for a brute force
attack to succeed.
However, if this really isn't good enough for you then feel free to create
a feature request asking for an option to be able to persist failed log-in
attempts. We don't have resources to implement it at the moment though, so
it would have to be a community contribution it you want it soon.
On 8 December 2015 at 15:29, Giovanni Baruzzi <
giovanni.baruzzi(a)syntlogo.de> wrote:
> The question of Mara was perfectly legitimated and the answers are not really
acceptable.
>
> I have the opinion that the number of failures needs to be persisted and the designer
should not make assumption about the times and periods for server restarts
>
> Secondly, where should be such a brute detection implemented if not in Keycloak?
>
> In effect is is implemented, but the implementation can be made better.
>
> FYI information we implemented it using the functionalities of the LDAP server.
>
>
> Regards,
>
> Giovanni
>
>
>
> >>In addition, is pretty much possible to configure fail2ban to read the
> >>log files and store it into the database for example
> >>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
> >>
> >>I can be wrong, but I don't think Keycloak should have something like
this.
> >>
> On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user>> wrote:
> >* On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
> *>>* Dear all,
> *>>* I have enabled brute force detection on my keycloak application server.
> *>>* I used keycloak 1.5.0 Final version.
> *>>* After several trials I saw that the number of failures of the users are
> *>* saved in session, so if the server will be restarted the counter starts from
> *>* 0 again.
> *>>* Why you don’t save it into db?
> *>>* I didn't design this, but I think it's because brute force
detection is
> *>* designed to thwart guessing of credentials over a relatively short time
> *>* period. In production you don't restart the server very often.
> *>>>>* Mara
> *>>>>* _______*
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
3306
days inactive
3306
days old
2 comments
2 participants
participants (2)
-
Giovanni Baruzzi -
Stian Thorgersen