[keycloak-user] info about brute force detection

Bill Burke bburke at redhat.com
Sun Dec 6 21:51:20 EST 2015


It will be useful in the future to warn people of rogue nations logging 
in.  i.e.  Somebody from China logged into your account, was it you?  It 
used to be an experimental feature, then people started asking for it 
because they wanted to disable accounts that failed to produce the right 
password 3 times or so.  Weak, I know, but people wanted it.



On 12/4/2015 3:01 PM, Bruno Oliveira wrote:
> In addition, it is pretty much possible to configure fail2ban to read the
> log files and store them in the database, for example
> (http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>
> I could be wrong, but I don't think Keycloak should have something like this.
>
> On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com> wrote:
>> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>>
>> Dear all,
>>
>> I have enabled brute force detection on my keycloak application server.
>>
>> I used keycloak 1.5.0 Final version.
>>
>> After several trials I saw that the number of failures of the users are
>> saved in session, so if the server will be restarted the counter starts from
>> 0 again.
>>
>> Why don't you save it into the db?
>>
>> I didn't design this, but I think it's because brute force detection is
>> designed to thwart guessing of credentials over a relatively short time
>> period.  In production you don't restart the server very often.
>>
>>
>>
>> Mara
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
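The thread contrasts a failure counter kept in memory (lost on restart, as Mara observed) with one persisted to a database, and Stan's point that the detector only needs to cover a short guessing window. The following is an added example, not Keycloak's code: a sliding-window failed-login counter backed by SQLite, with a simulated "restart" that shows why a persisted store keeps the lockout state while an in-memory one does not. The thresholds (3 failures, 60-second window, 300-second lockout), the table names and the user name "mara" are illustrative assumptions.

```python
"""Added example (not Keycloak code): a time-windowed failed-login counter
persisted to SQLite, versus one that lives only in process memory."""
import sqlite3


class BruteForceDetector:
    """Counts failed logins per user inside a sliding window and locks the
    account once max_failures is reached. Thresholds are assumed values,
    not Keycloak's defaults."""

    def __init__(self, conn, max_failures=3, window=60.0, lockout=300.0):
        self.conn = conn
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        # Schema is an assumption for this example.
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS login_failure (username TEXT, ts REAL)")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS lockout (username TEXT PRIMARY KEY, until REAL)")
        self.conn.commit()

    def record_failure(self, username, now):
        """Store a failure, drop failures older than the window, and lock the
        account if the in-window count reaches the threshold. Returns the
        in-window failure count for the user."""
        self.conn.execute("INSERT INTO login_failure VALUES (?, ?)", (username, now))
        cutoff = now - self.window
        self.conn.execute("DELETE FROM login_failure WHERE ts < ?", (cutoff,))
        (count,) = self.conn.execute(
            "SELECT COUNT(*) FROM login_failure WHERE username = ? AND ts >= ?",
            (username, cutoff)).fetchone()
        if count >= self.max_failures:
            self.conn.execute("INSERT OR REPLACE INTO lockout VALUES (?, ?)",
                              (username, now + self.lockout))
        self.conn.commit()
        return count

    def is_locked(self, username, now):
        """True while a lockout for the user has not yet expired."""
        row = self.conn.execute(
            "SELECT until FROM lockout WHERE username = ?", (username,)).fetchone()
        return row is not None and row[0] > now

    def record_success(self, username):
        """A successful login clears the user's failures and any lockout."""
        self.conn.execute("DELETE FROM login_failure WHERE username = ?", (username,))
        self.conn.execute("DELETE FROM lockout WHERE username = ?", (username,))
        self.conn.commit()


def new_detector():
    """Detector over a fresh in-memory SQLite database."""
    return BruteForceDetector(sqlite3.connect(":memory:"))


def simulate_restart(persistent):
    """Two failures, a simulated server restart, then a third failure.
    persistent=False gives the restarted detector a fresh store (the
    session-held counter in the thread); persistent=True reuses the store.
    Returns (locked_before_restart, locked_after_third_failure)."""
    store = sqlite3.connect(":memory:")
    t0 = 1000.0  # constructed timestamps
    det = BruteForceDetector(store)
    for i in range(2):
        det.record_failure("mara", t0 + i)
    locked_before = det.is_locked("mara", t0 + 2)
    # "Restart": a new detector instance, with or without the old store.
    det = BruteForceDetector(store) if persistent else new_detector()
    det.record_failure("mara", t0 + 3)
    return locked_before, det.is_locked("mara", t0 + 4)


if __name__ == "__main__":
    print("persistent store :", simulate_restart(True))   # (False, True)
    print("in-memory store  :", simulate_restart(False))  # (False, False)
```

The sliding window is what makes the in-memory design tolerable in practice: failures older than the window are discarded anyway, so a restart only forgets state the detector would soon have forgotten itself. Persisting the lockout row is the part that matters if an operator expects a locked account to stay locked across a restart.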

