[keycloak-user] info about brute force detection

Giovanni Baruzzi giovanni.baruzzi at syntlogo.de
Tue Dec 8 09:29:30 EST 2015


The question of Mara was perfectly legitimate and the answers are not
really acceptable.
I have the opinion that the number of failures needs to be persisted and the
designer should not make assumptions about the times and periods for server
restarts.
Secondly, where should such brute force detection be implemented, if not in
Keycloak?
In effect it is implemented, but the implementation can be made better.
FYI, we implemented it using the functionalities of the LDAP
server.

Regards,
Giovanni


>>In addition, it is pretty much possible to configure fail2ban to read the
>>log files and store them into a database, for example
>>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>>
>>I can be wrong, but I don't think Keycloak should have something like this.
>>
On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user> > wrote:
> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>
> Dear all,
>
> I have enabled brute force detection on my keycloak application server.
>
> I used keycloak 1.5.0 Final version.
>
> After several trials I saw that the number of failures of the users is
> saved in session, so if the server is restarted the counter starts from
> 0 again.
>
> Why don't you save it into the db?
>
> I didn't design this, but I think it's because brute force detection is
> designed to thwart guessing of credentials over a relatively short time
> period.  In production you don't restart the server very often.
>
>
>
> Mara
>
>
>
> _______
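The thread above turns on one design point: a failure counter kept only in memory is reset by a restart, while a persisted counter survives it, and the counter still needs a time window so that it only reacts to guessing over a short period. The following is an added example illustrating that design, not Keycloak's own implementation and not the LDAP-based setup Giovanni mentions. It assumes a SQLite file as the persistent store, a hypothetical `PersistentBruteForceDetector` class, constructed policy values (5 failures in 15 minutes, 5-minute lockout) and an injectable clock so the window logic can be exercised deterministically; the "restart" is simulated by closing the detector and opening a new one on the same file.

```python
import os
import sqlite3
import tempfile
import time

# Constructed policy values for the example; a real deployment would tune these.
LOCKOUT_THRESHOLD = 5       # failures within FAILURE_WINDOW_SEC that trigger a lockout
FAILURE_WINDOW_SEC = 900    # only failures newer than this are counted
LOCKOUT_SEC = 300           # how long the account stays locked after the last failure


class FakeClock:
    """Deterministic stand-in for time.time() so the window logic is testable."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PersistentBruteForceDetector:
    """Hypothetical detector that persists per-user failure timestamps in SQLite.

    Because every failure is written to disk before the login response is
    returned, the counter is not lost when the process restarts.
    """

    def __init__(self, db_path, clock=time.time):
        self.conn = sqlite3.connect(db_path)
        self.clock = clock
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS login_failures ("
            " username TEXT NOT NULL, failed_at REAL NOT NULL)"
        )
        self.conn.execute(
            "CREATE INDEX IF NOT EXISTS idx_failures_user"
            " ON login_failures (username, failed_at)"
        )
        self.conn.commit()

    def record_failure(self, username):
        """Persist one failed attempt and prune entries outside the window."""
        now = self.clock()
        self.conn.execute(
            "INSERT INTO login_failures (username, failed_at) VALUES (?, ?)",
            (username, now),
        )
        self.conn.execute(
            "DELETE FROM login_failures WHERE failed_at < ?",
            (now - FAILURE_WINDOW_SEC,),
        )
        self.conn.commit()

    def record_success(self, username):
        """A successful login clears the user's failure history."""
        self.conn.execute("DELETE FROM login_failures WHERE username = ?", (username,))
        self.conn.commit()

    def recent_failures(self, username):
        """Number of failures for the user inside the sliding window."""
        now = self.clock()
        row = self.conn.execute(
            "SELECT COUNT(*) FROM login_failures WHERE username = ? AND failed_at >= ?",
            (username, now - FAILURE_WINDOW_SEC),
        ).fetchone()
        return row[0]

    def is_locked(self, username):
        """Locked when the threshold is reached and the last failure is recent."""
        now = self.clock()
        count, last = self.conn.execute(
            "SELECT COUNT(*), MAX(failed_at) FROM login_failures"
            " WHERE username = ? AND failed_at >= ?",
            (username, now - FAILURE_WINDOW_SEC),
        ).fetchone()
        if count < LOCKOUT_THRESHOLD or last is None:
            return False
        return last >= now - LOCKOUT_SEC

    def close(self):
        self.conn.close()


def run_restart_demo(db_path=None):
    """Show that the failure count survives a simulated restart; returns the observations."""
    if db_path is None:
        fd, db_path = tempfile.mkstemp(suffix=".sqlite")
        os.close(fd)
    clock = FakeClock()
    first = PersistentBruteForceDetector(db_path, clock)
    for _ in range(LOCKOUT_THRESHOLD - 1):
        first.record_failure("alice")          # constructed sample user
    locked_before = first.is_locked("alice")   # one short of the threshold
    first.close()                              # simulated server shutdown
    second = PersistentBruteForceDetector(db_path, clock)  # simulated restart
    carried = second.recent_failures("alice")  # the earlier failures are still there
    second.record_failure("alice")             # the next failure crosses the threshold
    locked_after = second.is_locked("alice")
    clock.advance(LOCKOUT_SEC + 1)             # wait out the lockout period
    expired = second.is_locked("alice")
    second.record_success("alice")
    cleared = second.recent_failures("alice")
    second.close()
    os.unlink(db_path)
    return {
        "locked_before_restart": locked_before,
        "failures_after_restart": carried,
        "locked_after_restart": locked_after,
        "locked_after_lockout_expiry": expired,
        "failures_after_success": cleared,
    }


if __name__ == "__main__":
    print(run_restart_demo())
```

The sliding window keeps the behaviour Stan describes (only guessing over a short period counts) while removing the dependence on server uptime that Giovanni objects to; the `last >= now - LOCKOUT_SEC` check also means a lockout expires on its own instead of requiring an administrator to reset it.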



