[keycloak-user] info about brute force detection

Stian Thorgersen sthorger at redhat.com
Tue Dec 8 10:15:50 EST 2015


There's no assumption here that the server won't be restarted in
production. However, when this was designed we decided it was good enough
to store failed login attempts in memory. Reasoning behind that is we try
to prevent changing users if possible. It's also good enough in our eyes as
server restarts will be uncommon in production and it would be very
unlikely that the server is restarted frequently enough for a brute force
attack to succeed.

However, if this really isn't good enough for you then feel free to create
a feature request asking for an option to be able to persist failed log-in
attempts. We don't have resources to implement it at the moment though, so
it would have to be a community contribution it you want it soon.

On 8 December 2015 at 15:29, Giovanni Baruzzi <giovanni.baruzzi at syntlogo.de>
wrote:

> The question of Mara was perfectly legitimated and the answers are not really acceptable.
>
> I have the opinion that the number of failures needs to be persisted and the designer should not make assumption about the times and periods for server restarts
>
> Secondly, where should be such a brute detection implemented if not in Keycloak?
>
> In effect is is implemented, but the implementation can be made better.
>
> FYI information we implemented it using the functionalities of the LDAP server.
>
>
> Regards,
>
> Giovanni
>
>
>
> >>In addition, is pretty much possible to configure fail2ban to read the
> >>log files and store it into the database for example
> >>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
> >>
> >>I can be wrong, but I don't think Keycloak should have something like this.
> >>
> On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com <https://lists.jboss.org/mailman/listinfo/keycloak-user>> wrote:
> >* On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
> *>>* Dear all,
> *>>* I have enabled brute force detection on my keycloak application server.
> *>>* I used keycloak 1.5.0 Final version.
> *>>* After several trials I saw that the number of failures of the users are
> *>* saved in session, so if the server will be restarted the counter starts from
> *>* 0 again.
> *>>* Why you don’t save it into db?
> *>>* I didn't design this, but I think it's because brute force detection is
> *>* designed to thwart guessing of credentials over a relatively short time
> *>* period.  In production you don't restart the server very often.
> *>>>>* Mara
> *>>>>* _______*
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/2ad0f3a0/attachment.html 


More information about the keycloak-user mailing list