[keycloak-user] info about brute force detection

Stian Thorgersen sthorger at redhat.com
Tue Dec 8 10:17:06 EST 2015


You can also increase the number of owners for the cache which will mean
that login failures will survive a single node restart.

On 8 December 2015 at 16:15, Stian Thorgersen <sthorger at redhat.com> wrote:

> There's no assumption here that the server won't be restarted in
> production. However, when this was designed we decided it was good enough
> to store failed login attempts in memory. Reasoning behind that is we try
> to prevent changing users if possible. It's also good enough in our eyes as
> server restarts will be uncommon in production and it would be very
> unlikely that the server is restarted frequently enough for a brute force
> attack to succeed.
>
> However, if this really isn't good enough for you then feel free to create
> a feature request asking for an option to be able to persist failed log-in
> attempts. We don't have resources to implement it at the moment though, so
> it would have to be a community contribution if you want it soon.
>
> On 8 December 2015 at 15:29, Giovanni Baruzzi <
> giovanni.baruzzi at syntlogo.de> wrote:
>
>> The question of Mara was perfectly legitimate and the answers are not really acceptable.
>>
>> I am of the opinion that the number of failures needs to be persisted and the designer should not make assumptions about the times and periods of server restarts.
>>
>> Secondly, where should such brute force detection be implemented if not in Keycloak?
>>
>> In effect it is implemented, but the implementation can be made better.
>>
>> FYI, we implemented it using the functionality of the LDAP server.
>>
>>
>> Regards,
>>
>> Giovanni
>>
>>
>>
>> >> In addition, it is pretty much possible to configure fail2ban to read the
>> >> log files and store it into the database for example
>> >> (http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>> >>
>> >> I can be wrong, but I don't think Keycloak should have something like this.
>> >>
>> On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert <ssilvert at redhat.com> wrote:
>> > On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>> >> Dear all,
>> >> I have enabled brute force detection on my keycloak application server.
>> >> I used keycloak 1.5.0 Final version.
>> >> After several trials I saw that the number of failures of the users is
>> >> saved in the session, so if the server is restarted the counter starts from
>> >> 0 again.
>> >> Why don't you save it into the db?
>> > I didn't design this, but I think it's because brute force detection is
>> > designed to thwart guessing of credentials over a relatively short time
>> > period.  In production you don't restart the server very often.
>> >> Mara
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
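Stian's suggestion above (raise the number of owners for the login-failure cache), as an added illustration that is not part of the thread and not copied from the Keycloak project's own files. In a clustered (standalone-ha) Keycloak deployment the brute-force counters are held in an Infinispan distributed cache rather than in the database; with owners="1" each counter exists on exactly one node, so restarting that node forgets the attacker's failed attempts. The cache name loginFailures, the subsystem namespace version and the surrounding cache-container layout are assumptions based on the WildFly/Keycloak HA profile of that period; check the names in your own standalone-ha.xml before applying the change.

```xml
<!-- Added example (assumed layout of the infinispan subsystem in standalone-ha.xml;
     namespace version and cache names may differ in your Keycloak release). -->
<subsystem xmlns="urn:jboss:domain:infinispan:3.0">
    <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <transport lock-timeout="60000"/>
        <local-cache name="realms"/>
        <local-cache name="users"/>

        <!-- Weak setting: a single owner per entry. Restarting the node that owns a
             user's failure counter resets that counter to 0, as Mara observed.
        <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
        -->

        <!-- Hardened setting: every counter is replicated to a second node, so the
             count survives the restart of any single node in the cluster. -->
        <distributed-cache name="loginFailures" mode="SYNC" owners="2"/>
    </cache-container>
</subsystem>
```

Two caveats a practitioner should keep in mind: owners="2" only tolerates losing one node at a time, so a rolling restart is fine but a full cluster restart (or a single-node deployment, where the cache is purely local) still discards all counters; and the extra copy costs memory and synchronous replication traffic on every failed login, which is itself something an attacker can drive. Neither addresses the persistence-to-database request discussed in the thread; for that, a feature request or a community contribution remains the path Stian describes.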