Jul 10th, 2012, 10:15 PM
Stopping brute force authentication attacks.
This is a question about stopping brute force authentication attempts.
What I would like to achieve, is the following;
- Four failed authentication attempts on an account locks it.
- Six failed authentication attempts in total denies any further attempts from the remote address.
The first point was easy.
Simply extend the relevant AuthenticationProvider, register the number of failed attempts and throw LockedException once the limit was reached.
The second point however, is much trickier.
AuthenticationProvider does not have a concept of remote address.
Somewhere I read extending UsernamePasswordAuthenticationFilter is the way to go, but that seems to make things terribly complicated. Failure/Success handlers must be installed, <security:http> needs auto-config to be disabled... The XML configuration file grows. :/
What to do?
Surely I can't be alone in trying to thwart those pesky brute forcing bots ravaging sites left and right.
Thank you for any tips, ideas and help.
Jul 11th, 2012, 03:04 AM
I would implement ApplicationListeners for AuthenticationFailureBadCredentialsEvent (increment counter) and AuthenticationSuccessEvent (set counter = 0).
If you have an HTTP-based authentication, the Authentication object contains the IP address of the client.
I would NOT implement a lockout based on IPs. What if hundreds of users come over a proxy?
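As an added illustration of the event-listener approach suggested in the reply above (this is example code, not the poster's), the bean below counts AuthenticationFailureBadCredentialsEvent per account, resets on AuthenticationSuccessEvent, and enforces the lock by acting as the UserDetailsChecker that DaoAuthenticationProvider runs before checking credentials. The client address is read from WebAuthenticationDetails only for logging, not for blocking, in line with the proxy caveat. The class name, the MAX_FAILURES value and the in-memory map are assumptions; a real deployment would keep the counter in the user record.

```java
// Added example, not code from the thread. Targets the Spring Security 3.x API
// that was current in 2012. LoginAttemptTracker and MAX_FAILURES are assumed names.
package example;

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

public class LoginAttemptTracker
        implements ApplicationListener<AbstractAuthenticationEvent>, UserDetailsChecker {

    /** Four failures lock the account, the threshold from the original question. */
    private static final int MAX_FAILURES = 4;

    /** username -> consecutive failed attempts (in-memory stand-in for a DB column). */
    private final ConcurrentMap<String, AtomicInteger> failures =
            new ConcurrentHashMap<String, AtomicInteger>();

    /** Called by Spring for every authentication event the provider manager publishes. */
    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        Authentication auth = event.getAuthentication();
        String username = auth.getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            int count = failuresFor(username).incrementAndGet();
            // The source address is recorded for reporting only; no IP-based lockout here.
            System.out.println("failed login #" + count + " for '" + username
                    + "' from " + remoteAddress(auth));
        } else if (event instanceof AuthenticationSuccessEvent) {
            failures.remove(username);   // successful login clears the counter
        }
    }

    /**
     * Wired via DaoAuthenticationProvider#setPreAuthenticationChecks. Setting a custom
     * checker replaces the default one, so the standard flag checks are repeated here.
     */
    @Override
    public void check(UserDetails user) {
        if (!user.isAccountNonLocked() || isLocked(user.getUsername())) {
            throw new LockedException("Account locked after " + MAX_FAILURES + " failed attempts");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account disabled");
        }
        if (!user.isAccountNonExpired()) {
            throw new AccountExpiredException("Account expired");
        }
    }

    public boolean isLocked(String username) {
        AtomicInteger n = failures.get(username);
        return n != null && n.get() >= MAX_FAILURES;
    }

    public int failureCount(String username) {
        AtomicInteger n = failures.get(username);
        return n == null ? 0 : n.get();
    }

    private AtomicInteger failuresFor(String username) {
        AtomicInteger fresh = new AtomicInteger();
        AtomicInteger existing = failures.putIfAbsent(username, fresh);
        return existing == null ? fresh : existing;
    }

    /** The client IP is on the details object when the request came through the web filter chain. */
    static String remoteAddress(Authentication auth) {
        Object details = auth.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return "unknown";
    }
}
```

Declare the class as a bean and reference it from the `preAuthenticationChecks` property of the DaoAuthenticationProvider bean; because the bean implements ApplicationListener, the context registers it for the events automatically. Note that the lock is checked before the password, so a locked account answers with LockedException even when the supplied password is correct, and that the counter here is never expired, so an unlock path (operator action or a timeout) still has to be added.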
Jul 13th, 2012, 09:10 AM
I've done the first item by implementing a custom AuthenticationFailureHandler that increments a strike count of the user record in the db. When the strike threshold is exceeded, the account is locked. Don't forget to create an AuthenticationSuccessHandler that resets the strike counter after the user logs in.
I agree with spgmx, programmatically blocking an IP address is not a good idea. If this is really a problem, consider recording the frequency and source of failed authentications and then compile this into a report. Requests from malicious IPs could then be restricted at a layer before the application server, and also quickly undone if it's found to be blocking legitimate requests.
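An added example of the handler-based approach described in this reply (example code, not the poster's): a failure handler that increments the strike count on the user record and locks the account at the threshold, a success handler that resets it, and a per-source tally that feeds the kind of report suggested above instead of blocking anything in the application. The StrikeRepository interface, the STRIKE_LIMIT value and the class names are assumptions standing in for the real user table.

```java
// Added example, not code from the thread. Spring Security 3.x handler API.
// StrikeRepository, STRIKE_LIMIT and the handler class names are assumed.
package example;

import java.io.IOException;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/** Assumed stand-in for the user table; each call is one SQL statement in practice. */
interface StrikeRepository {
    /** Increments the strike column and returns the new value. */
    int incrementStrikes(String username);
    void resetStrikes(String username);
    void lockAccount(String username);
}

public class StrikeCountingFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    /** Four failures lock the account, the threshold from the original question. */
    private static final int STRIKE_LIMIT = 4;

    private final StrikeRepository repo;

    /** source address -> failed attempts, kept only for the out-of-band report. */
    private final ConcurrentMap<String, AtomicInteger> failuresBySource =
            new ConcurrentHashMap<String, AtomicInteger>();

    public StrikeCountingFailureHandler(StrikeRepository repo, String failureUrl) {
        super(failureUrl);
        this.repo = repo;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // The username the form submitted; "j_username" by default in Spring Security 3.x.
        String username = request.getParameter(
                UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY);
        if (username != null && repo.incrementStrikes(username) >= STRIKE_LIMIT) {
            repo.lockAccount(username);
        }
        // Behind a reverse proxy getRemoteAddr() is the proxy, which is exactly why the
        // source is only reported here rather than used for an in-application block.
        recordSource(request.getRemoteAddr());
        super.onAuthenticationFailure(request, response, exception);   // redirect to failureUrl
    }

    void recordSource(String address) {
        AtomicInteger fresh = new AtomicInteger();
        AtomicInteger existing = failuresBySource.putIfAbsent(address, fresh);
        (existing == null ? fresh : existing).incrementAndGet();
    }

    /** Snapshot for the periodic report: address -> failed attempts, sorted by address. */
    public Map<String, Integer> failureReport() {
        Map<String, Integer> report = new TreeMap<String, Integer>();
        for (Map.Entry<String, AtomicInteger> e : failuresBySource.entrySet()) {
            report.put(e.getKey(), e.getValue().get());
        }
        return report;
    }
}

/** Companion success handler: a successful login clears the account's strikes. */
class StrikeResettingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    private final StrikeRepository repo;

    StrikeResettingSuccessHandler(StrikeRepository repo) {
        this.repo = repo;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        repo.resetStrikes(authentication.getName());
        super.onAuthenticationSuccess(request, response, authentication);   // continue to saved request
    }
}
```

The two handlers are wired with the `authentication-failure-handler-ref` and `authentication-success-handler-ref` attributes of `<form-login>` in the security namespace. Because strikes live in the user record rather than in memory, the lock survives restarts and is visible to operators, and the per-source report can be exported for a firewall or reverse-proxy rule that is easy to withdraw if it turns out to catch a shared proxy.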