35 lines
2.3 KiB
Text
35 lines
2.3 KiB
Text
|
|
=== Password guess: brute force attacks
|
|
|
|
A brute force attack happens when an attacker is trying to guess a user's password.
|
|
{{book.project.name}} has some limited brute force detection capabilities.
|
|
If turned on, a user account will be temporarily disabled if a threshold of login failures is reached.
|
|
To enable this feature go to the `Realm Settings` left menu item, click on the `Security Defenses` tab, then additional
|
|
go to the `Brute Force Detection` sub-tab.
|
|
|
|
.Brute Force Detection
|
|
image:../../{{book.images}}/brute-force.png[]
|
|
|
|
The way this works is that if there are `Max Login Failures` during a period of `Failure Reset Time`,
|
|
the account is temporarily disabled for the `Wait Increment` multiplied by the number of failures over the max. After
|
|
`Failure Reset Time` is reached all failures are wiped clean. The `Max Wait` is the maximum amount of time
|
|
an account can be disabled. Another preventive measure is that if there are subsequent login failures for one
|
|
account that are too quick for a human to initiate the account will be disabled. This is controlled by the
|
|
`Quick Login Check Milli Seconds` value. So, if there are two login failures for the same account within that value,
|
|
the account will be disabled for `Minimum Quick Login Wait`.
|
|
|
|
The downside of {{book.project.name}} brute force detection is that the server becomes vulnerable to denial of service attacks.
|
|
An attacker can simply try to guess passwords for any accounts it knows and these account will be disabled.
|
|
Eventually we will expand this functionality to take client IP address into account when deciding whether to block a user.
|
|
|
|
A better option might be a tool like http://fail2ban.org[Fail2Ban]. You can point this service at the {{book.project.name}} server's log file.
|
|
{{book.project.name}} logs every login failure and client IP address that had the failure. Fail2Ban can be used to modify
|
|
firewalls after it detects an attack to block connections from specific IP addresses.
|
|
|
|
==== Password Policies
|
|
|
|
Another thing you should do to prevent password guess is to have a complex enough password policy to ensure that
|
|
users pick hard to guess passwords. See the <<fake/../../authentication/password-policies.adoc#_password-policies, Password Policies>> chapter for more details.
|
|
|
|
The best way to prevent password guessing though is to set up the server to use a one-time-password (OTP).
|
|
|