
I have a JBoss application which has Oracle DB based password authentication using org.jboss.security.auth.spi.DatabaseServerLoginModule. This application is running on the older community edition jboss-6.1.0.Final. I would like to throttle failed login attempts. I figure that these may come in a couple of ways:

  1. A username which exists in the database has repeated failed password attempts
  2. Attempts are made with usernames (likely machine generated) that do not exist in the database

I am currently only concerned with (2).

This server is behind a reverse proxy, which would make tracking the IPs attempts come from difficult.

After a few fruitless hours of Googling I am none the wiser about how to implement logic whereby, in the case of (2), the failed attempts may be logged and some sort of lockout takes place. Another thought I had was that maybe a lockout isn't necessary, and I could instead implement some sort of CAPTCHA system. Again, I find no good resources on how to implement this within my current authentication scheme.

What are the suggested practices to deal with this?

sail0r
  • see https://stackoverflow.com/questions/30369529/block-request-for-multiple-unsuccessful-logins-for-a-period-of-time/30382110#30382110 – Neil McGuigan Sep 24 '15 at 20:02
  • @NeilMcGuigan I do not see any suggestions on that page which address (2) and occur behind a proxy. – sail0r Sep 25 '15 at 18:24
  • there is nothing in my solution that requires that a username already exist. My solution doesn't use IP addresses, so I don't understand your second issue – Neil McGuigan Sep 26 '15 at 01:25

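One way to throttle by submitted username instead of client IP (so it still works behind the reverse proxy), as an added example that is not code from the question or from JBoss: a hypothetical subclass of `DatabaseServerLoginModule`. It assumes that the base class populates the username before calling `getUsersPassword()` and that `getUsersPassword()` throws `FailedLoginException` for a username missing from the database; the threshold and window are assumed values. It goes a little beyond the question by also counting wrong passwords for existing users (case 1).

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/** Hypothetical module: per-username failure counting with a time-boxed lockout. */
public class ThrottledDatabaseLoginModule extends DatabaseServerLoginModule {
    private static final int MAX_FAILURES = 5;              // assumed threshold
    private static final long WINDOW_MS = 15 * 60 * 1000L;  // assumed 15-minute window
    // Shared by all module instances: username -> {failureCount, firstFailureMillis}
    private static final Map<String, long[]> FAILURES = new HashMap<String, long[]>();

    /** Runs after the base class has parsed the submitted username (assumption). */
    @Override
    protected String getUsersPassword() throws LoginException {
        String user = getUsername();
        if (isLockedOut(user)) {
            // Same wording as a normal failure so the reply does not reveal lockout state
            throw new FailedLoginException("Password Incorrect/Password Required");
        }
        try {
            return super.getUsersPassword();  // assumed to throw for an unknown user (case 2)
        } catch (FailedLoginException e) {
            recordFailure(user);
            throw e;
        }
    }

    /** A wrong password for an existing user (case 1) counts as a failure too. */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        boolean ok = super.validatePassword(inputPassword, expectedPassword);
        if (ok) clearFailures(getUsername()); else recordFailure(getUsername());
        return ok;
    }

    static synchronized boolean isLockedOut(String user) {
        long[] e = user == null ? null : FAILURES.get(user);
        if (e == null) return false;
        if (System.currentTimeMillis() - e[1] > WINDOW_MS) { FAILURES.remove(user); return false; }
        return e[0] >= MAX_FAILURES;
    }

    static synchronized void recordFailure(String user) {
        if (user == null) return;
        long now = System.currentTimeMillis();
        long[] e = FAILURES.get(user);
        if (e == null || now - e[1] > WINDOW_MS) e = new long[] {0, now};  // start a new window
        e[0]++;
        FAILURES.put(user, e);
    }

    static synchronized void clearFailures(String user) { if (user != null) FAILURES.remove(user); }
}
```

Because case (2) feeds the map with machine-generated names, the unbounded `HashMap` should be replaced by a size-capped, expiring cache before production use; the lockout also only covers one JVM, so a clustered deployment needs shared state.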