防止在 keycloak 中对某些用户进行暴力检测
Prevent brute-force detection for certain users in keycloak
我在我的项目中使用了keycloak中的暴力检测。但我的要求是,我希望将 2 个用户排除在暴力检测之外,并希望为他们设置默认设置。
如何在领域中设置以防止对某些用户进行强力检测?
在 Password guess: brute force attacks 功能的 Keycloak 文档中,可以阅读:
A brute force attack happens when an attacker is trying to guess a
user’s password. Keycloak has some limited brute force detection
capabilities. If turned on, a user account will be temporarily
disabled if a threshold of login failures is reached. To enable this
feature go to the Realm Settings left menu item, click on the Security
Defenses tab, then additional go to the Brute Force Detection sub-tab.
由此可以推断,此功能应用于领域级别,因此将影响该领域内的所有用户。此外,阅读有关此功能及其配置设置的完整 Keycloak 文档,没有选项可以排除某些用户的帐户。因此,如果您要从强力检测功能中排除的两个用户与您要使用该功能的用户处于同一领域,那么您就不走运了。
然而,从下面的段落
The downside of Keycloak brute force detection is that the server
becomes vulnerable to denial of service attacks. An attacker can
simply try to guess passwords for any accounts it knows and these
account will be disabled. Eventually we will expand this functionality
to take client IP address into account when deciding whether to block
a user.
所以也许将来,您可以根据他们的 IP 排除这两个用户?!但这是一个大胆的猜测;这取决于未来的功能将如何实现。
最后:
A better option might be a tool like Fail2Ban. You can point this
service at the Keycloak server’s log file. Keycloak logs every login
failure and client IP address that had the failure. Fail2Ban can be
used to modify firewalls after it detects an attack to block
connections from specific IP addresses.
我想您可以(暂时)尝试使用 Fail2Ban,并相应地将其与 Keycloak 集成。然后尝试根据他们的 IP 排除这两个用户。
我在我的项目中使用了keycloak中的暴力检测。但我的要求是,我希望将 2 个用户排除在暴力检测之外,并希望为他们设置默认设置。
如何在领域中设置以防止对某些用户进行强力检测?
在 Password guess: brute force attacks 功能的 Keycloak 文档中,可以阅读:
A brute force attack happens when an attacker is trying to guess a user’s password. Keycloak has some limited brute force detection capabilities. If turned on, a user account will be temporarily disabled if a threshold of login failures is reached. To enable this feature go to the Realm Settings left menu item, click on the Security Defenses tab, then additional go to the Brute Force Detection sub-tab.
由此可以推断,此功能应用于领域级别,因此将影响该领域内的所有用户。此外,阅读有关此功能及其配置设置的完整 Keycloak 文档,没有选项可以排除某些用户的帐户。因此,如果您要从强力检测功能中排除的两个用户与您要使用该功能的用户处于同一领域,那么您就不走运了。
然而,从下面的段落
The downside of Keycloak brute force detection is that the server becomes vulnerable to denial of service attacks. An attacker can simply try to guess passwords for any accounts it knows and these account will be disabled. Eventually we will expand this functionality to take client IP address into account when deciding whether to block a user.
所以也许将来,您可以根据他们的 IP 排除这两个用户?!但这是一个大胆的猜测;这取决于未来的功能将如何实现。
最后:
A better option might be a tool like Fail2Ban. You can point this service at the Keycloak server’s log file. Keycloak logs every login failure and client IP address that had the failure. Fail2Ban can be used to modify firewalls after it detects an attack to block connections from specific IP addresses.
我想您可以(暂时)尝试使用 Fail2Ban,并相应地将其与 Keycloak 集成。然后尝试根据他们的 IP 排除这两个用户。