On 13-07-26 12:49 PM, Scott Battaglia wrote:
I don't believe CAS2 ever had that feature enabled (if they did there is a 99% chance CAS3 would have launched with it).
I was looking at the CAS2 code last week, it had it.
IP-based blocking is not always accurate depending on your environment. You could accidentally block a huge number of people because of one very bad person.
Maybe I'm wrong, but it seems to me that brute force IP blocking is fine, as long as the expiry of that block is sufficiently short to not cause problems. The repeat count must also be sufficiently large to not cause problems. i.e. NAT based organizations could have all their users going through a single IP, so blocking that would be bad.
Account based locking can be problematic as well, as you could have a brute force attack that essentially locks all accounts. IP blocking would prevent that sort of thing. It does seem to me that a combination of account locking and IP blocking would be ideal.
We had CAS 2 in place for a lot of years, and never had a single complaint about people being blocked.
IP and IP + username blocking won't catch a distributed attack on single or multiple users. So, account based locking (with a short expiry) would catch the remaining attacks.
Any thoughts?
On Fri, Jul 26, 2013 at 1:31 PM, Trenton D. Adams <[email protected] <mailto:[email protected]>> wrote: On 13-07-26 10:13 AM, Trenton D. Adams wrote: On 13-07-25 02:48 PM, Andrew Morgan wrote: On Thu, 25 Jul 2013, Trenton D. Adams wrote: Hmm, it doesn't seem reasonable for an authentication system to not be throttled. Any ideas on why it's not on by default? I know it was for CAS 2. Can we get it enabled by default going forward? Our CAS system uses our LDAP service to handle authentication, and our LDAP service already has a password policy with handles lockout after X number of failed authentication attempts. Additionaly, we have different password policies for different categories of users ("higher" security accounts allow fewer failed authentication attempts). How does your LDAP support this feature? Is it based on account? if so, that seems rather inferior to IP based throttling. If for some reason I was able to gain access to all of the LDAP ids (temporarily maybe, not as unlikely as one might think) I could use a dictionary attack, and attempt the same password on every account. That wouldn't trigger an account based lock out. Sorry, I've always had attention problems. You already stated it was based on account. But, that does seem rather inferior to IP based blocking, don't you think? I remember CAS 2 being something like 100 repeated attempts in quick succession was deemed as an attack, and that IP was blocked. And, if LDAP does IP based throttling, that wouldn't work too well with CAS, as it would block everyone. We don't really want CAS to handle the lockout/throttling for us, so I would prefer it wasn't enabled by default. However, it isn't too difficult to overlay our own configuration with Maven, so we can remove it if the defaults do change. Thanks, Andy -- Trenton D. Adams Senior Systems Analyst/Web Software Developer Navy Penguins at your service! Athabasca University (780) 675-6195 <tel:%28780%29%20675-6195> :wq! -- This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed. --- -- You are currently subscribed to [email protected] <mailto:[email protected]> as: [email protected] <mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/__display/JSG/cas-user <http://www.ja-sig.org/wiki/display/JSG/cas-user> -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
-- Trenton D. Adams Senior Systems Analyst/Web Software Developer Navy Penguins at your service! Athabasca University (780) 675-6195 :wq! -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
