Hello Rüdiger,

>What do you think about logging false logins on a per-user basis, and
>delay the response after the first false attempt by a couple of seconds
>until another valid login for that user happened? I think the Linux
>shell login works like that.

That's not a bad idea... that would mean delaying a response for a second or two _every time_ a false login happens... That would be a rather simple but yet effective solution, too: It would render brute force useless and behave quite similar to the Linux shell login you mentioned....

>Or, one could lock an account completely after say three false attempts,
>and send an email to the user with a link to unlock it again.

That's also an option... but I think that's mostly used for very high risk and high security applications like banking and stuff... I think GMail uses a captcha after a few (or even just one) false login... that would be extremely effective against scripts.

- Johannes

>.rue
>
>Johannes Fahrenkrug wrote:
>
>>Hi!
>>
>>I'd like to prevent brute force attacks on the login page of my wicket
>>application. What would be the best approach? This is what I'm thinking
>>about doing: Record when the last request for the login page from a
>>certain IP came in and only handle the request when at least a second or
>>two have passed.
>>This would have to be done application wide because when an attacker
>>uses a tool like cURL a new session is created with each request.
>>
>>So what would you guys suggest?
>>
>>- Johannes
>>
>>-------------------------------------------------------------------------
>>Using Tomcat but need to do more? Need to support web services, security?
>>Get stuff done quickly with pre-integrated technology to make your job easier
>>Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>>_______________________________________________
>>Wicket-user mailing list
>>Wicket-user@lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/wicket-user
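
Added example, not part of the original thread and not a Wicket API: a per-user, application-wide throttle along the lines discussed above, in plain Java. It refuses attempts that arrive inside the delay window instead of sleeping the request thread; the class name `LoginThrottle`, the 2-second delay, the pruning threshold and the injected clock are assumptions.

```java
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Application-wide, per-user login throttle (hypothetical class). */
public final class LoginThrottle {
    private static final long DELAY_MS = 2_000;        // "a second or two" (assumed value)
    private static final int PRUNE_THRESHOLD = 100_000; // assumed: above this, expired entries are pruned

    // normalised username -> time (ms) before which further attempts are refused
    private final ConcurrentHashMap<String, Long> blockedUntil = new ConcurrentHashMap<>();
    private final LongSupplier clock; // injected so the logic can be exercised without waiting

    public LoginThrottle(LongSupplier clock) { this.clock = clock; }

    // "Alice " and "alice" must share one counter, otherwise case variants bypass the delay
    private static String key(String user) { return user.trim().toLowerCase(Locale.ROOT); }

    /** Call before checking the password; false means the attempt is refused unverified. */
    public boolean mayAttempt(String user) {
        Long until = blockedUntil.get(key(user));
        return until == null || clock.getAsLong() >= until;
    }

    /** A failed attempt starts (or restarts) the delay window for that user. */
    public void recordFailure(String user) {
        long now = clock.getAsLong();
        if (blockedUntil.size() >= PRUNE_THRESHOLD) {
            // attacker-chosen usernames would otherwise grow the map without bound
            blockedUntil.values().removeIf(until -> until <= now);
        }
        blockedUntil.put(key(user), now + DELAY_MS);
    }

    /** A valid login clears the delay for that user. */
    public void recordSuccess(String user) { blockedUntil.remove(key(user)); }

    public static void main(String[] args) {
        long[] now = {0}; // constructed fake clock for the demonstration
        LoginThrottle throttle = new LoginThrottle(() -> now[0]);
        System.out.println("first attempt allowed: " + throttle.mayAttempt("alice"));
        throttle.recordFailure("Alice");
        now[0] = 500;
        System.out.println("retry after 0.5 s allowed: " + throttle.mayAttempt("alice"));
        now[0] = 2_000;
        System.out.println("retry after 2 s allowed: " + throttle.mayAttempt("alice"));
        throttle.recordFailure("alice");
        throttle.recordSuccess("alice");
        System.out.println("after valid login allowed: " + throttle.mayAttempt("alice"));
    }
}
```

The state lives in one shared object rather than in the session, so a client that opens a new session per request is still throttled. Keying on the username also means someone who keeps submitting bad passwords can hold the real user inside the delay window, which is why the window is kept short.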