Ah OK, thanks, I understand now. I was confused: I thought it was like fail2ban, but it's a rate-limiting system!

But it's badly done, because if I set

cas.authn.throttle.failure.range-seconds=3600
cas.authn.throttle.failure.threshold=5

it does not block for 1 hour if I have 5 bad logins.

So I have to find another solution for banning, maybe by changing the log format to have it parsed by fail2ban.

On Thu, 6 Apr 2023 at 09:43, Pascal Rigaux <[email protected]> wrote:

> Hi,
>
> Throttling protects against brute force, so by the time you refresh the page *manually* the throttling has been removed.
>
> We have the exact same throttle conf. This conf allows 1 error per 2.5 seconds: you must wait 2.5 after a failure otherwise it will be rejected.
> Our integration tests this: https://github.com/UnivParis1/integration-tests-cas-server/blob/main/throttle.test.js
> (it checks French msgs, but you should get it)
>
> On this subject, check https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Throttling.html#failure-throttling
>
> | Threshold Rate
> |
> | The failure threshold rate is calculated as: failureThreshold / failureRangeInSeconds. For instance, the failure rate for the above scenario would be 0.333333. An authentication attempt may be considered throttled if the request submission rate (calculated as the difference between the current date and the last submission date) exceeds the failure threshold rate.
>
> cu
>
> On 05/04/2023 16:14, William Vincent (Wix31) wrote:
> > Hello
> > I have a problem with throttling.
> > When I do a lot of unsuccessful tries I get the message "Unauthorized access You have entered the wrong password too many times in a row. You have been rejected.".
> > But if I refresh the page, the form is displayed and in "cas/actuator/throttles" the line with my IP disappears.
> > How do I make this persistent?
> > Maybe also would it be possible to send this IP to nftables?
> > Thanks in advance
> >
> > My configuration:
> > CAS 6.6.6
> >
> > build.gradle:
> > // authentication/Configuring-Authentication-Throttling = DDoS security
> > implementation "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
> > // authentication/Configuring-Authentication-Throttling = brute-force security
> > implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
> >
> > cas.properties:
> > # DDoS / brute-force security
> > cas.authn.throttle.failure.range-seconds=30
> > cas.authn.throttle.failure.threshold=12
> > cas.authn.throttle.core.username-parameter=username
> >
> > # DDoS throttle
> > cas.authn.throttle.bucket4j.blocking=true
> > cas.authn.throttle.bucket4j.enabled=true
> > cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
> > cas.authn.throttle.bucket4j.bandwidth[0].capacity=50
> >
> > --
> > - Website: https://apereo.github.io/cas
> > - Gitter Chatroom: https://gitter.im/apereo/cas
> > - List Guidelines: https://goo.gl/1VRrw7
> > - Contributions: https://goo.gl/mh7qDG
> > ---
> > You received this message because you are subscribed to the Google Groups "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/527ad47d-a0da-4763-8b9c-b84f89895e9an%40apereo.org.

--
William VINCENT
Systems and network administrator
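
The threshold-rate rule quoted in this thread, as an added example that is not part of the original messages and is not CAS or fail2ban code: a simplified Python model of the documented rate check beside a fail2ban-style counter, run on a constructed timeline. The function names, and the reading of the submission rate as 1 / (seconds since the last failure), are assumptions.

```python
# Added illustration: simplified model of the rate rule quoted from the CAS
# documentation, beside a fail2ban-style counter. Not CAS or fail2ban source.

def min_gap_seconds(threshold, range_seconds):
    """Inverse of the threshold rate (threshold / range_seconds): the shortest
    wait after a failure that is no longer treated as throttled."""
    return range_seconds / threshold

def rate_throttled(now, last_failure, threshold, range_seconds):
    """Throttled when the submission rate, assumed to be 1 / (now - last_failure),
    exceeds threshold / range_seconds. No failure counter is kept."""
    if last_failure is None:
        return False
    gap = now - last_failure
    if gap <= 0:
        return True
    return 1.0 / gap > threshold / range_seconds

def ban_style_blocked(now, failures, max_retry, find_time, ban_time):
    """fail2ban-style rule (hypothetical parameter names): once max_retry
    failures fall inside find_time, block until ban_time has elapsed."""
    seen = sorted(t for t in failures if t <= now)
    for i in range(max_retry - 1, len(seen)):
        trigger, first = seen[i], seen[i - max_retry + 1]
        if trigger - first <= find_time and now < trigger + ban_time:
            return True
    return False

# Constructed sample: timestamps (seconds) of five recorded login failures.
FAILURES = [0, 10, 20, 30, 40]

def compare(now, threshold=5, range_seconds=3600):
    """Evaluate both rules at time `now` for threshold=5, range-seconds=3600."""
    return {
        "rate": rate_throttled(now, FAILURES[-1], threshold, range_seconds),
        "ban": ban_style_blocked(now, FAILURES, threshold,
                                 range_seconds, range_seconds),
    }

if __name__ == "__main__":
    print(min_gap_seconds(12, 30))    # settings from the original post
    print(min_gap_seconds(5, 3600))   # settings from the reply
    for t in (45, 800, 3700):
        print(t, compare(t))
```

Under this model the 3600/5 setting only rejects attempts made within 720 seconds of the last failure, while the ban-style rule keeps rejecting for the full hour after the fifth failure.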
