Hello Johannes,

that's a good topic you've got here...

I agree with Korbinian that locking out IPs is a bad idea. One could
extend that to the combination of username/IP, but that could be worked
around with a more sophisticated script.

What do you think about logging false logins on a per-user basis, and
delay the response after the first false attempt by a couple of seconds
until another valid login for that user happened? I think the Linux
shell login works like that.

Or, one could lock an account completely after say three false attempts,
and send an email to the user with a link to unlock it again.


.rue
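To make the per-user idea above concrete, here is an added example (my own sketch, not code from this thread or from the Wicket project): a small, framework-agnostic Java class that counts failed logins per username, reports a doubling response delay after the first failure, locks the account after a configurable number of failures, and resets on a successful login or on the unlock link from the email. The class name, method names and the tuning numbers in `main` are all assumptions; wiring it into the Wicket sign-in form is left to the application.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Per-user failed-login tracker (added example; names are hypothetical).
 * Intended use in a login handler:
 *   if (throttle.isLocked(user))      -> show "account locked, check your email"
 *   hold the response for throttle.delayFor(user, now) milliseconds
 *   on a bad password:  throttle.recordFailure(user, now)
 *   on a good password: throttle.recordSuccess(user)   (also from the unlock link)
 */
public class LoginThrottle {

    /** Mutable per-user state; callers synchronize on the instance. */
    private static final class Record {
        int failures;
        long lastFailureMillis;
    }

    private final Map<String, Record> records = new ConcurrentHashMap<>();
    private final long baseDelayMillis;    // delay after the first failure
    private final long maxDelayMillis;     // cap so the delay stays bounded
    private final int lockAfter;           // failures before the account locks
    private final long forgetAfterMillis;  // idle time after which old failures are forgotten

    public LoginThrottle(long baseDelayMillis, long maxDelayMillis,
                         int lockAfter, long forgetAfterMillis) {
        this.baseDelayMillis = baseDelayMillis;
        this.maxDelayMillis = maxDelayMillis;
        this.lockAfter = lockAfter;
        this.forgetAfterMillis = forgetAfterMillis;
    }

    /** Milliseconds the response for this user should be held back right now. */
    public long delayFor(String user, long nowMillis) {
        Record r = records.get(user);
        if (r == null) {
            return 0;
        }
        synchronized (r) {
            if (r.failures == 0) {
                return 0;
            }
            if (nowMillis - r.lastFailureMillis > forgetAfterMillis) {
                r.failures = 0;            // stale failures no longer count
                return 0;
            }
            // base * 2^(failures-1), capped; the shift is bounded to avoid overflow
            long delay = baseDelayMillis << Math.min(r.failures - 1, 20);
            return Math.min(delay, maxDelayMillis);
        }
    }

    /** True once the user has reached the lockout threshold. */
    public boolean isLocked(String user) {
        Record r = records.get(user);
        if (r == null) {
            return false;
        }
        synchronized (r) {
            return r.failures >= lockAfter;
        }
    }

    /** Records one failed attempt and returns the new failure count. */
    public int recordFailure(String user, long nowMillis) {
        Record r = records.computeIfAbsent(user, u -> new Record());
        synchronized (r) {
            if (nowMillis - r.lastFailureMillis > forgetAfterMillis) {
                r.failures = 0;
            }
            r.failures++;
            r.lastFailureMillis = nowMillis;
            return r.failures;
        }
    }

    /** A valid login, or the unlock link from the email, clears the user's history. */
    public void recordSuccess(String user) {
        records.remove(user);
    }

    public static void main(String[] args) {
        // constructed settings: 2 s base delay, 30 s cap, lock after 3, forget after 15 min
        LoginThrottle t = new LoginThrottle(2000, 30000, 3, 15 * 60 * 1000);
        long now = 0;
        System.out.println("before any failure: " + t.delayFor("alice", now));
        t.recordFailure("alice", now);
        System.out.println("after 1 failure:    " + t.delayFor("alice", now));
        t.recordFailure("alice", now += 1000);
        System.out.println("after 2 failures:   " + t.delayFor("alice", now)
                + ", locked=" + t.isLocked("alice"));
        t.recordFailure("alice", now += 1000);
        System.out.println("after 3 failures:   locked=" + t.isLocked("alice"));
        t.recordSuccess("alice");   // unlock link clicked or valid login
        System.out.println("after reset:        " + t.delayFor("alice", now));
    }
}
```

Two practical notes for the design. Holding a response by sleeping the request thread ties up a container thread for the whole delay, so for anything beyond a couple of seconds it is cheaper to reject immediately with a "try again later" page than to sleep. And keying on the username alone means the counter only protects one account at a time; it says nothing about the total login rate of the application, so it is usually paired with a modest application-wide cap on login attempts, which is less drastic than the IP lockout Korbinian objected to. The email-unlock link is what keeps the lockout variant from becoming a way to lock real users out of their own accounts.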


Johannes Fahrenkrug wrote:
> Hi!
> 
> I'd like to prevent brute force attacks on the login page of my wicket 
> application. What would be the best approach? This is what I'm thinking 
> about doing: Record when the last request for the loginpage from a 
> certain IP came in and only handle the request when at least a second or 
> two have passed.
> This would have to be done application wide because when an attacker 
> uses a tool like cURL a new session is created with each request.
> 
> So what would you guys suggest?
> 
> - Johannes
> 
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Wicket-user mailing list
> Wicket-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wicket-user
> 
> 
