Trying to understand Authentication Throttling


Alberto Cabello Sánchez

May 30, 2019, 6:25:52 AM5/30/19
to cas-...@apereo.org
Hi,

I want to prevent a CAS server from being used to guess passwords, so
I'm reading the docs about Authentication Throttling. I find it somewhat
confusing, because it is not clear how period and threshold work together.
From the docs:

> All login throttling components that ship with CAS limit successive
> failed login attempts that exceed a threshold rate in failures per
> second. The following properties are provided to define the failure
> rate:
>
> failureRangeInSeconds:
> Period of time in seconds during which the threshold applies.
> failureThreshold:
> Number of failed login attempts permitted in the above period.

On the other hand, I've read in this group

> Those throttle settings get reduced to a common denominator. When you
> set 3 failures within 15 seconds, it is converted to 1 in 5 seconds.

If I'm understanding it correctly, there is no point having two different
properties instead of just a hypothetical "secondsBetweenConsecutiveFailures".

Besides that, the logged message (e.g. "More than [3] failed login
attempts within [15] seconds. Authentication attempt exceeds the failure
threshold [3]") is very misleading, as it can be triggered just after two
quick failed logins.

Is there no way to send the IP/username to the waiting room when failing
four times in a minute but not when failing two times in 30 seconds?

Regards,

--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura
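As an added illustration (not code from CAS or from the poster), the following Python simulation contrasts the two semantics the post is asking about: the rate reduction described in the quoted reply (threshold and range collapsed to a minimum spacing between consecutive failures) and a sliding-window counter that only blocks once the threshold is actually reached inside the period. Function names and the failure timestamps are constructed for the example.

```python
"""Compare two throttling semantics over a list of failed-login timestamps.

Timestamps are seconds relative to the first failure; each function returns
the timestamps of the attempts it would have sent to the "waiting room".
"""
from collections import deque


def rate_throttle(failure_times, threshold, range_seconds):
    """Model of the quoted reply: 3 failures / 15 s is reduced to one failure
    every 5 s, so any failure closer than range/threshold seconds to the
    previous one is blocked (assumption: blocked attempts still count as
    failures for the next comparison)."""
    min_gap = range_seconds / threshold  # 15 / 3 -> 5.0 seconds
    blocked, last = [], None
    for t in failure_times:
        if last is not None and (t - last) < min_gap:
            blocked.append(t)
        last = t
    return blocked


def window_throttle(failure_times, threshold, range_seconds):
    """Sliding-window counter: block a failure only when `threshold` earlier
    failures already sit inside the trailing `range_seconds` window."""
    window, blocked = deque(), []
    for t in failure_times:
        while window and (t - window[0]) > range_seconds:
            window.popleft()  # drop failures that aged out of the period
        if len(window) >= threshold:
            blocked.append(t)
        window.append(t)
    return blocked


def demo():
    """Constructed scenarios from the post: two quick failures, and four
    failures spread across one minute, both with threshold 3 / range 60 s."""
    two_quick = [0, 2]
    four_in_a_minute = [0, 10, 20, 30]
    return {
        "rate_two_quick": rate_throttle(two_quick, 3, 60),        # [2]
        "window_two_quick": window_throttle(two_quick, 3, 60),    # []
        "rate_four": rate_throttle(four_in_a_minute, 3, 60),      # [10, 20, 30]
        "window_four": window_throttle(four_in_a_minute, 3, 60),  # [30]
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: blocked at {blocked}")
```

The rate model blocks the second of two failures only 2 s apart (the log message the post finds misleading), while the window model lets them through and blocks only the fourth failure inside the minute.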