Failed Login Attempts

Jeremiah Garmatter

May 17, 2021, 11:32:53 AM
to CAS Community
Hello,

I'm looking for a feature of CAS 6.3 that will allow me to lock or limit users after a few failed login attempts. I have tried the failure throttling module but find it confusing and not quite what I'm looking for.

The failure throttling module seems like it can only detect 2 auth failures if the second one comes in very quickly (fast enough to be caught by the defined threshold per secondRange rate). If someone slows down their authentication attempts so they occur once every second, they'll never be caught, right? Also, 3 failed attempts over 15 seconds has the same effect as 2 failed attempts over 10 seconds, so if you only fail 2, you won't be allowed to try a third time.

Is there another feature that would let me define an actual amount of failed logins over a period of time instead of a rate?
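To make the difference between the two policies concrete, here is a small added model (my code, not CAS's implementation). The rate policy reproduces the behaviour described above as I read it: each failure is compared only with the previous one, and the throttle trips when 1 / (gap between them) exceeds threshold / range_seconds. The count policy is the "N failures within T seconds" semantics the question asks for. The timestamps and the settings (3 per 2 s for the rate policy, 3 within 60 s for the count policy) are constructed for the example.

```python
"""Added model comparing a rate-based throttle with a count-in-window throttle.

Not CAS code. The rate policy models the behaviour described in the thread:
each failure is compared only with the previous one, and the throttle trips
when 1 / (gap between them) exceeds threshold / range_seconds. The count policy
is the "N failures within T seconds" semantics the post asks for. Inputs are
lists of failed-login timestamps (seconds) for one key, e.g. one username or
one client IP.
"""
from collections import deque
from typing import Deque, Dict, Optional, Sequence


def rate_policy_trips_at(failures: Sequence[float], threshold: int,
                         range_seconds: float) -> Optional[int]:
    """Index of the failure at which the rate throttle trips, or None."""
    limit = threshold / range_seconds          # allowed failures per second
    last: Optional[float] = None
    for i, t in enumerate(failures):
        if last is not None:
            gap = t - last
            # two failures closer together than 1/limit seconds exceed the rate
            if gap <= 0 or 1.0 / gap > limit:
                return i
        last = t
    return None


def count_policy_trips_at(failures: Sequence[float], max_failures: int,
                          window_seconds: float) -> Optional[int]:
    """Index of the failure at which max_failures failures land inside one
    sliding window of window_seconds, or None."""
    window: Deque[float] = deque()
    for i, t in enumerate(failures):
        window.append(t)
        while t - window[0] > window_seconds:   # drop failures older than the window
            window.popleft()
        if len(window) >= max_failures:
            return i
    return None


# Constructed inputs: a quick burst, and failures spaced exactly one second
# apart (the pattern the post says a rate throttle never catches).
BURST = [0.0, 0.2, 0.4]
SLOW = [0.0, 1.0, 2.0, 3.0, 4.0]

# Constructed settings: 3 failures per 2 seconds = 1.5/s for the rate policy,
# 3 failures within any 60-second window for the count policy.
RATE_THRESHOLD, RATE_RANGE = 3, 2.0
MAX_FAILURES, WINDOW = 3, 60.0


def compare(failures: Sequence[float]) -> Dict[str, Optional[int]]:
    """Trip index under each policy for the same failure sequence."""
    return {
        "rate": rate_policy_trips_at(failures, RATE_THRESHOLD, RATE_RANGE),
        "count": count_policy_trips_at(failures, MAX_FAILURES, WINDOW),
    }


if __name__ == "__main__":
    for name, failures in (("burst", BURST), ("slow", SLOW)):
        print(name, compare(failures))
    # The post's equivalence: 3 per 15 s and 2 per 10 s are the same 0.2/s rate,
    # so a 4-second gap trips both and a 6-second gap trips neither.
    print(rate_policy_trips_at([0.0, 4.0], 2, 10.0),
          rate_policy_trips_at([0.0, 4.0], 3, 15.0),
          rate_policy_trips_at([0.0, 6.0], 2, 10.0))
```

Running it shows the burst tripping both policies, while the one-per-second sequence trips only the count policy (at the third failure); under the rate policy it never trips, which is the gap the question points at.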

Ray Bon

May 17, 2021, 12:40:30 PM
to cas-...@apereo.org
Jeremiah,

There is also throttling based on username and IP address, https://apereo.github.io/cas/6.3.x/installation/Configuring-Authentication-Throttling.html. I have not used this, just rate throttling.

Ray

Richard Frovarp

May 18, 2021, 2:24:20 PM
to cas-...@apereo.org
Adding user won't catch a spray over different usernames. I just use rate throttling as well.

And yeah, if they go down to 1 per second, you'll never catch them with the throttle. You also won't catch them if they come at you with hundreds of IPs.

Jeremiah Garmatter

May 18, 2021, 3:42:21 PM
to CAS Community, richard.frovarp
Thanks for the clarification, guys.

Failure and rate throttling are better than nothing. I'll use them and maybe set up another script to alert me if strange behavior rolls in.

Richard Frovarp

May 18, 2021, 3:47:31 PM
to cas-...@apereo.org
Don't get me wrong, throttling is definitely good. The thing you want to watch out for is when unexpected attempts succeed. So one bit of strange behavior to be on the lookout for is an authentication that triggers MFA, but the MFA success never happens. It will depend on your MFA solution. However, for instance, Duo won't send a failure, only a success. So you would want to watch for the trigger on Duo, but never seeing any success. That either means your users are having trouble with MFA, or an attacker has found the creds, but hasn't triggered MFA by blocking the MFA scripts from even running. If they have blocked the scripts, you won't even see anything in Duo or your MFA solution of choice.
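The check described in this reply, and the alerting script mentioned earlier in the thread, as an added example (my code, not CAS's or Duo's): it correlates each primary authentication with the MFA events that follow it and reports logins where MFA was triggered but no success ever arrived. Because a provider like Duo reports successes only, the detector is built around the absence of a success event. The log format and the three event names (AUTHENTICATION_SUCCESS, MFA_TRIGGERED, MFA_SUCCESS) are constructed for the example; map your own CAS audit or provider events onto them. The second finding type, a primary success with no MFA trigger at all, extends the last point of the reply and assumes every user is expected to go through MFA.

```python
"""Added detection example (not CAS or Duo code): flag logins where MFA was
triggered but never completed, and logins where MFA was never triggered.

The log format below is constructed for this example; map your own CAS audit
or MFA provider events onto the same three event names before using it.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample lines. Duo-style providers report successes only, so the
# signal is the absence of MFA_SUCCESS after MFA_TRIGGERED.
SAMPLE_LOG = """\
2021-05-18T14:00:00Z user=alice ip=203.0.113.10 event=AUTHENTICATION_SUCCESS
2021-05-18T14:00:01Z user=alice ip=203.0.113.10 event=MFA_TRIGGERED provider=mfa-duo
2021-05-18T14:00:20Z user=alice ip=203.0.113.10 event=MFA_SUCCESS provider=mfa-duo
2021-05-18T14:05:00Z user=bob ip=198.51.100.7 event=AUTHENTICATION_SUCCESS
2021-05-18T14:05:01Z user=bob ip=198.51.100.7 event=MFA_TRIGGERED provider=mfa-duo
2021-05-18T14:20:00Z user=carol ip=198.51.100.9 event=AUTHENTICATION_SUCCESS
2021-05-18T14:30:00Z user=dave ip=203.0.113.44 event=AUTHENTICATION_SUCCESS
2021-05-18T14:30:02Z user=dave ip=203.0.113.44 event=MFA_TRIGGERED provider=mfa-duo
2021-05-18T14:30:15Z user=dave ip=203.0.113.44 event=MFA_SUCCESS provider=mfa-duo
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse 'timestamp k=v k=v ...' into a dict; None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, Any] = dict(
        kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(
        m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def find_incomplete_mfa(lines: Iterable[str], window_seconds: int = 300,
                        now: Optional[datetime] = None) -> List[Dict[str, str]]:
    """Return one finding per primary login that did not complete MFA within
    window_seconds. Logins newer than the window are skipped as still pending."""
    events = [e for e in (parse_line(ln) for ln in lines)
              if e and all(k in e for k in ("user", "ip", "event"))]
    events.sort(key=lambda e: e["ts"])
    if not events:
        return []
    if now is None:
        now = events[-1]["ts"]          # default: the newest event seen
    by_key: Dict[Any, List[Dict[str, Any]]] = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["ip"])].append(e)

    findings: List[Dict[str, str]] = []
    for (user, ip), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["event"] != "AUTHENTICATION_SUCCESS":
                continue
            if (now - e["ts"]).total_seconds() < window_seconds:
                continue                # MFA may still be in progress; re-check later
            later = {x["event"] for x in evs[i + 1:]
                     if (x["ts"] - e["ts"]).total_seconds() <= window_seconds}
            reason = None
            if "MFA_TRIGGERED" in later and "MFA_SUCCESS" not in later:
                reason = "mfa-triggered-no-success"   # the case the reply describes
            elif "MFA_TRIGGERED" not in later:
                reason = "no-mfa-trigger"             # MFA never even started
            if reason:
                findings.append({"user": user, "ip": ip,
                                 "at": e["ts"].isoformat(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_incomplete_mfa(SAMPLE_LOG.splitlines()):
        print(f"ALERT {f['reason']}: user={f['user']} ip={f['ip']} at={f['at']}")
```

On the sample input this reports bob (MFA triggered, no success) and carol (no MFA trigger at all), while alice completed MFA and dave's login is still inside the window. Keying on user plus IP keeps a success from one location from masking an incomplete attempt from another; either finding type is worth a ticket, since the benign explanation (users struggling with MFA) and the hostile one (valid credentials in the wrong hands) look identical in these logs.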