Isn't Brute Force logging wrongly implemented?


Philippe ROUVRAY

Jan 25, 2020, 8:57:49 AM
to Keycloak User
Hi,

One of my clients (using Keycloak) was alerting me that the brute force attempts against his commercial site were very high, actually as high as the login failures.

I set up the brute force detection for my Demo realm like this:
Max Login Failures: 2
Wait Increment: 15 min

My first 2 attempts to login with a wrong password are logged as login errors, fair enough, but they are logged as well as brute force attempts. See the logs below:

14:21:37,865 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8180/auth/realms/demo/account/login-redirect, code_id=8821f21a-73ea-46f7-b68a-5c012c70fccb, username=stian, authSessionParentId=8821f21a-73ea-46f7-b68a-5c012c70fccb, authSessionTabId=vzLNcFow7qs
14:21:37,869 WARN  [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 2bc255ad-46c6-4032-91d6-a4376f6b3240 from ip 127.0.0.1
14:21:57,211 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8180/auth/realms/demo/account/login-redirect, code_id=8821f21a-73ea-46f7-b68a-5c012c70fccb, username=stian, authSessionParentId=8821f21a-73ea-46f7-b68a-5c012c70fccb, authSessionTabId=vzLNcFow7qs
14:21:57,214 WARN  [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 2bc255ad-46c6-4032-91d6-a4376f6b3240 from ip 127.0.0.1
14:22:07,687 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8180/auth/realms/demo/account/login-redirect, code_id=8821f21a-73ea-46f7-b68a-5c012c70fccb, username=stian, authSessionParentId=8821f21a-73ea-46f7-b68a-5c012c70fccb, authSessionTabId=vzLNcFow7qs
14:22:53,614 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8180/auth/realms/demo/account/login-redirect, code_id=8821f21a-73ea-46f7-b68a-5c012c70fccb, username=stian, authSessionParentId=8821f21a-73ea-46f7-b68a-5c012c70fccb, authSessionTabId=vzLNcFow7qs

It is wrong! The first attempt is a simple login error that should not be logged as a brute force attempt. Only the second attempt should be logged as a brute force attempt, in compliance with my setup. I'm tempted to say that the following attempts, which happened once my user was locked out, should also be logged as brute force attempts. It's debatable. But what is not debatable, in my opinion, is to log as a brute force attempt any login failure that takes place before the max login failure threshold. Should I log a Jira ticket?

Best regards,


Max Allan

Jan 27, 2020, 4:19:33 AM
to Keycloak User
I think it is simply the brute force protector warning that there was a login failure. 

Are you saying that the first login fail should not be counted against a brute force attempt? That if you set the threshold to 3, you should have one free go that it doesn't warn you about and then 3 more attempts that do get logged as brute force?

Or are you saying that the brute force protector should not log all instances where it counts failed logins? So if you leave the threshold at 3, you only get one warning and one "locked" message that someone is brute forcing in the log files.

You can simply ignore the brute force protector messages if they concern you. If you want to know if an account is locked, look for "user_temporarily_disabled". Unless you have any other temporary disabling features?

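The counting rule Philippe describes (a warning only once the configured Max Login Failures is reached) and the marker Max suggests watching for (user_temporarily_disabled), as an added example that is not part of the thread and not Keycloak code. The script replays org.keycloak.events log lines in the format quoted above; the sample lines are constructed to match that format (ids, addresses and the second user are made up, and the LOGIN success line assumes success events are logged at a visible level). The 900-second window after which old failures are forgotten is an assumption of this script, not a setting taken from the thread.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample lines in the shape of the org.keycloak.events logger output quoted in
# the thread. Ids, IP addresses and the user "alice" are made up for this example.
SAMPLE_LOG = """\
14:21:37,865 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, username=stian
14:21:37,869 WARN  [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 2bc255ad-46c6-4032-91d6-a4376f6b3240 from ip 127.0.0.1
14:21:57,211 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, username=stian
14:21:57,214 WARN  [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 2bc255ad-46c6-4032-91d6-a4376f6b3240 from ip 127.0.0.1
14:22:07,687 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, username=stian
14:22:53,614 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=2bc255ad-46c6-4032-91d6-a4376f6b3240, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, username=stian
14:23:10,001 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=aaaaaaaa-0000-0000-0000-000000000001, ipAddress=10.0.0.5, error=invalid_user_credentials, auth_method=openid-connect, username=alice
14:23:20,002 INFO  [org.keycloak.events] (default task-1) type=LOGIN, realmId=demo, clientId=account, userId=aaaaaaaa-0000-0000-0000-000000000001, ipAddress=10.0.0.5, auth_method=openid-connect, username=alice
"""

# Matches only the events logger lines; Brute Force Protector lines (org.keycloak.services)
# are deliberately ignored because, as the thread shows, they repeat on every failure.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) \w+\s+\[org\.keycloak\.events\] \([^)]*\) (?P<fields>.*)$"
)

Alert = namedtuple("Alert", "kind ts realm user_id username ip count")


def parse_event(line):
    """Parse one org.keycloak.events line into a dict of its key=value fields, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for part in m.group("fields").split(", "):
        key, sep, value = part.partition("=")  # first '=' only; values may contain '='
        if sep:
            fields[key] = value
    return fields


def _seconds(ts):
    """Convert 'HH:MM:SS,mmm' to seconds since midnight."""
    h, m, rest = ts.split(":")
    s, ms = rest.split(",")
    return int(h) * 3600 + int(m) * 60 + int(s) + int(ms) / 1000.0


def detect(lines, max_login_failures, reset_seconds=900):
    """Replay event lines and return the alerts a defender would act on.

    BRUTE_FORCE_THRESHOLD is raised only when a (realm, user) accumulates
    max_login_failures invalid_user_credentials errors within reset_seconds (an assumed
    window); failures below the threshold are counted silently. LOCKED_OUT_ATTEMPT is
    raised for every attempt rejected with user_temporarily_disabled. A successful LOGIN
    clears that user's counter.
    """
    failures = defaultdict(list)  # (realm, userId) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.get("realmId"), ev.get("userId"))
        now = _seconds(ev["ts"])
        if ev.get("type") == "LOGIN":
            failures.pop(key, None)
            continue
        if ev.get("type") != "LOGIN_ERROR":
            continue
        error = ev.get("error")
        if error == "invalid_user_credentials":
            recent = [t for t in failures[key] if now - t <= reset_seconds]
            recent.append(now)
            failures[key] = recent
            if len(recent) >= max_login_failures:
                alerts.append(Alert("BRUTE_FORCE_THRESHOLD", ev["ts"], key[0], key[1],
                                    ev.get("username"), ev.get("ipAddress"), len(recent)))
        elif error == "user_temporarily_disabled":
            alerts.append(Alert("LOCKED_OUT_ATTEMPT", ev["ts"], key[0], key[1],
                                ev.get("username"), ev.get("ipAddress"), len(failures[key])))
    return alerts


if __name__ == "__main__":
    # With Max Login Failures = 2 as in the thread: one threshold alert for stian's second
    # failure, one lockout alert per rejected attempt afterwards, nothing for alice.
    for a in detect(SAMPLE_LOG.splitlines(), max_login_failures=2):
        print(a.kind, a.ts, a.realm, a.username, a.ip, "failures=%d" % a.count)
```

Feeding the events log rather than the Brute Force Protector lines into a script like this gives the count Philippe's client wants without changing Keycloak's logging; the user_temporarily_disabled alerts are also the signal for the watchdog he mentions, since each one is an attempt made while the lockout is still in force.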
Philippe ROUVRAY

Jan 27, 2020, 4:46:48 AM
to Keycloak User
My client wants to track down the brute force attempts.
To achieve that, he counts the brute force protector warnings out of the logs. I don't know any other way to get such information.

If I set the threshold to 3, I should have 2 free goes (not 1) and then the 3rd failed attempt should be logged as a brute force attack.

Exactly what I'm saying: the brute force protector should not log all failed logins when we are below the set threshold.

I cannot simply ignore the brute force protector messages as you suggest, because I want to know when I'm facing a brute force attack and act accordingly (phone the customer that his account has been hacked or that suspicious activity is taking place with his account).

Tracking down user_temporarily_disabled statuses may be a way, but I need to build up some watchdog mechanism, the locked-down customer being active again after some configurable time.

Rowan Matulis

May 12, 2020, 9:42:20 PM
to Keycloak User
I believe failed login attempts are logged in the database also.