如何限制 Java Web 应用程序中的登录尝试?
我想实现一种有效的机制来限制 Java Web 应用程序中的登录尝试,以防止对用户帐户的暴力攻击。
Simon Willison 展示了 Django 的 Python 实现: 这并没有真正帮助我,因为我不能使用 memcached 也不能使用 Django。
从头开始移植他的想法似乎也不是一件好事——我不想重新发明轮子。
我找到了一个 Java 实现,虽然看起来相当天真:它不是 LRU 缓存,而是在 15 分钟后清除所有条目。
EHCache 可能是 memcached 的替代方案,但我没有任何使用它的经验,并且如果有更好的替代方案来完成此任务,我也不想引入另一种技术。
那么,在Java中实现登录限制有什么好方法呢?
I want to implement an efficient mechanism to throttle login attemps in my Java web application, to prevent brute-force attacks on user accounts.
Jeff explained the why, but not the how.
Simon Willison showed an implementation in Python for Django:
That doesn't really help me along as I can't use memcached nor Django.
Porting his ideas from scratch doesn't seem like a great either - I don't want to reinvent the wheel.
I found one Java implementation, though it seems rather naiive: Instead of a LRU cache, it just clears all entries after 15 minutes.
EHCache could be an alternative for memcached, but I don't have any experience with it and don't really want to intoduce yet another technology if there are better alternatives for this task.
So, whats a good way to implement login throttling in Java?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
我认为即使 EHCache 也在用凝固汽油弹杀死一只苍蝇。 问题很简单,实现也很简单。
我建议在顶层使用 servlet 过滤器,以便尽可能少地进行处理。
创建一个类来存储以下内容:
现在,sunchronized 块中的代码很简单:
就是这样(只要代码是同步的)。
I think even EHCache is killing a fly with a napalm bomb. The problem is simple and so is the implementation.
I suggest using a servlet filter a the top level so that as little processing as possible is done.
Create a class to store the following:
Now, the code is simple in a sunchronized block:
thats it man (as long as the code is synchronized).
我刚刚完成了由方面安全性运行的网络安全课程,其中的建议之一是在任何登录尝试中加入自然延迟 - 理论是 1 或 2第二次延迟对于真实用户来说没什么,但会严重阻碍暴力攻击。
I've just completed the web security course run by aspect security and one of the suggestions that came out of that was to just include a natural delay in any login attempt - the theory being that a 1 or 2 second delay is nothing to a real-user but will seriously hamper brute force attacks.
没有提到的一个是让他们在多次错误尝试后回答忘记密码的问题+输入密码
One that hasn't been mentioned is make them answer forgotten password question(s) after so many bad attempts + enter their password
EHCache 非常好,更重要的是不是由您编写的,因此您不必重新实现功能并可能出错。
我的解决方案将在登录代码中涉及 EHCache 或更简单的东西(如果它是一个小应用程序并且我并不真正关心并发性能)。
您将为每个 IP 存储失败计数和时间戳。
EHCache is pretty good, and more importantly Not Written By You, so you don't have to reimplement features and possibly get them wrong.
My solution would involve either EHCache or something simpler (if it was a small app and I didn't really care about concurrency performance) in the login code.
You would store, per IP, a fail count and a timestamp.
我使用了包含用户详细信息的登录尝试计数字段。 当达到 50 时,正确的密码将被拒绝,用户必须执行密码重置。
I've used a Login Attempt count field with user details. When it gets to 50, correct passwords are rejected and the user has to perform a password reset.
如果登录尝试之间的时间呈指数增长怎么办?
What about an exponential increase in time between login attemps?
维护错误的登录尝试次数,如果达到 N,则阻止用户并要求验证码或重置密码才能继续。
Maintain wrong login attempt number and if it will reach to N, block the user and ask for captcha or password reset to continue.