Spring MVC Web应用程序检测暴力攻击的最佳方式是什么？ [英] Best way for a Spring MVC web app to detect a brute force attack?

问题描述

Spring 3.0 MVC中是否有任何特性可以帮助在Web应用程序的身份验证/登录页面上检测暴力攻击？

Are there any features specifically in Spring 3.0 MVC that would help implementing detection of a brute force attack on the authentication/login page of a web app?

推荐答案

久经考验的做法是在认证失败时引入随机但相当大的延迟。

Long-proven practice is to introduce a random but sizable delay if authentication has failed.

这样合法用户就可以立即登录，但攻击者每次尝试将花费500ms-1s，这使得整个暴力想法变得不切实际（将需要永远） 。

This way legitimate users will log on right away, but an attacker will spend 500ms-1s per try, which makes the whole brute-force idea impractical (will take forever).

合法用户偶尔登录失败会导致他们只有一点点延迟而且会被忽视。

Occasional failed login by legitimate users will cause them only a minor delay and will go unnoticed.

如果你需要在重复登录失败时收到通知，您需要实现报告打印每个用户的后续失败登录数量，按该数量desc限制100订购。

If you need to be notified on repeated failed logins, you need to implement a report printing number of consequential failed logins per user, order by that number desc limit 100.

PS 此处是一篇解释如何获得登录尝试通知的帖子。我相信按照相同的方法可以引入延迟。

P.S. Here is a post explaining how to get notified on login attempt. Following the same approach one can introduce a delay, I believe.

这篇关于Spring MVC Web应用程序检测暴力攻击的最佳方式是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！