Spring MVC Web应用程序检测暴力攻击的最佳方式是什么? [英] Best way for a Spring MVC web app to detect a brute force attack?
问题描述
Spring 3.0 MVC中是否有任何特性可以帮助在Web应用程序的身份验证/登录页面上检测暴力攻击?
Are there any features specifically in Spring 3.0 MVC that would help implementing detection of a brute force attack on the authentication/login page of a web app?
推荐答案
久经考验的做法是在认证失败时引入随机但相当大的延迟。
Long-proven practice is to introduce a random but sizable delay if authentication has failed.
这样合法用户就可以立即登录,但攻击者每次尝试将花费500ms-1s,这使得整个暴力想法变得不切实际(将需要永远) 。
This way legitimate users will log on right away, but an attacker will spend 500ms-1s per try, which makes the whole brute-force idea impractical (will take forever).
合法用户偶尔登录失败会导致他们只有一点点延迟而且会被忽视。
Occasional failed login by legitimate users will cause them only a minor delay and will go unnoticed.
如果你需要在重复登录失败时收到通知,您需要实现报告打印每个用户的后续失败登录数量,按该数量desc限制100订购。
If you need to be notified on repeated failed logins, you need to implement a report printing number of consequential failed logins per user, order by that number desc limit 100.
PS 此处是一篇解释如何获得登录尝试通知的帖子。我相信按照相同的方法可以引入延迟。
P.S. Here is a post explaining how to get notified on login attempt. Following the same approach one can introduce a delay, I believe.
这篇关于Spring MVC Web应用程序检测暴力攻击的最佳方式是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!