Currently, if an rdap-server has Shiro configuration in order to allow credentials and roles management, there isn't a mechanism to protect the server from a brute force attack to gain credentials for an rdap user.
Could it be possible to create functionality to manage failed login attempts in order to avoid a brute force attack on rdap users?
The closest functionality provided by the server is the Rate Limit Filter, but just as stated in the docs:
{...} this problem would be handled by means of firewall rules, load balancing and/or rate-limits within reverse proxies (mod-qos and limitipconn2, for example) {...}
Why does the server lack this protection? Because of REST. REST is supposed to be stateless, so the server shouldn't be remembering who did this or that (at least in terms of requests). The recommendation is to place "something" protecting the server, just as mentioned in the docs (firewall, balancer, etc.).
So, the login management will be avoided by the server for now. It's a fact that the server itself can be attacked by brute force, but we trust that whoever uses this RDAP implementation will use something to protect the server.
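For reference, here is a minimal illustration of the failed-login management the issue asks for. It is an added example, not code from rdap-server or from the project's docs; the hook names (`record_failure`, `record_success`, `is_locked`) and the sample events are assumptions. It keeps per-(source IP, user) state with a sliding window and a lockout, which is exactly the stateful component the reply says does not belong in a stateless REST server, so in practice this logic would sit in the reverse proxy or a shared store in front of the server rather than inside it.

```python
"""Failed-login throttle: sliding window of failures per (source IP, user),
with a temporary lockout once the window fills. Added example; the hook
names and sample events below are assumptions, not rdap-server code."""
from collections import deque
import time


class ManualClock:
    """Injectable clock so the behaviour can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class FailedLoginTracker:
    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}      # (ip, user) -> deque of failure timestamps
        self._locked_until = {}  # (ip, user) -> timestamp when lockout ends

    @staticmethod
    def _key(ip, user):
        # Keyed on IP *and* user so one source cannot lock out every account,
        # and a user tried from many sources is still counted per source.
        return (ip, user.lower())

    def is_locked(self, ip, user):
        key = self._key(ip, user)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget the old failures as well.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, ip, user):
        """Register a failed attempt; returns True if it triggered a lockout."""
        key = self._key(ip, user)
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        q.append(now)
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, ip, user):
        """A successful login clears the counter for that (ip, user)."""
        key = self._key(ip, user)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def simulate(tracker, events):
    """Feed (ip, user, outcome) events, outcome 'ok' or 'fail', and return the
    decision the front-end would take for each one."""
    decisions = []
    for ip, user, outcome in events:
        if tracker.is_locked(ip, user):
            decisions.append("rejected:locked")
            continue
        if outcome == "ok":
            tracker.record_success(ip, user)
            decisions.append("accepted")
        else:
            locked = tracker.record_failure(ip, user)
            decisions.append("failed:locked" if locked else "failed")
    return decisions


def demo():
    """Constructed sample: three failures from one source lock that (ip, user)
    pair, a later correct password is still rejected until the lockout ends,
    and a different user from the same source is unaffected."""
    clock = ManualClock()
    tracker = FailedLoginTracker(max_failures=3, window_seconds=60,
                                 lockout_seconds=120, clock=clock)
    events = [("198.51.100.7", "alice", "fail")] * 3 + \
             [("198.51.100.7", "alice", "ok"), ("198.51.100.7", "bob", "ok")]
    first = simulate(tracker, events)
    clock.advance(121)
    after_lockout = simulate(tracker, [("198.51.100.7", "alice", "ok")])
    return first, after_lockout


if __name__ == "__main__":
    print(demo())
```

The window matters as much as the threshold: failures older than `window_seconds` no longer count, so a slow, spread-out guess rate is not locked out by this alone; that is where the proxy-level rate limits the reply recommends complement it.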