Tags: security, keycloak, brute-force, locked

Prevent brute-force detection for certain users in keycloak


I have applied brute-force detection in Keycloak in my project. But my requirement is that I want to keep out 2 users from brute-force detection and want a default setting for them.

How can I set in the realm so that I can prevent brute-force detection for certain users?


Solution

  • In the Keycloak documentation for the Password guess: brute force attacks feature, one can read:

    A brute force attack happens when an attacker is trying to guess a user’s password. Keycloak has some limited brute force detection capabilities. If turned on, a user account will be temporarily disabled if a threshold of login failures is reached. To enable this feature go to the Realm Settings left menu item, click on the Security Defenses tab, then additionally go to the Brute Force Detection sub-tab.

    From this, one can infer that this feature is applied at the Realm level, and consequently, will affect all the users within that realm. Moreover, reading the complete Keycloak documentation on this feature, and on its configuration settings, there is no option to exclude certain users' accounts. Therefore, if the two users that you want to exclude from the brute force detection feature are within the same realm of those that you want to use that feature on, you are out of luck.

    Nevertheless, from the following paragraph

    The downside of Keycloak brute force detection is that the server becomes vulnerable to denial of service attacks. An attacker can simply try to guess passwords for any accounts it knows and these accounts will be disabled. Eventually we will expand this functionality to take client IP address into account when deciding whether to block a user.

    So maybe in the future, you can exclude those two users based on their IPs?! But this is a wild guess; it depends upon how the future feature will be implemented.

    And finally:

    A better option might be a tool like Fail2Ban. You can point this service at the Keycloak server’s log file. Keycloak logs every login failure and client IP address that had the failure. Fail2Ban can be used to modify firewalls after it detects an attack to block connections from specific IP addresses.

    I guess you can try (for now) to use Fail2Ban and integrate it with Keycloak accordingly. Then try to exclude those two users based on their IPs.
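The Fail2Ban approach the answer suggests boils down to three knobs: a pattern that matches a Keycloak login-failure line and extracts the client IP, a failure count per IP inside a time window, and an allowlist of IPs that are never banned. The script below is an added example, not code from the answer, from Keycloak or from Fail2Ban; it implements that same logic in Python over a few constructed log lines so the behaviour can be checked offline. The line format is modelled on Keycloak's `org.keycloak.events` logger output (`type=LOGIN_ERROR, ..., ipAddress=...`), which is an assumption about how a given deployment is configured to log; the IP addresses, realm and user names are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern modelled on Keycloak's event logger output when event logging is
# enabled (assumption: field order may differ per version/config). It only
# matches LOGIN_ERROR events and captures the client IP, which is exactly the
# role a Fail2Ban failregex plays.
LOGIN_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*type=LOGIN_ERROR.*?"
    r"\bipAddress=(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines (not real Keycloak output). Three IPs:
#  - 203.0.113.10 fails three times in 8 seconds
#  - 198.51.100.7 logs in once (LOGIN, ignored) and then fails three times
#  - 192.0.2.55 fails twice, then once more half an hour later
SAMPLE_LOG = """\
2024-01-01 10:00:01 WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-01-01 10:00:05 WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-01-01 10:00:09 WARN [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=203.0.113.10, error=invalid_user_credentials, username=alice
2024-01-01 10:00:12 INFO [org.keycloak.events] (executor-thread-2) type=LOGIN, realmId=myrealm, clientId=app, userId=42, ipAddress=198.51.100.7, username=bob
2024-01-01 10:00:20 WARN [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=198.51.100.7, error=invalid_user_credentials, username=bob
2024-01-01 10:00:25 WARN [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=198.51.100.7, error=invalid_user_credentials, username=bob
2024-01-01 10:00:30 WARN [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=198.51.100.7, error=invalid_user_credentials, username=bob
2024-01-01 10:30:00 WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=192.0.2.55, error=invalid_user_credentials, username=carol
2024-01-01 10:30:02 WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=192.0.2.55, error=invalid_user_credentials, username=carol
2024-01-01 11:00:00 WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=myrealm, clientId=app, userId=null, ipAddress=192.0.2.55, error=invalid_user_credentials, username=carol
"""


def find_offenders(log_text, maxretry=3, findtime_s=600, ignoreip=()):
    """Return {ip: timestamp_of_ban} for every IP that produced at least
    `maxretry` LOGIN_ERROR events within any sliding window of `findtime_s`
    seconds. IPs listed in `ignoreip` are never banned, which is how the
    two excluded users would be kept out if they come from fixed addresses."""
    ignore = set(ignoreip)
    windows = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LOGIN_ERROR_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip = m.group("ip")
        if ip in ignore or ip in banned:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = windows[ip]
        q.append(ts)
        # Drop failures that fell out of the window before counting.
        while q and (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
    # With the second user's address allowlisted, only the first IP is banned.
    print(find_offenders(SAMPLE_LOG, ignoreip=("198.51.100.7",)))
```

In Fail2Ban itself the same three knobs are the filter's `failregex` and the jail's `maxretry`, `findtime` and `ignoreip` settings. Two caveats apply to the workaround the answer proposes: the allowlist only works if the two users always connect from known, stable addresses, and it does nothing about Keycloak's own realm-level lockout, which still counts failures for those accounts; the log-based ban is an additional control in front of Keycloak, not a replacement for the realm setting.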