40.5 Securing against Brute-Force Attacks with CAPTCHA

CAPTCHA provides additional security against brute-force attacks on the Vibe web application.

Brute-force attack monitoring is enabled on the Vibe system by default.

By default, Vibe considers a brute-force attack to be taking place if any user has 5 failed login attempts to the Vibe system within a 30-minute timeframe. During the time that Vibe believes that a brute-force attack is occurring, Vibe requires all users to specify the CAPTCHA response when logging in to the Vibe web application. Vibe considers the system to be safe from the brute-force attack as soon as there have been fewer than 5 failed login attempts within the past 30 minutes. At that time, specifying a CAPTCHA response is no longer required.

To change the default configuration settings for CAPTCHA for the Vibe web application:

  1. Log in to the Vibe server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).

  2. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\webapps\ssf\WEB-INF\classes\config

  3. Open the ssf.properties file in a text editor.

  4. Locate and copy the following lines:

    #failed.user.authentication.history = true
    #failed.user.authentication.history.max.user.size = 5
    #brute.force.attack.in.last.num.seconds = 30
    #brute.force.attack.num.failed.logins = 5
  5. Close the ssf.properties file without saving.

  6. Make a backup copy of the ssf-ext.properties file, located in the same directory with the ssf.properties file.

  7. Open the ssf-ext.properties file in a text editor.

  8. Paste the lines that you copied in Step 4 at the bottom of the file, then uncomment them:

    failed.user.authentication.history = true
    failed.user.authentication.history.max.user.size = 5
    brute.force.attack.in.last.num.seconds = 30
    brute.force.attack.num.failed.logins = 5
  9. Change the values to match your desired functionality. The function of each setting is as follows:

    failed.user.authentication.history: When this option is set to true, it enables tracking of failed login attempts on a per-user basis. The subsequent settings allow you to further customize the functionality.

    failed.user.authentication.history.max.user.size: The number of failed login attempts per user that Vibe keeps in its history.

    brute.force.attack.in.last.num.seconds: The length of the window, in seconds, within which Vibe counts failed login attempts. The default value for this setting is 30 seconds.

    brute.force.attack.num.failed.logins: The number of failed login attempts allowed per user (within the specified number of seconds) before Vibe requires all users to specify the CAPTCHA response. The default number of failed login attempts allowed per user is 5.

    For example, suppose brute.force.attack.in.last.num.seconds is set to 300 (5 minutes) and brute.force.attack.num.failed.logins is set to 4. If user A unsuccessfully attempts to log in to the Vibe web application 4 times within a 5-minute period, the next time any user in the Vibe system attempts to log in he or she will be required to enter a CAPTCHA response.

  10. Save the ssf-ext.properties file, then exit the text editor.

  11. Restart Vibe to put the change into effect.
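As an added illustration, not Vibe's own code, the following Python models the window logic these four settings describe: it parses the lines as they appear in ssf-ext.properties (using the example values from Step 9) and reports when every user would be asked for a CAPTCHA response. The class and function names and the sample property text are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of the four lines as they would appear once pasted
# (uncommented) into ssf-ext.properties, using the example values from Step 9.
SAMPLE_PROPERTIES = """
failed.user.authentication.history = true
failed.user.authentication.history.max.user.size = 5
brute.force.attack.in.last.num.seconds = 300
brute.force.attack.num.failed.logins = 4
"""

def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

class BruteForceMonitor:
    """Hypothetical model of the per-user failed-login window the settings describe."""

    def __init__(self, props):
        self.enabled = props.get("failed.user.authentication.history", "true").lower() == "true"
        self.max_history = int(props.get("failed.user.authentication.history.max.user.size", 5))
        self.window = int(props.get("brute.force.attack.in.last.num.seconds", 30))
        self.threshold = int(props.get("brute.force.attack.num.failed.logins", 5))
        self.failures = defaultdict(deque)  # user -> timestamps (seconds) of failed logins

    def record_failure(self, user, now):
        """Record one failed login; only the newest max_history entries per user are kept."""
        if not self.enabled:
            return
        hist = self.failures[user]
        hist.append(now)
        while len(hist) > self.max_history:
            hist.popleft()

    def captcha_required(self, now):
        """True while any user has at least `threshold` failures inside the last `window` seconds.
        In this model a max.user.size below num.failed.logins means the threshold is never reached."""
        if not self.enabled:
            return False
        for hist in self.failures.values():
            recent = sum(1 for t in hist if 0 <= now - t <= self.window)
            if recent >= self.threshold:
                return True
        return False
```

With the sample values, four failures by one user at 0, 60, 120 and 180 seconds put the whole system into CAPTCHA mode at second 200; by second 301 the oldest failure has aged out of the 300-second window and the requirement clears.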