5.2 Use LockOut Realms

Information

A LockOut realm wraps around standard realms, adding the ability to lock a user out after multiple failed logins.

Rationale:

Locking out a user after multiple failed logins slows down attackers attempting to brute-force logins.

Solution

Create a lockout realm wrapping the main realm similar to the example below:

<Realm className='org.apache.catalina.realm.LockOutRealm' failureCount='3' lockOutTime='600' cacheSize='1000' cacheRemovalWarningTime='3600'>
    <Realm className='org.apache.catalina.realm.DataSourceRealm' dataSourceName=... />
</Realm>
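To verify the configuration rather than eyeball it, the following added audit script (not part of this benchmark item or of Tomcat) parses a server.xml and reports any authenticating realm that is not nested inside a LockOutRealm, plus any LockOutRealm that leaves failureCount or lockOutTime unset. The list of realm classes treated as "authenticating" and the sample server.xml fragments are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: realm classes that authenticate users and should be wrapped.
AUTH_REALMS = {
    "org.apache.catalina.realm.DataSourceRealm",
    "org.apache.catalina.realm.JDBCRealm",
    "org.apache.catalina.realm.JNDIRealm",
    "org.apache.catalina.realm.UserDatabaseRealm",
    "org.apache.catalina.realm.MemoryRealm",
}
LOCKOUT = "org.apache.catalina.realm.LockOutRealm"


def audit_realms(server_xml: str) -> list:
    """Return findings; an empty list means every authenticating realm sits
    under a LockOutRealm that explicitly sets failureCount and lockOutTime."""
    findings = []
    root = ET.fromstring(server_xml)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    for realm in root.iter("Realm"):
        cls = realm.get("className", "")
        if cls == LOCKOUT:
            for attr in ("failureCount", "lockOutTime"):
                if realm.get(attr) is None:
                    findings.append(f"LockOutRealm does not set {attr}")
        elif cls in AUTH_REALMS:
            # Walk up the ancestors (a CombinedRealm in between is fine).
            p, wrapped = parent.get(realm), False
            while p is not None and not wrapped:
                wrapped = p.tag == "Realm" and p.get("className") == LOCKOUT
                p = parent.get(p)
            if not wrapped:
                short = cls.rsplit(".", 1)[-1]
                findings.append(f"{short} is not wrapped by a LockOutRealm")
    return findings


# Constructed server.xml fragments used as sample input (not real deployments).
WRAPPED = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="600">
  <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/auth"/>
</Realm></Engine></Service></Server>"""
UNWRAPPED = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Engine></Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("wrapped", WRAPPED), ("unwrapped", UNWRAPPED)):
        print(name, audit_realms(xml) or "OK")
```

Run it against a real server.xml with `audit_realms(open("conf/server.xml").read())`; any non-empty result is a finding for this item.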

References:

https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/config/realm.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 0c8547ad0cb27c7ad9ebb127917c644ddb4eb032917d44ba23ad8af13da824e8