44 - Use Lockout Realms

Information

A LockOut realm wraps a standard realm, adding the ability to lock a user out after multiple failed logins.

Locking out a user after multiple failed logins slows down attackers who are brute forcing logins.

Note: Nessus has not performed this check. It is included for informational purposes only.

Solution

Create a lockout realm wrapping the main realm, as in the example below (failureCount is the number of failed logins before the account is locked, lockOutTime is the lock duration in seconds, cacheSize bounds the number of tracked accounts, and cacheRemovalWarningTime is the age in seconds below which evicting a cache entry is logged as a warning):

<Realm className="org.apache.JETTY.realm.LockOutRealm"
       failureCount="3"
       lockOutTime="600"
       cacheSize="1000"
       cacheRemovalWarningTime="3600">
    <Realm className="org.apache.JETTY.realm.DataSourceRealm" dataSourceName=... />
</Realm>
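The following is an added example, not code from the audit or from the servlet container itself: a small Python model of the lockout realm above, so the interaction of failureCount, lockOutTime, cacheSize and cacheRemovalWarningTime can be stepped through. The inner realm is a constructed dict of user to password, the clock is injectable for repeatable runs, and the specific semantics (failures never expire on their own, an attempt against a locked account extends the lock, a successful login clears the record, the cache is an LRU of failed users) are assumptions chosen for illustration.

```python
# Added example (not the audit's or the servlet container's own code): a
# lockout realm modelling the attributes of the configuration above.
import hmac
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockRecord:
    failures: int = 0        # consecutive failed logins seen for this user
    last_failure: float = 0  # clock value of the most recent failure


class LockOutRealm:
    """Wraps an inner realm (here a plain dict user -> password, constructed)
    and refuses authentication for accounts with too many recent failures."""

    def __init__(self, inner: Dict[str, str], failure_count: int = 5,
                 lock_out_time: int = 300, cache_size: int = 1000,
                 cache_removal_warning_time: int = 3600,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.inner = inner
        self.failure_count = failure_count           # failureCount
        self.lock_out_time = lock_out_time           # lockOutTime (seconds)
        self.cache_size = cache_size                 # cacheSize
        self.warn_time = cache_removal_warning_time  # cacheRemovalWarningTime (seconds)
        self.clock = clock or time.time
        self.records: "OrderedDict[str, LockRecord]" = OrderedDict()  # LRU of failed users
        self.warnings: List[str] = []                # what a server would write to its log

    def is_locked(self, user: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        return (rec.failures >= self.failure_count
                and self.clock() - rec.last_failure < self.lock_out_time)

    def _register_failure(self, user: str) -> None:
        rec = self.records.pop(user, None)
        if rec is None:
            rec = LockRecord()
            if len(self.records) >= self.cache_size:
                # Evict the least recently failed user; warn if that entry is
                # still young, which means cacheSize is too small for the load.
                evicted, old = self.records.popitem(last=False)
                age = self.clock() - old.last_failure
                if age < self.warn_time:
                    self.warnings.append(
                        f"cacheSize={self.cache_size} too small: evicted {evicted} "
                        f"{age:.0f}s after its last failure")
        rec.failures += 1
        rec.last_failure = self.clock()
        self.records[user] = rec  # re-insert at the most-recently-used end

    def authenticate(self, user: str, password: str) -> Optional[str]:
        if self.is_locked(user):
            self._register_failure(user)  # assumption: probing a locked account extends the lock
            return None
        stored = self.inner.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.records.pop(user, None)  # success clears the failure history
            return user
        self._register_failure(user)
        return None


def lockout_demo() -> List[Optional[str]]:
    """Constructed scenario with failureCount=3, lockOutTime=600: three wrong
    guesses, the right password while locked, then the right password once
    the lock has expired."""
    now = [1000.0]
    realm = LockOutRealm({"alice": "s3cret"}, failure_count=3, lock_out_time=600,
                         clock=lambda: now[0])
    results = [realm.authenticate("alice", guess) for guess in ("a", "b", "c")]
    results.append(realm.authenticate("alice", "s3cret"))  # locked: rejected despite correct password
    now[0] += 601                                          # lock has run out
    results.append(realm.authenticate("alice", "s3cret"))  # accepted again
    return results


def cache_warning_demo() -> List[str]:
    """Constructed scenario: cacheSize=2 with failures for three users in the
    same second produces a cacheRemovalWarningTime warning."""
    now = [0.0]
    realm = LockOutRealm({}, cache_size=2, cache_removal_warning_time=3600,
                         clock=lambda: now[0])
    for user in ("u1", "u2", "u3"):
        realm.authenticate(user, "wrong")
    return realm.warnings


if __name__ == "__main__":
    print(lockout_demo())         # [None, None, None, None, 'alice']
    print(cache_warning_demo())
```

Two points the model makes visible: a correct password is rejected for the whole lockOutTime once the threshold is reached, which is exactly what slows a brute-force attempt but also means an attacker who knows a username can keep a legitimate user locked out, so lockOutTime should be no longer than the risk requires and lockouts should be monitored; and a warning from cacheRemovalWarningTime indicates that cacheSize is too small to remember all the accounts under attack, so some failures are being forgotten early.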

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11

Plugin: Unix

Control ID: 7893ea406a1ddc8b35957cc91a6afc66c01071701490546706824e117ad3e072