Blog | G5 Cyber Security

Stop OAuth Brute Force Attacks

TL;DR

Brute force attacks try many usernames and passwords to get into your OAuth authorization server. This guide shows you how to slow them down using rate limiting, account lockout, strong password policies, multi-factor authentication (MFA), and monitoring.

1. Rate Limiting

Rate limiting restricts the number of login attempts a single IP address or user can make within a given time window. This makes brute force attacks much slower and less effective.

  1. Choose a rate limit: Start with something like 5 failed attempts per minute per IP address. You can adjust this based on your server’s capacity and typical user behaviour.
  2. Implement the limit in your OAuth server configuration: Most OAuth servers (like Keycloak, Auth0, or custom implementations) have built-in rate limiting features. Consult your server’s documentation for specifics. Example using a reverse proxy like Nginx:
    
    http {
      ...
      # 10 MB shared zone keyed on the client IP, allowing 5 requests per minute.
      # If Nginx itself sits behind a load balancer, $binary_remote_addr is the
      # balancer's address, so restore the real client IP first or every client
      # will share one bucket.
      limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/m;
      server {
        location /oauth-endpoint {
          # burst=5 tolerates a short spike; nodelay rejects anything beyond it immediately
          limit_req zone=mylimit burst=5 nodelay;
          ...
        }
      }
    }
  3. Monitor the logs: Check your server logs for blocked requests due to rate limiting. This helps you fine-tune the limits and identify potential attackers.

2. Account Lockout

After a certain number of failed login attempts, temporarily lock the account. This prevents further guessing.

  1. Set a lockout threshold: For example, lock an account after 5 consecutive failed login attempts.
  2. Implement lockout in your application logic: Store the number of consecutive failed attempts for each user (e.g., in a database). When the threshold is reached, lock the account.
    
    // Example pseudocode: count consecutive failures per user and lock at the threshold
    const LOCK_THRESHOLD = 5;
    function onFailedLogin(username) {
      failedLoginAttempts[username] = (failedLoginAttempts[username] || 0) + 1;
      if (failedLoginAttempts[username] >= LOCK_THRESHOLD) {
        lockAccount(username); // reset failedLoginAttempts[username] to 0 on a successful login
      }
    }
    
  3. Implement an unlock mechanism: Allow users to unlock their accounts after a specific period (e.g., 15 minutes) or via email verification.

    Consider using CAPTCHA before unlocking.
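
As an added example (not code from the original post), here is a Python sketch that combines the per-IP rate limit from section 1 with the consecutive-failure lockout and timed unlock from this section; the class, method names and the injectable clock are assumptions of this example, not any OAuth server's API.

```python
import time
from collections import defaultdict, deque

# Thresholds from the guide: 5 failed attempts per minute per IP address,
# lock an account after 5 consecutive failures, auto-unlock after 15 minutes.
IP_LIMIT, IP_WINDOW = 5, 60
LOCK_THRESHOLD, LOCK_SECONDS = 5, 15 * 60


class LoginGuard:
    """Per-IP failure rate limit plus per-account lockout (assumed design, not a library API)."""

    def __init__(self, now=time.time):
        self.now = now                         # injectable clock, so tests can move time forward
        self.ip_failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
        self.user_failures = defaultdict(int)  # user -> consecutive failed attempts
        self.locked_until = {}                 # user -> time (epoch seconds) the lock expires

    def ip_rate_limited(self, ip):
        q, cutoff = self.ip_failures[ip], self.now() - IP_WINDOW
        while q and q[0] < cutoff:             # forget failures older than the window
            q.popleft()
        return len(q) >= IP_LIMIT

    def account_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.now() >= until:                # timed unlock: the lock has expired
            del self.locked_until[user]
            self.user_failures[user] = 0
            return False
        return True

    def attempt(self, ip, user, check_password):
        """Returns 'rate_limited', 'locked', 'ok' or 'failed'. Both guards run before
        the password is verified, so a blocked request does no credential check at all."""
        if self.ip_rate_limited(ip):
            return "rate_limited"
        if self.account_locked(user):
            return "locked"
        if check_password():
            self.user_failures[user] = 0       # a successful login resets the counter
            return "ok"
        self.ip_failures[ip].append(self.now())
        self.user_failures[user] += 1
        if self.user_failures[user] >= LOCK_THRESHOLD:
            self.locked_until[user] = self.now() + LOCK_SECONDS
        return "failed"
```

In production, send the client the same generic error for "locked" and "failed" and keep the distinction in your logs, so the response does not confirm which usernames exist.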

3. Strong Password Policies

Enforce strong password requirements to make passwords harder to crack.

4. Multi-Factor Authentication (MFA)

Require a second form of verification in addition to the password, such as a code sent to the user’s phone or generated by an authenticator app.

  1. Choose an MFA method: Options include SMS codes, authenticator apps (like Google Authenticator), and security keys.
  2. Integrate MFA into your OAuth flow: Most OAuth servers support MFA integration.
  3. Encourage or require MFA for all users: Prioritize requiring MFA for privileged accounts.

5. Monitoring and Logging

Keep a close eye on login attempts and other security-related events.
