I am having a thin gateway/portal application based on Node.js and express. It is managing sessions, user authentication and routing (to the actual application).
According to https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Guessing_and_Brute_Force_Detection it is recommended to block IP addresses once the application detects multiple failed login attempts in a given period.
Now I am having 2 questions:
1) In what part of the infrastructure should those IP addresses be blocked? What will be best practice in this department?
- Node.js application (which will leave the overall application affected by brute force/DoS attacks)
- Some webserver(?) installed 'in front of' the Node.js application?
- A dedicated proxy-server installed 'in front of' the Node.js application?
- In the firewall itself, in case the firewall will have such a feature?
- Anything else?
2) In case it should be handled directly in the Node.js application, how would I go about blocking IP addresses in the most efficient way (technically/in code)? I would imagine that brute force attacks will still cause load on the process if I just check this kind of brute-forcing in my normal express request handler?
To clarify, the application is reachable through the internet as well as the intranet (thousands of users).
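For question 2, the following is an added example (not the asker's code) of the cheapest in-process check: an in-memory failed-login tracker keyed by client IP, with a sliding window and a block duration, plus an express-style middleware that sits in front of the login route. It assumes express's `req.ip`, `res.status().json()` and `next()` conventions but does not require express itself; the `FailedLoginTracker` and `makeLoginGuard` names are hypothetical.

```javascript
// Added example, not the asker's code: in-memory failed-login tracker keyed by
// client IP, with an express-style middleware wrapper. Assumes express's
// req.ip / res.status().json() / next() conventions; does not require express.

class FailedLoginTracker {
  // maxFailures failures within windowMs block the IP for blockMs.
  // `now` is injectable so the logic can be exercised without waiting.
  constructor({ maxFailures = 5, windowMs = 15 * 60 * 1000,
                blockMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.blockMs = blockMs;
    this.now = now;
    this.entries = new Map(); // ip -> { failures: number[], blockedUntil: number }
  }

  // True while the IP's block is active; an expired block is cleared on sight.
  isBlocked(ip) {
    const entry = this.entries.get(ip);
    if (!entry) return false;
    if (entry.blockedUntil > this.now()) return true;
    if (entry.blockedUntil) this.entries.delete(ip); // block expired: start fresh
    return false;
  }

  // Records one failed attempt. Returns true if the IP is now blocked.
  recordFailure(ip) {
    if (this.isBlocked(ip)) return true;
    const t = this.now();
    const entry = this.entries.get(ip) || { failures: [], blockedUntil: 0 };
    // Keep only failures that fall inside the sliding window.
    entry.failures = entry.failures.filter((ts) => t - ts < this.windowMs);
    entry.failures.push(t);
    if (entry.failures.length >= this.maxFailures) {
      entry.blockedUntil = t + this.blockMs;
      entry.failures = [];
    }
    this.entries.set(ip, entry);
    return entry.blockedUntil > t;
  }

  // A successful login clears the counter for that IP.
  recordSuccess(ip) {
    this.entries.delete(ip);
  }

  // Drop stale entries so the Map cannot grow without bound; call periodically
  // (e.g. from setInterval). Returns the number of entries still tracked.
  prune() {
    const t = this.now();
    for (const [ip, entry] of this.entries) {
      const recent = entry.failures.some((ts) => t - ts < this.windowMs);
      if (!recent && entry.blockedUntil <= t) this.entries.delete(ip);
    }
    return this.entries.size;
  }
}

// Middleware for the login route: a blocked IP gets a 429 before any password
// hashing or database lookup runs, which is where the real CPU cost is.
function makeLoginGuard(tracker, getIp = (req) => req.ip) {
  return function loginGuard(req, res, next) {
    if (tracker.isBlocked(getIp(req))) {
      res.status(429).json({ error: 'Too many failed login attempts' });
      return;
    }
    next();
  };
}
```

In the login handler itself, call `tracker.recordFailure(req.ip)` when the password check fails and `tracker.recordSuccess(req.ip)` when it succeeds. Two caveats when wiring this into express: behind a reverse proxy or load balancer, `req.ip` is the proxy's address unless `app.set('trust proxy', ...)` is configured, so without that setting a block would hit every user at once; and a per-process `Map` is not shared across cluster workers or multiple instances, so a deployment with several processes needs a shared store for the counters. The guard is an O(1) map lookup, so it removes the expensive work (hashing, DB round trips) from a brute-force request, but the connection and request parsing still reach the process; that residual load is what the options in question 1 (web server, proxy, firewall) address.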