Configuring Intrusion Detection for Failed Logins

Anyone who enters more than a few incorrect passwords while trying to log in to the system might be a malicious user. reCAPTCHA cannot prevent attacks by malicious users who can read the image, it cannot differentiate between malicious users and legitimate users, and it cannot prevent coordinated human DoS attacks.

To prevent brute-force or human attacks that bypass the reCAPTCHA protection, enable the user’s identity source to respond to this type of potential attack by disabling the user account for a preset period of time after a specified number of failed login attempts.

The supported identity sources have the following built-in intrusion detection systems:

Active Directory Account Lockout Policy: Active Directory allows you to specify an account lockout policy for users and global security groups in a domain. Set the policy on the domain group policy object from the domain controller.

To configure the Account Lockout Policy settings:

  1. Log in as an Active Directory administrator user to the Windows Server that hosts Active Directory Domain Services (the domain controller).

  2. Configure the Account Lockout Policy on the group policy object for the domain controller. For more information, see the Account Lockout Policy in Microsoft TechNet Library.

  3. Verify that the Account Lockout Threshold value is higher than the number of failed login attempts you plan to specify for Start reCAPTCHA at in the reCAPTCHA tool.

  4. Repeat these steps for each configured Active Directory identity source.
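
The check in steps 3 and 4 can be scripted from a management host. The following is an added example, not part of the product documentation; it assumes the RSAT ActiveDirectory module, and the function name, the domain `corp.example.com` and the value `3` are placeholders. It goes slightly beyond the steps above by also listing fine-grained password policies, which can override the domain lockout threshold for some users.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

function Test-LockoutAgainstRecaptcha {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $Domain,           # one entry per AD identity source
        [Parameter(Mandatory)] [int]      $RecaptchaStartAt  # value planned for "Start reCAPTCHA at"
    )
    $fields = 'LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow'
    foreach ($d in $Domain) {
        # Default domain policy for this identity source.
        $policies = @(Get-ADDefaultDomainPasswordPolicy -Identity $d |
            Select-Object (@(@{ n = 'Name'; e = { 'Default Domain Policy' } }) + $fields))
        # Fine-grained policies take precedence for the users and groups they apply to.
        $policies += @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $d |
            Select-Object (@('Name') + $fields))

        foreach ($p in $policies) {
            # A threshold of 0 means accounts are never locked out, so it must fail the check.
            $status = if ($p.LockoutThreshold -eq 0) {
                'FAIL: lockout disabled (threshold 0)'
            } elseif ($p.LockoutThreshold -le $RecaptchaStartAt) {
                'FAIL: threshold not higher than Start reCAPTCHA at'
            } else {
                'OK'
            }
            [pscustomobject]@{
                Domain            = $d
                Policy            = $p.Name
                LockoutThreshold  = $p.LockoutThreshold
                LockoutDuration   = $p.LockoutDuration
                ObservationWindow = $p.LockoutObservationWindow
                Status            = $status
            }
        }
    }
}

# Placeholder values: replace with your domains and your planned reCAPTCHA setting.
Test-LockoutAgainstRecaptcha -Domain 'corp.example.com' -RecaptchaStartAt 3 |
    Format-Table -AutoSize
```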

eDirectory Intruder Lockout Policy: eDirectory allows you to enable intruder detection and specify an Intruder Lockout policy for the container object where your user objects reside.

To configure eDirectory Intruder Detection and Intruder Lockout Policy:

  1. Log in as the eDirectory administrator user to the eDirectory server management console.

  2. Configure Intruder Detection and the Intruder Lockout policy on the container object where your user objects reside. For more information, see Setting Up Intruder Detection for All Users in a Container in the eDirectory 9.0 Administration Guide.

  3. Verify that the Intruder Lockout value is higher than the number of failed login attempts you plan to specify for Start reCAPTCHA at in the reCAPTCHA tool.

  4. Repeat these steps for each configured eDirectory identity source.

NOTE: By default, intruder detection is disabled when you create a new container object. Perform the following steps in Administration Console to enable intruder detection:

  1. Click <username> > Manage Directory Objects > Tree > <container name> > (current level) > General > Intruder Detection.

  2. Select Detect intruders.

  3. Select Lock account after detection.

    If you do not select this option, no action is taken when intruder detection is activated.

  4. Click Apply > OK.

Continue with Setting Up a reCAPTCHA Account.