Are there any features specifically in Spring 3.0 MVC that would help with implementing detection of a brute force attack on the authentication/login page of a web app?
A long-proven practice is to introduce a random but sizable delay if authentication has failed.
This way legitimate users will log on right away, but an attacker will spend 500ms-1s per try, which makes the whole brute-force idea impractical (will take forever).
Occasional failed logins by legitimate users will cause them only a minor delay and will go unnoticed.
If you need to be notified on repeated failed logins, you need to implement a report printing the number of consecutive failed logins per user, ordered by that number desc, limit 100.
P.S. Here is a post explaining how to get notified on a login attempt. Following the same approach one can introduce a delay, I believe.
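The delay and the report described in the answer above, as an added example that is not part of the original post and not Spring's own code. `FailedLoginTracker` and its methods are hypothetical names, the attempts in `main` are constructed sample data, and Java 8 or later is assumed; in a Spring application the two `record...` methods would be called from whatever hook receives authentication failures and successes.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration; class and method names are hypothetical, not Spring APIs.
public class FailedLoginTracker {
    private static final int MIN_DELAY_MS = 500, MAX_DELAY_MS = 1000; // range from the answer
    private final SecureRandom random = new SecureRandom();
    private final Map<String, AtomicInteger> consecutiveFailures = new ConcurrentHashMap<>();

    /** Call after a failed attempt: counts it and returns the random delay to apply. */
    public long recordFailure(String username) {
        consecutiveFailures.computeIfAbsent(username, u -> new AtomicInteger()).incrementAndGet();
        return MIN_DELAY_MS + random.nextInt(MAX_DELAY_MS - MIN_DELAY_MS + 1);
    }

    /** Call after a successful login: the run of consecutive failures is over. */
    public void recordSuccess(String username) {
        consecutiveFailures.remove(username);
    }

    /** Users with the most consecutive failures, highest first, at most `limit` rows. */
    public List<Map.Entry<String, Integer>> report(int limit) {
        List<Map.Entry<String, Integer>> rows = new ArrayList<>();
        for (Map.Entry<String, AtomicInteger> e : consecutiveFailures.entrySet()) {
            rows.add(new AbstractMap.SimpleEntry<>(e.getKey(), e.getValue().get()));
        }
        rows.sort((a, b) -> b.getValue() - a.getValue());
        return rows.subList(0, Math.min(limit, rows.size()));
    }

    public static void main(String[] args) throws InterruptedException {
        FailedLoginTracker tracker = new FailedLoginTracker();
        // Constructed sample: username and whether the password check passed.
        String[][] attempts = {{"alice", "fail"}, {"bob", "fail"}, {"alice", "ok"},
                               {"bob", "fail"}, {"bob", "fail"}, {"carol", "fail"}};
        for (String[] a : attempts) {
            if (a[1].equals("ok")) { tracker.recordSuccess(a[0]); continue; }
            long delay = tracker.recordFailure(a[0]);
            Thread.sleep(delay); // only failed attempts are slowed down
        }
        for (Map.Entry<String, Integer> row : tracker.report(100)) {
            System.out.println(row.getKey() + " " + row.getValue());
        }
    }
}
```

In a servlet container `Thread.sleep` holds a request thread for the length of the delay, and the map gains an entry for every distinct username submitted, so entries need a cap or an expiry.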