How to block brute force attempts on a login-service/application gateway?
Question: I have a thin gateway/portal application based on Node.js and express. It manages sessions, user authentication and routing (to the actual application). According to https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Guessing_and_Brute_Force_Detection it is recommended to block IP addresses once the application detects multiple failed login attempts in a given period. Now I have 2 questions: 1) In what part of the infrastructure should those IP addresses be