Brute force


jaymc

How can I stop brute force on my website for a login page?

I don't want to use those image verification things where you type the letters.

So what can I do to stop someone writing a script to POST dictionary passwords at a page and keep doing it until it gets the correct password?

Leading on from this, how can I stop someone from blasting my web servers over and over again, as it's not hard to kill a server by putting a few scripts on someone's boxes to continuously request a page which has some heavy MySQL stuff on? Banning from IP can take 5 mins to get the IP, add to iptables etc. etc., and that's assuming you're online at that moment.

I need something that can add protection 24/7.

What's to stop me firing 400 requests a sec at this forum, killing its max connections and knocking the server offline...


Since this is a PHP forum, I'll give you some PHP answers (automated ones)...

I have a frequency checking algorithm on my logs; it is only on 'entrances' to the site but logs attempts including ssid, IP, agent and proxy. For each one there is a max attempts within a set time; if exceeded then they're banned for a set amount of time. This ban is the first thing checked on the CMS, so it minimizes the server usage. Also, if this happens twice in a row (without logging in) then they are added to a banned table (just their IP); this is also checked top of the pops. You can also add to this table; it greps on IP or agent (the agent can be pretty weildly, but numerous hackers like to leave a signature!)

Oops, 'ave been on phone for 45 mins, can't finish now...

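The frequency check described in the reply above, written out in PHP 8 as an added example (not the poster's code): ban lookups run first, a client that exceeds the limit gets a timed ban, and a second violation without a successful login goes to the permanent banned list. The class name, thresholds and in-memory arrays (standing in for the log and banned tables) are assumptions; `$key` is whichever identifier is being counted (IP, session ID, agent).

```php
<?php
// Added example: names, thresholds and the in-memory store are assumptions,
// standing in for the log and banned tables the post describes.
final class EntranceThrottle
{
    private array $attempts = [];   // key => timestamps of recent attempts
    private array $tempBans = [];   // key => time the temporary ban ends
    private array $strikes = [];    // key => violations since last good login
    private array $banned = [];     // key => true (the permanent "banned table")
    public function __construct(private int $maxAttempts = 5, private int $window = 60, private int $banSeconds = 900) {}

    // Call first on every entrance request; returns 'ok', 'temp_ban' or 'banned'.
    public function check(string $key, int $now): string
    {
        if (isset($this->banned[$key])) {
            return 'banned';                       // cheapest check runs first
        }
        if (($this->tempBans[$key] ?? 0) > $now) {
            return 'temp_ban';
        }
        // Keep only attempts inside the sliding window, then record this one.
        $recent = array_filter($this->attempts[$key] ?? [], fn($t) => $t > $now - $this->window);
        $recent[] = $now;
        $this->attempts[$key] = array_values($recent);
        if (count($recent) <= $this->maxAttempts) {
            return 'ok';
        }
        // Limit exceeded: a second violation in a row goes to the banned table.
        $this->attempts[$key] = [];
        $this->strikes[$key] = ($this->strikes[$key] ?? 0) + 1;
        if ($this->strikes[$key] >= 2) {
            $this->banned[$key] = true;
            return 'banned';
        }
        $this->tempBans[$key] = $now + $this->banSeconds;
        return 'temp_ban';
    }
    // A successful login clears the strike count ("without logging in").
    public function loginSucceeded(string $key): void
    {
        unset($this->strikes[$key], $this->attempts[$key]);
    }
}

// Constructed run: two bursts of six requests from one documentation-range IP.
$throttle = new EntranceThrottle(); $ip = '203.0.113.7';
foreach ([1000, 2000] as $start) {
    for ($s = 0; $s < 6; $s++) { $result = $throttle->check($ip, $start + $s); }
    echo $result, PHP_EOL;   // outcome of the sixth request in each burst
}
```

Passing the timestamp in as `$now` keeps the logic testable; on a live site it would be `time()` and the arrays would be tables or a shared cache so the state survives between requests.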
