Brute force

[jaymc]

How can I stop brute force on my website for a login page?

 

I dont want to use those image verification things where you type the letters

 

So what can I do to stop someone writing a script to POST dictionary passwords at a page and keep doing it until it gets the correct password

 

Leading on from this, how can I stop someone from blasting my web servers over and over again as its not hard to kill a server by putting a few scripts on someone boxes to continuouusly request a page which has some heavy mysql stuff on. Banning from IP can take 5 mins to get the IP, add to iptables etc etc and thats assuming your online at that moment.

 

I need something that can add protection 24/7.

 

Whats to stop me firing 400 requests a sec at this forum, killing its max conections and knocking the server offline...

[rarebit]

Since this is a php forum, i'll give you some php answers (automated ones)...

 

I have a frequency checking algorithm on my logs, it is only on 'entrances' to the site but logs attempts including ssid, ip, agent and proxy. For each one there is a max attempt within a set time, if exceed then there banned for a set amount of time. This ban is the first thing checked on the CMS, so it minimizes the server usage. Also if this happens twice in a row (without logging in) then they are added to a banned table (just their ip), this is also checked top of the pops. You can also add to this table, it greps on ip or agent (the agent can be pretty weildly, but numerous hackers like to leave a signature!)

 

oops, 'ave been on phone for 45mins, can't finish now...