alexandre Posted January 5, 2023
I am just wondering if there is one way that is better than the others to counter this kind of attack. I believe it is targeting a single account at a time. If I want to avoid locking the user account, since there is no account recovery on my website, what would be my best options?
requinix Posted January 5, 2023
Rate limiting.
alexandre (Author) Posted January 5, 2023
Rate limiting, as in counting the login attempts for a given period of time? This would not solve the problem if I still have to lock the account temporarily. Someone could just spam the login for another user in order to make that person unable to participate in, for example, the competitive event; one could just do this and donate more to steal a place while the other would be unable to defend his place in the ranking.

What I was thinking is that if there is an obvious number of attempts indicating it is an attack, I could simply make the input disappear for this session and display a message instead. If I could, I would make the attacker's session never die, so he would always come back to this same screen where he is unable to do anything. Do you know a way to make a session never die?
mac_gyver Posted January 5, 2023 (marked as Solution)
15 minutes ago, alexandre said: "this session"

The existence or absence of a session is under the control of the client/script making the requests to your site. You cannot use session (or cookie) data to detect or control the login attempts, since the client/script can simply not propagate the session id (or cookie) between requests, and they will get a new session. You must store the data needed to detect or control the login attempts in a database table.

You have two pieces of identifying information from the requests: the IP address (where the request came from and where you will send the response back to, along with any session id cookie or remember-me cookie token) and the username/email for the login attempt. You would store the datetime, IP, and username/email for each failed login attempt, as a separate row, in a database table. It is this data that you would test to detect and control the login attempts.

Also, you don't 'lock' the accounts; you rate limit the login attempts. If a user is already logged in, they should still be able to access the site, i.e. they won't be attempting to log in, since they already are logged in.
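The table-backed scheme mac_gyver describes, written out as an added example (this is not code from the thread or from any poster): each failed attempt becomes a row of (time, IP, username), and before a login is processed the failures inside a sliding window are counted for both the source IP and the target username. Either limit being exceeded gets a 429 for the rest of the window; nothing is permanently locked, and the window is what bounds the damage an attacker can do to one username. Assumptions are marked in the code: an in-memory SQLite database via PDO stands in for the site's real table, the limits and window length are illustrative, and the user map and `check_credentials()` are constructed stand-ins for the site's own login code.

```php
<?php
// Added example of a database-backed login rate limiter (not from the thread).
// Assumptions: PDO + in-memory SQLite replaces the real table; the limits,
// the window, the demo user and check_credentials() are illustrative stand-ins.
declare(strict_types=1);

final class LoginThrottle
{
    private const WINDOW_SECONDS = 900;  // sliding window: the last 15 minutes
    private const MAX_PER_IP     = 20;   // failures tolerated from one source IP
    private const MAX_PER_USER   = 5;    // failures tolerated against one username

    // Fixed SQL per key so no column name is ever interpolated into a query.
    private const COUNT_SQL = [
        'ip'       => 'SELECT COUNT(*) FROM login_failures WHERE ip = :v AND attempted_at > :since',
        'username' => 'SELECT COUNT(*) FROM login_failures WHERE username = :v AND attempted_at > :since',
    ];

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS login_failures (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            attempted_at INTEGER NOT NULL,
            ip TEXT NOT NULL,
            username TEXT NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS lf_ip   ON login_failures (ip, attempted_at)');
        $db->exec('CREATE INDEX IF NOT EXISTS lf_user ON login_failures (username, attempted_at)');
    }

    private function recentFailures(string $key, string $value, int $now): int
    {
        $stmt = $this->db->prepare(self::COUNT_SQL[$key]);
        $stmt->execute([':v' => $value, ':since' => $now - self::WINDOW_SECONDS]);
        return (int) $stmt->fetchColumn();
    }

    /** Decide, before the password is even looked at, whether either limit is exceeded. */
    public function isThrottled(string $ip, string $username, int $now): bool
    {
        return $this->recentFailures('ip', $ip, $now) >= self::MAX_PER_IP
            || $this->recentFailures('username', $username, $now) >= self::MAX_PER_USER;
    }

    /** One row per failed attempt; both counters are derived from these rows. */
    public function recordFailure(string $ip, string $username, int $now): void
    {
        $this->db->prepare('INSERT INTO login_failures (attempted_at, ip, username) VALUES (:t, :ip, :u)')
                 ->execute([':t' => $now, ':ip' => $ip, ':u' => $username]);
    }

    /** A successful login wipes that user's failures so old typos do not accumulate. */
    public function clearUser(string $username): void
    {
        $this->db->prepare('DELETE FROM login_failures WHERE username = :u')->execute([':u' => $username]);
    }

    /** Rows older than the window are dead weight; run this from a cron job or now and then per request. */
    public function purgeExpired(int $now): void
    {
        $this->db->prepare('DELETE FROM login_failures WHERE attempted_at <= :since')
                 ->execute([':since' => $now - self::WINDOW_SECONDS]);
    }
}

/** Stand-in for the site's credential check; $users maps username => password_hash() output. */
function check_credentials(array $users, string $username, string $password): bool
{
    // Verify against a throwaway hash for unknown names so timing does not reveal which names exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $users[$username] ?? $dummyHash);
    return $ok && isset($users[$username]);
}

/** Returns [HTTP status, message]; the same wording is used for a bad password and an unknown user. */
function handle_login(LoginThrottle $throttle, array $users, string $ip, string $username, string $password, int $now): array
{
    if ($throttle->isThrottled($ip, $username, $now)) {
        return [429, 'Too many login attempts; try again in a few minutes.'];
    }
    if (check_credentials($users, $username, $password)) {
        $throttle->clearUser($username);
        return [200, 'Logged in.'];
    }
    $throttle->recordFailure($ip, $username, $now);
    return [401, 'Invalid username or password.'];
}

// Demo with constructed data: an attacker rotating source IPs hammers one account.
$db       = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$throttle = new LoginThrottle($db);
$users    = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$t0       = 1_700_000_000;   // arbitrary fixed "now" so the demo is deterministic

for ($i = 0; $i < 7; $i++) {
    // A different IP on every attempt, so a per-IP rule alone would never fire; the per-username rule does.
    [$status] = handle_login($throttle, $users, "203.0.113.$i", 'alice', "guess$i", $t0 + $i);
    printf("attempt %d from 203.0.113.%d -> %d\n", $i + 1, $i, $status);
}
// The legitimate user with the right password, first inside the window and then after it has slid past.
[$status] = handle_login($throttle, $users, '198.51.100.7', 'alice', 'correct horse battery staple', $t0 + 10);
printf("alice during window -> %d\n", $status);
[$status] = handle_login($throttle, $users, '198.51.100.7', 'alice', 'correct horse battery staple', $t0 + 901);
printf("alice after window -> %d\n", $status);
```

Run it with `php throttle.php`. The demo makes the trade-off in the thread visible: because the username counter is what stops the rotating attacker, the real user is also refused until enough of those failures fall out of the window, which is why the window is kept short and why this is a rate limit rather than a lock. The 429 text deliberately says nothing about whether the username exists, and the failure message is identical for a wrong password and an unknown user.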
alexandre (Author) Posted January 5, 2023
In theory this is good, but there is little chance that an attacker will not be hiding his IP address, probably with a VPN that changes IP address after some time. I don't know much about it, but storing an IP address would just protect against this IP address. I am also not collecting any information about my users, not even an email, so it gets complicated for this reason. But when you say I need to collect this information, isn't it illegal to do this without the user's consent, even if this user is someone trying to break your website?
alexandre (Author) Posted January 5, 2023
Dang, I didn't realize that for every attempt, even if the IP address is changing, it will store the new one and limit it as well, so I think this seems good after all. Sorry, I always try to question everything.
requinix Posted January 6, 2023
So I guess if you can't protect yourself from the very few sophisticated attackers then there's no point protecting yourself against an army of dumb attackers?
alexandre (Author) Posted January 6, 2023
Maybe. How would I do that? Are you talking about a DDoS attack there, or is this something else?
alexandre (Author) Posted January 6, 2023
Unless you were saying this because I asked if it was illegal to collect that information.
phppup Posted January 6, 2023 (edited)
I think requinix was trying to point out, in a sarcastic tone, that any protection is better than none.

Also, I don't see why it would be illegal to collect email addresses. If you are in a region that does not permit this, perhaps a notice or terms of service stating "This website saves all applicable data during usage" will be beneficial (but I cannot provide legal advice on this).
Edited January 6, 2023 by phppup: typos
alexandre (Author) Posted January 6, 2023
I was talking more about the users' user agents, or the IP addresses.
phppup Posted January 6, 2023
Legal advice is not provided here, but you can always contact an attorney or do your own research with an emphasis on your (LOL) locality.

Beyond my disclaimer, I do not think that gathering the information should cause a problem. How you use it could be a different issue. In other words, collecting email addresses to use to contact your customers/users would be a reasonable business activity. Collecting the information to coordinate malicious activity would likely be frowned upon. Divulging the personal data on a billboard by a highway would probably be unwise.

But again, this would be a good reason to have some kind of notification that informs users of what you are doing and your intentions. If they do not agree with the terms, then they can decline.
alexandre (Author) Posted January 6, 2023
Thank you, that's what I was wondering about.
alexandre (Author) Posted January 7, 2023
Just a quick question: if the IP address is changing automatically, do I need to catch that, or will the page reload if it changes? I don't have a VPN to test that, and it is kind of just a wonder about what I should do in this situation.

I would like to be able to see a simulation of a sophisticated attack on a website, and be able to see how this is done and what they would be using to bypass the security. Most of what I have heard of by now was the use of the inputs for SQL injection, or the use of a brute-force attack. Cross-site scripting I am still unsure about: what it can use or do apart from changing the output. There must be something more, because I was probably hacked because of a hack on a website; I received a mail telling me that they had been hacked and that, even though the passwords were hashed, the attackers had access to information. So I wonder what else can be used as a tactic for getting inside a server or getting access to this information. A better question must be: what should I put in place to make a well-sealed website as a whole?
alexandre (Author) Posted January 7, 2023
I found this example of blocking an IP address for an amount of time after a given number of tries; I would like to know if it looks good.

```php
<?php
// Per-IP login throttle backed by the APC user cache. The apc_* functions
// belong to the legacy APC extension; on PHP 7+ with APCu the same calls
// exist as apcu_fetch(), apcu_store() and apcu_delete().
$apc_key         = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
$apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";

// Recent failed attempts from this IP (0 when the key has expired or never existed).
$tries = (int) apc_fetch($apc_key);

if ($tries >= 10) {
    http_response_code(429);   // Too Many Requests
    echo "You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.";
    exit();
}

// login() is the site's own credential check; it is not shown in the post.
$success = login($_POST['username'] ?? '', $_POST['password'] ?? '');

if (!$success) {
    // Escalation counter for this IP. Note that it is incremented on every
    // failed attempt, not only when a block starts, so the lifetime of the
    // tries counter doubles with each failure: 2, 4, 8, 16, ... minutes.
    $blocked = (int) apc_fetch($apc_blocked_key);
    apc_store($apc_key, $tries + 1, pow(2, $blocked + 1) * 60);   // keep tries for 2^(x+1) minutes
    apc_store($apc_blocked_key, $blocked + 1, 86400);              // keep the escalation counter for 24 hours
} else {
    // Successful login: forget both counters for this IP.
    apc_delete($apc_key);
    apc_delete($apc_blocked_key);
}
```
alexandre (Author) Posted January 7, 2023
I also found a not-so-bad idea, which is to only allow the login from certain IP addresses, which could be an option set by the user. In my opinion it would be the safest way, unless I hit someone who knows how to clone an IP address. Then it might be a good option, but I feel like it is pretty easy for some to do that...