
is there an ideal way to counter a brute force attempt?


alexandre

Solved by mac_gyver

I am just wondering if there is one way better than the others to counter this kind of attack. I believe it is targeting a single account at a time. If I want to avoid locking the user account, since there is no account recovery on my website, what would be my best options?


Rate limiting, as in counting the login attempts for a given period of time? This would not solve the problem if I still have to lock the account temporarily. Someone could just spam the login for another user in order to make this person unable to participate in, for example, the competitive event; one could just do this and donate more to steal a place while the other would be unable to defend his place in the rank. What I was thinking is, if there is an obvious amount of attempts saying it is an attack, I could simply make the input disappear for this session and display a message instead. If I could, I would make the attacker's session never die so he would always come back to this same screen where he is unable to do anything. Do you know a way to make a session never die?


  • Solution
15 minutes ago, alexandre said:

this session

The existence or absence of a session is under the control of the client/script making the requests to your site. You cannot use session (or cookie) data to detect or control the login attempts, since the client/script can simply not propagate the session id (or cookie) between requests and they will get a new session. You must store the data needed to detect or control the login attempts in a database table.

You have two pieces of identifying information from the requests: the IP address (where the request came from and where you will send the response back to, along with any session id cookie or remember-me cookie token) and the username/email for the login attempt. You would store the datetime, IP, and username/email for each failed login attempt, as a separate row, in a database table. It is this data that you would test to detect and control the login attempts.

Also, you don't 'lock' the accounts; you rate limit the login attempts. If a user is already logged in, they should still be able to access the site, i.e. they won't be attempting to login, since they already are logged in.

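The table-backed approach from the accepted answer, as an added example that is not code from the thread or from the site being discussed: every failed login is stored as a row (datetime, ip, username) and an attempt is refused before the password is checked once either the username or the source IP has too many recent failures. It uses an in-memory SQLite database so it runs stand-alone; the table name, function names and thresholds are assumptions.

```php
<?php
// Added example, not code from the thread: table-backed rate limiting of failed logins.
// In-memory SQLite so it runs stand-alone; table/function names and thresholds are assumed.
declare(strict_types=1);

const MAX_FAILS_PER_USER = 5;   // failures tolerated per username in the window
const MAX_FAILS_PER_IP   = 20;  // failures tolerated per source IP in the window
const WINDOW_SECONDS     = 900; // 15-minute sliding window

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_failures (id INTEGER PRIMARY KEY,
        attempted_at INTEGER NOT NULL, ip TEXT NOT NULL, username TEXT NOT NULL)');
    return $db;
}

// Count failures for one identifier inside the sliding window ($column is whitelisted).
function recentFailures(PDO $db, string $column, string $value, int $now): int {
    if (!in_array($column, ['ip', 'username'], true)) { throw new InvalidArgumentException('unknown column'); }
    $stmt = $db->prepare("SELECT COUNT(*) FROM login_failures
        WHERE $column = :v AND attempted_at > :since");
    $stmt->execute([':v' => $value, ':since' => $now - WINDOW_SECONDS]);
    return (int)$stmt->fetchColumn();
}

// True when the attempt should be refused before the password is even checked.
// No account is locked: a user who is already logged in keeps their session.
function isThrottled(PDO $db, string $ip, string $username, int $now): bool {
    return recentFailures($db, 'username', $username, $now) >= MAX_FAILS_PER_USER
        || recentFailures($db, 'ip', $ip, $now) >= MAX_FAILS_PER_IP;
}

function recordFailure(PDO $db, string $ip, string $username, int $now): void {
    $stmt = $db->prepare('INSERT INTO login_failures (attempted_at, ip, username)
        VALUES (:t, :ip, :u)');
    $stmt->execute([':t' => $now, ':ip' => $ip, ':u' => $username]);
}

// Constructed demo: six wrong guesses for "alice" from the documentation address 203.0.113.5.
$db = openDb();
$now = time();
for ($i = 1; $i <= 6; $i++) {
    if (isThrottled($db, '203.0.113.5', 'alice', $now)) {
        echo "attempt $i: refused, rate limited\n";
        continue;
    }
    recordFailure($db, '203.0.113.5', 'alice', $now);  // the password check failed
    echo "attempt $i: password checked, wrong\n";
}
```

On a successful login the site would delete that username's rows (and expire old rows on a schedule) so the window only ever reflects recent failures.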

In theory this is good, but there is little chance that an attacker will not be hiding his IP address, probably with a VPN changing the IP address after some time. I don't know much about it, but storing an IP address would just protect against this IP address. I am also not collecting any information about my users, not even an email, so it gets complicated for this reason. But when you say I need to collect that information, isn't it illegal to do this without the user's consent, even if this user is someone trying to break your website?


I think requinix was trying to point out, in a sarcastic tone, that any protection is better than none.

Also, I don't see why it would be illegal to collect email addresses.

If you are in a region that does not permit this, perhaps a notice or terms of service stating: "This website saves all applicable data during usage" will be beneficial (but I cannot provide legal advice on this).

Edited by phppup
Typos

Legal advice is not provided here, but you can always contact an attorney or do your own research with an emphasis on your LOL locality.

Beyond my disclaimer, I do not think that gathering the information should cause a problem. How you use it could be a different issue.

In other words, collecting email addresses to use to contact your customers/users would be a reasonable business activity.

Collecting the information to coordinate malicious activity would likely be frowned upon.

Divulging the personal data on a billboard by a highway would probably be unwise.

But again, this would be a good reason to have some kind of notification that informs users of what you are doing and your intentions.

If they do not agree with the terms, then they can decline.


Just a question like that: if the IP address is changing automatically, do I need to catch that, or will the page reload if it changes? I don't have a VPN to test that, and it is kind of just a wonder about what I should do in this situation. I would like to be able to see a simulation of a sophisticated attack on a website, and be able to see how this is done and what they would be using to bypass the security. Most of what I have heard of by now was the use of the inputs for SQL injection, or the use of a brute force attack. Cross-site scripting I am still unsure of what this can use or do apart from changing the output; there must be something more, because I was probably hacked because of a hack on a website. I received a mail telling me that they have been hacked, and even if the passwords were hashed, the attackers had access to information. So I wonder what else can be used as a tactic for getting inside a server or getting access to this information. A better question must be: what should I put in place to make a well-sealed website in its whole?


I found this example of blocking an IP address for an amount of time after a given amount of tries. I would like to know if it is looking good.

<?php
  // Per-IP throttling using the APC user cache. On APCu the calls are
  // apcu_fetch / apcu_store / apcu_delete with the same arguments.
  $ip = $_SERVER['REMOTE_ADDR'];
  $apc_key = "{$_SERVER['SERVER_NAME']}~login:{$ip}";
  $apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$ip}";

  // Failed attempts from this IP whose cache entry has not yet expired.
  $tries = (int)apc_fetch($apc_key);
  if ($tries >= 10) {
    http_response_code(429);  // 429 Too Many Requests
    echo "You've exceeded the number of login attempts. We've blocked IP address {$ip} for a few minutes.";
    exit();
  }

  // login() is the site's own credential check (not part of this snippet); it returns true on success.
  $success = login($_POST['username'] ?? '', $_POST['password'] ?? '');
  if (!$success) {
    // Counter under the blocked key; it grows on every failure within 24 hours.
    $blocked = (int)apc_fetch($apc_blocked_key);

    apc_store($apc_key, $tries+1, pow(2, $blocked+1)*60);  # keep tries for 2^(x+1) minutes: 2, 4, 8, 16, ...
    apc_store($apc_blocked_key, $blocked+1, 86400);  # keep the backoff counter for 24 hours
  } else {
    // A successful login clears both counters for this IP.
    apc_delete($apc_key);
    apc_delete($apc_blocked_key);
  }



I also found a not so bad idea, which is to only allow the login for certain IP addresses, which could be an option set by the user. In my opinion it would be the safest way unless I hit someone who knows how to clone an IP address; then it might be a good option, but I feel like it is pretty easy for some to do that ...
