alexandre Posted January 14, 2023

```php
<?php
// Uses the legacy APC extension (apc_*); on APCu the equivalents are apcu_fetch/apcu_store/apcu_delete.
$apc_key         = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
$apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";

$tries = (int)apc_fetch($apc_key);
if ($tries >= 10) {
    header("HTTP/1.1 429 Too Many Requests");
    echo "You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.";
    exit();
}

$success = login($_POST['username'] ?? '', $_POST['password'] ?? '');
if (!$success) {
    $blocked = (int)apc_fetch($apc_blocked_key);
    apc_store($apc_key, $tries + 1, pow(2, $blocked + 1) * 60); # store tries for 2^(x+1) minutes: 2, 4, 8, 16, ...
    apc_store($apc_blocked_key, $blocked + 1, 86400);           # "times blocked" counter, kept 24 hours (note: incremented on every failure, not only when a block starts)
} else {
    apc_delete($apc_key);
    apc_delete($apc_blocked_key);
}
?>
```

I am just trying to figure out what to do or not do. This code is supposed to block an IP address after too many failed attempts, and for each block the time blocked goes up. I have put this code in the else condition of my login authentication file; if the login is not a success then it will do this. I was also thinking about writing an advanced option to allow the user to set a unique IP address to be allowed to log in to their account. I would like to know if it is easy or possible to clone another user's IP address? If so it wouldn't be a really good idea to make this option.

Link: https://forums.phpfreaks.com/topic/315798-is-this-the-good-method-to-block-an-ip-adress/
gizmola Posted January 18, 2023

In general, the less information you provide the better. The message should simply say something like "Too Many Requests" and shouldn't disclose that you are banning things by IP, or what the IP actually is. Don't provide information to bad actors that helps them work around your system.

One other thing about apc: it's memory on a specific server, so if you ever have load balancing in place, these stats are going to be spread out across servers.

It's also fairly standard to store bad attempts against a particular username, and perform an account lockout if a particular bad password attempt threshold is reached.
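A version of the throttle that follows both points above (generic 429 message, counters per IP and per username, block length growing only when a block actually starts), written as an added example rather than code from either poster. The in-memory $store, the constants and the 203.0.113.7 / alice values are constructed stand-ins; apcu_fetch/apcu_store are assumed to back the two cache helpers in production.

```php
<?php
// Added example, not the original poster's code: failures are counted per client
// IP and per username, the response reveals neither the IP nor the rule, and the
// "times blocked" counter grows only when the threshold is crossed.
// $store is a constructed in-memory stand-in for apcu_fetch()/apcu_store();
// APCu is per-server memory, so behind a load balancer use a shared store.
const MAX_TRIES  = 10;     // failures allowed before a block starts
const WINDOW_SEC = 900;    // failures are forgotten after 15 minutes
const BLOCK_TTL  = 86400;  // how long the "times blocked" counter lives

function cache_get(array $store, string $key, int $now) {
    return (isset($store[$key]) && $store[$key][1] > $now) ? $store[$key][0] : null;
}
function cache_set(array &$store, string $key, $value, int $ttl, int $now): void {
    $store[$key] = [$value, $now + $ttl];
}

// True if this IP or this username is currently over the limit; check before login().
function is_throttled(array $store, string $ip, string $user, int $now): bool {
    return (int)cache_get($store, "login:$ip", $now) >= MAX_TRIES
        || (int)cache_get($store, "login-user:$user", $now) >= MAX_TRIES;
}

// Record one failure. Returns the block length in minutes (0 = not blocked yet).
function record_failure(array &$store, string $ip, string $user, int $now): int {
    $tries   = (int)cache_get($store, "login:$ip", $now) + 1;
    $utries  = (int)cache_get($store, "login-user:$user", $now) + 1;
    $blocked = (int)cache_get($store, "blocked:$ip", $now);
    $ttl     = WINDOW_SEC;
    $minutes = 0;
    if ($tries >= MAX_TRIES) {        // threshold crossed: a new block starts
        $blocked++;
        $minutes = 2 ** $blocked;     // 2, 4, 8, 16 ... minutes per successive block
        $ttl     = $minutes * 60;     // the counter now doubles as the block timer
        cache_set($store, "blocked:$ip", $blocked, BLOCK_TTL, $now);
    }
    cache_set($store, "login:$ip", $tries, $ttl, $now);
    cache_set($store, "login-user:$user", $utries, $ttl, $now);
    return $minutes;
}

function record_success(array &$store, string $ip, string $user): void {
    unset($store["login:$ip"], $store["login-user:$user"], $store["blocked:$ip"]);
}

// Constructed walk-through: the 10th failure from one IP starts a 2-minute block.
$store = []; $t = 1700000000;
for ($i = 0; $i < MAX_TRIES; $i++) { record_failure($store, '203.0.113.7', 'alice', $t); }
if (is_throttled($store, '203.0.113.7', 'alice', $t)) { http_response_code(429); echo "Too many requests. Please try again later.\n"; }
```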