Password Attempts restriction
We are trying to put a restriction of 3 attempts on a password and login, but at the moment when we put code in it gives us 3 login fields, but still not restricted access, which is what we are trying to achieve.
d3ad1ysp0rk (Forum Donator, Maine, USA)
kettle_drum (DevNet Resident, West Yorkshire, England)
sleep() would be used to slow down brute force attempts, as the bot doing the work would have to wait a few seconds before trying again.
Assume that the bot can make 10 requests at a time (and it takes 1 second to do). It can make 600 attempts a minute, 36000 an hour, etc. Now add a 5 second sleep to the script, so it can still make 10 requests a second, but now it takes 5 seconds, so now only 200 attempts can be made a minute - 12000 an hour - increasing the time needed by a considerable amount.
I would personally log each and every login attempt in a database with the time and IP, username used, etc., and then don't allow the form or process page of the login to be loaded until a timeout period has passed - so it stops brute forcing - and then if there are 3 attempts from the same IP in 100 seconds, don't let them see the login form.
This way you also have a log of what's been happening on your site, and the same table can be used elsewhere to log other events.
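An added example (not code from the thread) of the logging scheme kettle_drum describes: every attempt is written to a table, and the login form is refused once an IP has three failures inside 100 seconds. It assumes PDO with an in-memory SQLite database and a constructed attacker address.

```php
<?php
// Added example, not from the thread: kettle_drum's attempt log plus a
// "3 failures from one IP in 100 seconds" rule. The table and clock are
// constructed here so the script runs stand-alone.
const MAX_FAILURES   = 3;    // failed logins allowed per IP ...
const WINDOW_SECONDS = 100;  // ... within this sliding window

function open_attempt_log(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per attempt: when, from where, which username, and whether it succeeded.
    $db->exec('CREATE TABLE login_attempts (
        attempted_at INTEGER NOT NULL,
        ip           TEXT    NOT NULL,
        username     TEXT    NOT NULL,
        success      INTEGER NOT NULL)');
    return $db;
}

// Log every attempt, successful or not, so the table doubles as an audit trail.
function record_attempt(PDO $db, string $ip, string $user, bool $ok, int $now): void {
    $st = $db->prepare('INSERT INTO login_attempts VALUES (?, ?, ?, ?)');
    $st->execute([$now, $ip, $user, $ok ? 1 : 0]);
}

// True once the IP has MAX_FAILURES failed logins inside the window; the login
// page checks this first and neither renders nor processes the form while it holds.
function is_blocked(PDO $db, string $ip, int $now): bool {
    $st = $db->prepare('SELECT COUNT(*) FROM login_attempts
                        WHERE ip = ? AND success = 0 AND attempted_at > ?');
    $st->execute([$ip, $now - WINDOW_SECONDS]);
    return (int)$st->fetchColumn() >= MAX_FAILURES;
}

// Demo with a constructed attacker IP (documentation range) and a fixed clock.
$db = open_attempt_log();
$ip = '203.0.113.7';
$t0 = 1700000000;
foreach ([0, 10, 20] as $dt) {
    record_attempt($db, $ip, 'admin', false, $t0 + $dt);
}
var_dump(is_blocked($db, $ip, $t0 + 30));   // three failures inside the window
var_dump(is_blocked($db, $ip, $t0 + 101));  // the first failure has aged out
```

Keying only on the source IP, as the post proposes, means attempts spread across many addresses are never counted together, so the same table is usually also queried per username.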
Sessions
You can use sessions to store attempts ...
then check and ban it from the session.
Attacker needs to close browser to try again ...
You can extend this: after x attempts and session ban, store him in a ban IP DB forever or for x amount of time ...
http://www.vision.to
kettle_drum (DevNet Resident, West Yorkshire, England)
you put this in common file...
Code:
    // Refuse the page outright once the session has been flagged as banned
    // (CCGetSession/CCSetSession are the CodeCharge session helpers)
    if(CCGetSession("BANNED".SUFFIX) == 1)
    {
        echo "ACCESS DENIED!";
        exit;
    }
part of the code
Code:
    if(!CCLoginUser($LogIn_inc->Login->login->Value, $LogIn_inc->Login->password->Value))
    {
        $LogIn_inc->Login->Errors->addError("LNG_LOGIN_ERROR_0.");
        if(defined("USE_HACKLOG") && USE_HACKLOG==1)
        {
            // Count failed logins for this session
            if(CCGetSession("HACK_TRY".SUFFIX)==""){CCSetSession("HACK_TRY".SUFFIX,0);}
            CCSetSession("HACK_TRY".SUFFIX,CCGetSession("HACK_TRY".SUFFIX)+1);
            // >= rather than ==, so the limit still holds once the counter has passed MAX_LOGIN
            if(CCGetSession("HACK_TRY".SUFFIX) >= MAX_LOGIN)
            {
                // Note: this writes the submitted username and password into the hack log in clear text
                hack_logger ( $_SERVER["REQUEST_URI"], get_real_ip(), $_SERVER["HTTP_USER_AGENT"], $_SERVER["HTTP_REFERER"], "Invalid Userid : ".$LogIn_inc->Login->login->Value." Or Password : ".$LogIn_inc->Login->password->Value);
                echo "HACK ATTEMPT !? <br>THIS ATTEMPT HAS BEEN LOGGED FOR FURTHER INVESTIGATION.";
                exit;
            }
            $LogIn_inc->Login->Errors->addError("Login ATTEMPT ".CCGetSession("HACK_TRY".SUFFIX));
        }
    }
using at http://www.vision.to
regards
feha

feyd | Help us, help you. Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)