Password Attempts restriction

Posted: Sun Oct 17, 2004 10:13 pm
by nzmaori
We are trying to put a restriction of 3 attempts on a password and login
but at the moment when we put code in it gives us 3 login fields.
but still not restricted access which is what we are trying to achieve

Posted: Sun Oct 17, 2004 10:27 pm
by d3ad1ysp0rk
- Sessions
- Variable called "login_attempts" starts as 0, +1 everytime they attempt to login, if it's 3, don't process the login, and show an error instead.
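The session-counter approach outlined above, written out as an added example (this is not code from the thread or from any poster). It assumes PHP's built-in session handling, a placeholder `check_credentials()` standing in for the application's own password check, and a constructed sample user; the point it adds is the ordering: the limit is checked before the password is ever compared, and the counter is cleared only on a successful login.

```php
<?php
// Added example, not from the thread: session-backed login attempt counter.
// check_credentials() is a placeholder for the application's own lookup.
declare(strict_types=1);

const MAX_LOGIN_ATTEMPTS = 3;

session_start();

// Placeholder credential check against a constructed sample user.
// A real application would load the stored hash from its user table.
function check_credentials(string $user, string $pass): bool
{
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function attempt_login(string $user, string $pass): string
{
    $attempts = (int) ($_SESSION['login_attempts'] ?? 0);

    // Refuse before touching the credentials once the limit is reached.
    if ($attempts >= MAX_LOGIN_ATTEMPTS) {
        return 'Too many failed logins; try again later.';
    }

    if (check_credentials($user, $pass)) {
        unset($_SESSION['login_attempts']);     // reset only on success
        session_regenerate_id(true);            // fresh session id after authentication
        $_SESSION['user'] = $user;
        return 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    }

    // Failed: count it and tell the user how many tries remain.
    $_SESSION['login_attempts'] = $attempts + 1;
    $remaining = MAX_LOGIN_ATTEMPTS - $_SESSION['login_attempts'];
    return "Login failed ({$remaining} attempt(s) left).";
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo attempt_login((string) ($_POST['login'] ?? ''), (string) ($_POST['password'] ?? ''));
}
```

Because the counter lives in the session, it only restrains a client that keeps presenting the same session cookie; a client that discards the cookie starts again at zero, which is why the later posts in this thread move the record to the server side, keyed by IP and time.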

Posted: Mon Oct 18, 2004 12:56 am
by m3mn0n
On a related note: look into using sleep() to prevent scanning/cracking programs from doing their job as easily.

Posted: Tue Oct 19, 2004 5:49 am
by djot
-
hi,

what should sleep() be good for? If access is denied anyway after 3 attempts, sleep will have no use. Also the time being denied would be held in the authentication database anyway!?

djot
-

Posted: Tue Oct 19, 2004 6:56 am
by kettle_drum
sleep() would be to slow down brute force attempts, as the bot doing the work would have to wait a few seconds before trying again.

Assume that the bot can make 10 requests at a time (and it takes 1 second to do). It can make 600 attempts a minute, 36000 an hour etc. Now add a 5 second sleep to the script, so it can still make 10 requests a second, but now it takes 5 seconds, so now only 200 attempts can be made a minute - 12000 an hour - increasing the time needed by a considerable amount.

I would personally log each and every login attempt in a database with the time and IP, username used etc. and then don't allow the login form or its processing page to be loaded until a timeout period has passed - so it stops brute forcing - and then if there are 3 attempts from the same IP in 100 seconds don't let them see the login form.

This way you also have a log of what's been happening on your site, and the same table can be used elsewhere to log other events.
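The database-backed design described in the post above, as an added example (not code from the thread or from any poster): every attempt is written with its time, IP and username, and the login form is refused while the address has 3 or more failures in the last 100 seconds. It assumes PDO with an in-memory SQLite database so that it runs stand-alone; the table name, column names and the sample address are constructed for the example, and a real deployment would point the DSN at its own database and pass the request's real source address and current time.

```php
<?php
// Added example, not from the thread: per-IP login attempt log with a
// sliding time window, following kettle_drum's "3 attempts in 100 seconds".
declare(strict_types=1);

const MAX_ATTEMPTS   = 3;
const WINDOW_SECONDS = 100;

function open_log(): PDO
{
    // In-memory SQLite so the example is self-contained (assumption: real code uses its own DSN).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        ts       INTEGER NOT NULL,
        ip       TEXT    NOT NULL,
        username TEXT    NOT NULL,
        success  INTEGER NOT NULL
    )');
    return $db;
}

// Record one attempt, successful or not; the same table doubles as an audit log.
function record_attempt(PDO $db, string $ip, string $user, bool $ok, int $now): void
{
    $st = $db->prepare('INSERT INTO login_attempts (ts, ip, username, success) VALUES (?, ?, ?, ?)');
    $st->execute([$now, $ip, $user, $ok ? 1 : 0]);
}

// Failed attempts from this address inside the window ending at $now.
function recent_failures(PDO $db, string $ip, int $now): int
{
    $st = $db->prepare('SELECT COUNT(*) FROM login_attempts WHERE ip = ? AND success = 0 AND ts > ?');
    $st->execute([$ip, $now - WINDOW_SECONDS]);
    return (int) $st->fetchColumn();
}

// True while the address must not be shown the login form at all.
function is_blocked(PDO $db, string $ip, int $now): bool
{
    return recent_failures($db, $ip, $now) >= MAX_ATTEMPTS;
}

// Constructed sample traffic: three failures from one address 20 seconds apart.
$db = open_log();
$ip = '203.0.113.7';   // documentation-range address, constructed
$t0 = 1700000000;      // constructed base timestamp
foreach ([0, 20, 40] as $offset) {
    if (is_blocked($db, $ip, $t0 + $offset)) {
        echo "+{$offset}s: blocked, form not served\n";
        continue;
    }
    record_attempt($db, $ip, 'admin', false, $t0 + $offset);
    echo "+{$offset}s: failed attempt recorded\n";
}
var_dump(is_blocked($db, $ip, $t0 + 60));                  // bool(true): 3 failures inside the window
var_dump(is_blocked($db, $ip, $t0 + WINDOW_SECONDS + 41));  // bool(false): all three have aged out
```

The `success` column is what lets the same table serve as the general event log the post mentions; the throttle query only counts rows with `success = 0`, so legitimate logins do not contribute to a block. One caveat a deployment must weigh: the key is the source address, so a block on a shared or NAT address holds for every user behind it, which is the trade-off between the IP-based check here and the per-session counter earlier in the thread.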

Posted: Tue Oct 19, 2004 7:13 am
by m3mn0n
Yep. Excellent advice, kettle_drum.

That's a very good administration strategy for user management applications.

Sessions

Posted: Tue Oct 19, 2004 7:15 am
by feha
You can use sessions to store attempts ...
then check and ban it from the session.
Attacker needs to close browser to try again ...
You can extend this: after x attempts and a session ban, store him in a ban-IP DB forever or for x amount of time ...

http://www.vision.to

Posted: Tue Oct 19, 2004 7:20 am
by djot
-
Hi,

right. That's what I meant with denying access - depending on banned IP don't even show the login form, so you don't need login slowdowns with sleep();

djot
-

Posted: Tue Oct 19, 2004 7:26 am
by kettle_drum
Yeah, but the stopping is just as important as the logging. You want to KNOW that people are trying to break into accounts so you can take further actions - as if you don't notice them doing it, then they can continue - just slowed down a bit.

Posted: Tue Oct 19, 2004 7:36 am
by feha
[Moderator note, feyd: Help us, help you. Please use code tags where appropriate when posting code. Read: Posting Code in the Forums, http://forums.devnetwork.net/viewtopic.php?t=21171]

Code:

// Common include: refuse the request outright once the session is flagged as banned.
// (The code that sets BANNED.SUFFIX is not part of this excerpt.)
if(CCGetSession("BANNED".SUFFIX) == 1)
{
    echo "ACCESS DENIED!";
    exit;
}

you put this in a common file...

part of the code

Code:

if(!CCLoginUser($LogIn_inc->Login->login->Value, $LogIn_inc->Login->password->Value))
{
    $LogIn_inc->Login->Errors->addError("LNG_LOGIN_ERROR_0.");

    if(defined("USE_HACKLOG") && USE_HACKLOG==1)
    {
        // Per-session failure counter: initialise on first failure, then increment.
        if(CCGetSession("HACK_TRY".SUFFIX)==""){CCSetSession("HACK_TRY".SUFFIX,0);}
        CCSetSession("HACK_TRY".SUFFIX,CCGetSession("HACK_TRY".SUFFIX)+1);

        // >= rather than ==, so the limit still holds once the counter has passed MAX_LOGIN.
        if(CCGetSession("HACK_TRY".SUFFIX) >= MAX_LOGIN)
        {
            // Note: this writes the submitted user id and password into the hack log.
            hack_logger($_SERVER["REQUEST_URI"], get_real_ip(), $_SERVER["HTTP_USER_AGENT"], $_SERVER["HTTP_REFERER"], "Invalid Userid : ".$LogIn_inc->Login->login->Value." Or Password : ".$LogIn_inc->Login->password->Value);
            echo "HACK ATTEMPT !? <br>THIS ATTEMPT HAS BEEN LOGGED FOR FURTHER INVESTIGATION.";
            exit;
        }
        $LogIn_inc->Login->Errors->addError("Login ATTEMPT ".CCGetSession("HACK_TRY".SUFFIX));
    }
}

using at http://www.vision.to

regards
feha
