Blocking IP after x unsuccessful login attempts?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


josamoto
Forum Commoner
Posts: 41
Joined: Fri Aug 24, 2007 6:57 am
Location: South Africa

Re: Blocking IP after x unsuccessful login attempts?

Post by josamoto »

Thanks for the many informative replies, everyone! I think a combination of strong Captcha, and a limit to login attempts, and IP blocking AND maybe IP blocking might be a good idea.

I might use:
- Captcha to challenge the bots,
- Limited login attempts that block IP's and usernames to prevent bruteforce attacks.
- And a simple "Forgot my password", but only, "My IP has been blocked" feature for DOS victims that don't want to wait 15 minutes.

I'll also consider building in the ability to turn IP blocking and user blocking on and off etc. to counter DOS attempts.

Oh, and mod_evasive looks like a good solution for preventing DOS altogether.

Keeping malicious people out of a site is a challenge, there is no guarantee that you can stop them, but slow them down so they can grow old and gray hacking your site, that's a definite possibility! :)

Thanks for the brainstorming guys!!!
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Blocking IP after x unsuccessful login attempts?

Post by Maugrim_The_Reaper »

Bear in mind if using CAPTCHA, then it would be really nice to allow for alternate CAPTCHAs that don't require a pair of perfectly healthy eyes. reCAPTCHA is one of my recommendations - it does everything except fix your kitchen sink when it backs up.
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

Re: Blocking IP after x unsuccessful login attempts?

Post by Jaxolotl »

josamoto wrote: I can try blocking them by:
a) session id
b) ip address

...but

a) ...can be tricked by simply restarting the browser, thus creating a new session.
b) ...can be tricked by using proxies and techniques I don't even know about, not even to mention ISP's that give dynamic IP addresses.
To prevent getting just the IP of the proxy you may use three server variables: $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'].
Here you have an example http://ar.php.net/manual/en/language.va ... .php#31724
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by Mordred »

Jaxolotl wrote: To prevent getting just the IP of the proxy you may use three server variables: $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'].
Here you have an example http://ar.php.net/manual/en/language.va ... .php#31724
X-Forwarded-For? You don't actually know much about proxies, do you? This is a security forum, we measure our methods against malicious adversaries, not against pious users.
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

Re: Blocking IP after x unsuccessful login attempts?

Post by Jaxolotl »

Mordred wrote: X-Forwarded-For? You don't actually know much about proxies, do you? This is a security forum, we measure our methods against malicious adversaries, not against pious users.
Well, we all know that X-Forwarded-For and HTTP_HOST can be faked by manipulating the HTTP headers. I was just suggesting the idea of getting all of them (as I do) and trusting none of them; even if REMOTE_ADDR can't be faked as easily as X-Forwarded-For, its information may not be the real user IP but the proxy's.

When I save user access I save $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] if available, and $_SERVER['REMOTE_HOST'] if available, to have them for further analysis if I need it.

By the way -- "You don't actually know much about proxies, do you?" -- no I don't, you're right. Would you suggest some dedicated, good-quality information to retrieve and study, that you have already studied and consider relevant? I'm very interested in this topic to improve my knowledge about security.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by Mordred »

I can't really recommend a book on HTTP and proxies, I learned the hard way - just went and wrote one.
The several HTTP RFCs are an excellent source, if a bit hard to read (also there are one or two caveats where reality differs from RFC). Following some grey/blackhat resources on the subject of anonymous proxies will provide interesting and different angles on the problem as well.

Back on topic, the rules for dealing with proxies are simple:

1. Don't rely on detecting them. There are undetectable proxies, so deal with security as if all attacks would come from such ones.

2. Whenever appropriate, do try to detect and log proxified IPs, but don't make decisions based on them, leave them for human audit only. Every header is spoofable.

3. When you need to, inspect and log all HTTP headers that look like IPs. There are several standard and several non-standard, but widely used, proxy-related headers. There are bizarre headers only set by certain proxies. You can't know or expect which will be filled in the request. The only possible solution is to log them all.
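An added example, not code from any poster in this thread, putting together josamoto's plan (limited attempts with a 15-minute block on both the username and the IP) with Mordred's rules (decide only on REMOTE_ADDR, log every IP-looking header for human audit). It assumes a PDO connection $pdo, a constructed table login_attempts(username, remote_addr, attempted_at, proxy_headers) and a hypothetical checkCredentials() function.

```php
<?php
// Added example (not from the thread). Assumes $pdo and the constructed
// login_attempts table described in the lead-in.

const MAX_ATTEMPTS   = 5;
const WINDOW_SECONDS = 900; // 15 minutes, as in josamoto's post

// Mordred's rule 3: collect every request header whose value looks like an
// IP. These are spoofable, so they are stored for audit only, never trusted.
function collectIpHeaders(array $server): array {
    $seen = [];
    foreach ($server as $key => $value) {
        if (strpos($key, 'HTTP_') !== 0) continue;
        foreach (explode(',', (string) $value) as $candidate) {
            $candidate = trim($candidate);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                $seen[$key][] = $candidate;
            }
        }
    }
    return $seen;
}

// Mordred's rule 1: the only value used for a decision is REMOTE_ADDR, the
// socket peer. The lockout triggers if either the username or that IP has
// reached MAX_ATTEMPTS failures inside the window (josamoto's scheme).
function isLockedOut(PDO $pdo, string $username, string $ip): bool {
    $stmt = $pdo->prepare(
        'SELECT SUM(username = :u), SUM(remote_addr = :ip)
           FROM login_attempts WHERE attempted_at > :since'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip,
                    ':since' => time() - WINDOW_SECONDS]);
    [$byUser, $byIp] = $stmt->fetch(PDO::FETCH_NUM);
    return max((int) $byUser, (int) $byIp) >= MAX_ATTEMPTS;
}

function recordFailure(PDO $pdo, string $username, string $ip, array $headers): void {
    $stmt = $pdo->prepare(
        'INSERT INTO login_attempts (username, remote_addr, attempted_at, proxy_headers)
         VALUES (:u, :ip, :t, :h)'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip, ':t' => time(),
                    ':h' => json_encode($headers)]);
}

// Login handler (constructed usage):
$ip = $_SERVER['REMOTE_ADDR'];
if (isLockedOut($pdo, $_POST['username'], $ip)) { http_response_code(429); exit; }
if (!checkCredentials($_POST['username'], $_POST['password'])) {
    recordFailure($pdo, $_POST['username'], $ip, collectIpHeaders($_SERVER));
}
```

The per-username count is what makes the lockout usable against distributed brute force, and it is also what lets an attacker lock out a victim, which is the DOS case josamoto's "My IP has been blocked" feature exists for.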
Jaxolotl
Forum Contributor
Posts: 137
Joined: Mon Nov 13, 2006 4:19 am
Location: Argentina and Italy

Re: Blocking IP after x unsuccessful login attempts?

Post by Jaxolotl »

Thanks Mordred !
I'll start by reading your personal Codex Securitatis ;)