
Re: Blocking IP after x unsuccessful login attempts?

Posted: Wed May 21, 2008 3:47 pm
by josamoto
Thanks for the many informative replies, everyone! I think a combination of strong Captcha, a limit to login attempts, and IP blocking AND maybe IP blocking might be a good idea.

I might use:
- Captcha to challenge the bots,
- Limited login attempts that block IPs and usernames to prevent brute-force attacks.
- And a simple "Forgot my password"-style, but only "My IP has been blocked", feature for DoS victims who don't want to wait 15 minutes.

I'll also consider building in the ability to turn IP blocking and user blocking on and off, etc., to counter DoS attempts.

Oh, and mod_evasive looks like a good solution for preventing DoS altogether.

Keeping malicious people out of a site is a challenge; there is no guarantee that you can stop them, but slowing them down so they can grow old and gray hacking your site, that's a definite possibility! :)

Thanks for the brainstorming guys!!!
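The plan in this post (failed-login counts per IP and per username, a 15-minute block, and a manual unblock for people locked out by someone else) as an added example. It is not code from this thread, and it is written in Python rather than the thread's PHP; the thresholds and the in-memory store are assumptions made so the script runs stand-alone.

```python
"""Failed-login limiter keyed on both the source IP and the username.

Added example; not code from this thread. Thresholds and the in-memory
store are assumptions made so the script runs stand-alone; a real
deployment needs a store shared by every web node.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # failures inside the window before a key is blocked
WINDOW_SECONDS = 15 * 60  # sliding window in which failures are counted
BLOCK_SECONDS = 15 * 60   # the 15-minute wait mentioned in the post


class LoginLimiter:
    def __init__(self, now=time.time):
        self._now = now                        # injectable clock, handy for tests
        self._failures = defaultdict(deque)    # key -> timestamps of recent failures
        self._blocked_until = {}               # key -> time the block expires

    @staticmethod
    def _keys(ip, username):
        # Two independent counters: one stops a single source from spraying
        # many accounts, the other stops many sources from hammering one account.
        return "ip:" + ip, "user:" + username.lower()

    def is_blocked(self, key):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if until <= self._now():
            del self._blocked_until[key]       # block has expired
            return False
        return True

    def check(self, ip, username):
        """True if a login attempt from ip for username may be processed at all."""
        return not any(self.is_blocked(k) for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self._now()
        for key in self._keys(ip, username):
            q = self._failures[key]
            while q and q[0] <= now - WINDOW_SECONDS:
                q.popleft()                    # drop failures outside the window
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self._blocked_until[key] = now + BLOCK_SECONDS
                q.clear()

    def record_success(self, ip, username):
        # A correct password clears the account's counter but not the IP's:
        # knowing one valid account must not launder an IP that is spraying others.
        self._failures.pop("user:" + username.lower(), None)

    def unblock(self, ip=None, username=None):
        """Manual unblock for the 'My IP has been blocked' feature. The caller is
        responsible for proving the requester is the legitimate user first
        (for instance with an e-mailed one-time link); otherwise the attacker
        simply unblocks themselves."""
        keys = []
        if ip is not None:
            keys.append("ip:" + ip)
        if username is not None:
            keys.append("user:" + username.lower())
        for key in keys:
            self._blocked_until.pop(key, None)
            self._failures.pop(key, None)


if __name__ == "__main__":
    limiter = LoginLimiter()
    for _ in range(MAX_FAILURES):
        limiter.record_failure("203.0.113.5", "alice")   # constructed sample traffic
    print("alice from 203.0.113.5 allowed?", limiter.check("203.0.113.5", "alice"))    # False
    print("alice from 198.51.100.7 allowed?", limiter.check("198.51.100.7", "alice"))  # False
    limiter.unblock(username="alice")
    print("alice from 198.51.100.7 after unblock?", limiter.check("198.51.100.7", "alice"))  # True
```

Note what the username counter buys and costs: it stops a distributed guess against one account, but it also lets anyone lock that account for 15 minutes by typing five wrong passwords, which is exactly the DoS the post wants the unblock feature for.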

Re: Blocking IP after x unsuccessful login attempts?

Posted: Thu May 22, 2008 3:32 am
by Maugrim_The_Reaper
Bear in mind if using CAPTCHA, then it would be really nice to allow for alternate CAPTCHAs that don't require a pair of perfectly healthy eyes. reCAPTCHA is one of my recommendations - it does everything except fix your kitchen sink when it backs up.

Re: Blocking IP after x unsuccessful login attempts?

Posted: Sun Jun 01, 2008 10:41 am
by Jaxolotl
josamoto wrote: I can try blocking them by:
a) session id
b) ip address

...but

a) ...can be tricked by simply restarting the browser, thus creating a new session.
b) ...can be tricked by using proxies and techniques I don't even know about, not even to mention ISPs that give dynamic IP addresses.
To prevent getting just the IP of the proxy you may use three server variables: $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR']
Here you have an example http://ar.php.net/manual/en/language.va ... .php#31724

Re: Blocking IP after x unsuccessful login attempts?

Posted: Sun Jun 01, 2008 2:39 pm
by Mordred
Jaxolotl wrote: To prevent getting just the IP of the proxy you may use three server variables: $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR']
Here you have an example http://ar.php.net/manual/en/language.va ... .php#31724
X-Forwarded-For? You don't actually know much about proxies, do you? This is a security forum, we measure our methods against malicious adversaries, not against pious users.

Re: Blocking IP after x unsuccessful login attempts?

Posted: Mon Jun 02, 2008 8:10 am
by Jaxolotl
Mordred wrote: X-Forwarded-For? You don't actually know much about proxies, do you? This is a security forum, we measure our methods against malicious adversaries, not against pious users.
Well, we all know that X-Forwarded-For and HTTP_HOST can be faked by manipulating the HTTP headers; I was just suggesting the idea of getting all of them (as I do) and trusting none of them. Even if REMOTE_ADDR cannot be faked as easily as X-Forwarded-For, its information may not be the real user IP but the proxy's.

When I save users' access I save $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] if available, and $_SERVER['REMOTE_HOST'] if available, to have them for further analysis if I need it.

By the way, "You don't actually know much about proxies, do you?": no I don't, you're right. Would you suggest some dedicated, good-quality information to retrieve and study, that you have already studied and consider relevant? I'm very interested in this topic, to improve my knowledge about security.

Re: Blocking IP after x unsuccessful login attempts?

Posted: Mon Jun 02, 2008 4:46 pm
by Mordred
I can't really recommend a book on HTTP and proxies, I learned the hard way - just went and wrote one.
The several HTTP RFCs are an excellent source, if a bit hard to read (also there are one or two caveats where reality differs from RFC). Following some grey/blackhat resources on the subject of anonymous proxies will provide interesting and different angles on the problem as well.

Back on topic, the rules for dealing with proxies are simple:

1. Don't rely on detecting them. There are undetectable proxies, so deal with security as if all attacks would come from such ones.

2. Whenever appropriate, do try to detect and log proxified IPs, but don't make decisions based on them, leave them for human audit only. Every header is spoofable.

3. When you need to, inspect and log all HTTP headers that look like IPs. There are several standard and several non-standard, but widely used, proxy-related headers. There are bizarre headers only set by certain proxies. You can't know or expect which will be filled in the request. The only possible solution is to log them all.
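The three rules above, plus Jaxolotl's "save all of them, trust none of them" logging, as an added example. It is not code from this thread and is written in Python rather than PHP; the request is modelled as a peer address (what PHP exposes as REMOTE_ADDR) plus a header dict, and the sample values and the trusted-proxy list are assumptions. It goes one step beyond the post in one place: when your own reverse proxy sits in front of the application, REMOTE_ADDR is always that proxy, so the decision function lets you declare your proxies and take the rightmost X-Forwarded-For hop that is not one of them.

```python
"""Proxy-aware source address handling for the blocking decision.

Added example; not code from this thread and written in Python rather than
PHP. The request is modelled as a peer address (PHP's REMOTE_ADDR) plus a
header dict; sample values and the trusted-proxy list are assumptions.
"""
import ipaddress


def _parse_ip(text):
    """ipaddress object for text, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip().strip('"'))
    except ValueError:
        return None


def ip_like_headers(headers):
    """Rule 3: every header whose value contains something that parses as an
    IP address, keyed by lower-cased name. No fixed list of header names,
    because you cannot know which proxy-related headers a request will carry."""
    found = {}
    for name, value in headers.items():
        # Split comma lists (X-Forwarded-For) and key=value;key=value (Forwarded).
        tokens = [p.split("=")[-1] for chunk in value.split(",") for p in chunk.split(";")]
        if any(_parse_ip(t) is not None for t in tokens):
            found[name.lower()] = value
    return found


def audit_record(remote_addr, headers):
    """Rule 2: what goes to the log for a human to look at later. Nothing in
    ip_headers feeds the blocking decision."""
    return {"remote_addr": remote_addr, "ip_headers": ip_like_headers(headers)}


def client_ip_for_decision(remote_addr, headers, trusted_proxies=()):
    """Rule 1: decide on the peer address only. Extension beyond the post: if the
    peer is one of your own reverse proxies, walk X-Forwarded-For from the right
    and use the first hop that is not one of your proxies. Hops further left were
    supplied by the client and are ignored."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        return str(peer)                       # direct connection: headers are irrelevant
    lower = {k.lower(): v for k, v in headers.items()}
    hops = [h for h in lower.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break                              # malformed hop: trust nothing to its left
        if ip not in trusted:
            return str(ip)
    return str(peer)                           # empty or entirely internal chain


if __name__ == "__main__":
    # Constructed request: attacker connecting directly, claiming to be 10.0.0.1.
    spoofed = {"X-Forwarded-For": "10.0.0.1", "Client-IP": "10.0.0.1", "User-Agent": "curl/7.0"}
    print(audit_record("203.0.113.5", spoofed))
    print(client_ip_for_decision("203.0.113.5", spoofed))                  # 203.0.113.5
    # Same attacker, now reaching the app through our reverse proxy 192.0.2.10,
    # which appended the address it actually saw.
    proxied = {"X-Forwarded-For": "10.0.0.1, 203.0.113.5"}
    print(client_ip_for_decision("192.0.2.10", proxied, ["192.0.2.10"]))   # 203.0.113.5
```

The trusted list must contain only addresses you control; if it is ever widened to "anything in 10/8" on a network where clients can reach the application directly, the client regains control of the address you block on.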

Re: Blocking IP after x unsuccessful login attempts?

Posted: Tue Jun 03, 2008 10:58 am
by Jaxolotl
Thanks Mordred !
I'll start by reading your personal Codex Securitatis ;)