[Phplogcon-dev] brute force password cracking prevention
Rainer Gerhards
rgerhards at hq.adiscon.com
Wed Dec 7 17:20:28 CET 2005
Is there something like a sleep() call in php? Sleep(), in most OS, is a
way to tell the OS that the calling process has no interest in being
executed for the specified amount of time.
If such a beast exists, we could sleep() a few ms for each wrong login
and maybe up to 30 seconds as the failures increase...
Rainer
> -----Original Message-----
> From: phplogcon-dev-bounces at lists.adiscon.com
> [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> Michael Meckelein
> Sent: Wednesday, December 07, 2005 5:18 PM
> To: phplogcon-dev at lists.adiscon.com
> Subject: [Phplogcon-dev] brute force password cracking prevention
>
> Brian wrote:
> > Side note:
> > Maybe a good thing to slow it down in the case of brute force password
> > cracking. (Users Table). (scripts can do this, not for us to worry about,
> > yet).
>
> Rainer wrote:
> > hehe... another low priority todo list item - tarpitting attacks (after
> > all, such a brute force may cause the system to exhaust its
> > resources...)
>
> As a simple approach we can log failed login attempts. E.g. if there are
> more than three failed login attempts in a minute, we can disable the
> login for this user for some minutes.
>
> Michael
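
The two measures proposed in this thread, a growing sleep after each wrong login and a temporary lockout after more than three failures in a minute, combined in one sketch. This is an added example, not part of the original messages and not phplogcon code; the constants, function names, the in-memory `$store` array and the `$passwordOk` flag are assumptions made for illustration.

```php
<?php
// Added example: constants, function names and the array store are assumptions.
const BASE_DELAY_MS  = 50;    // "a few ms" for the first wrong login
const MAX_DELAY_MS   = 30000; // "up to 30 seconds"
const WINDOW_SECONDS = 60;    // "in a minute"
const MAX_FAILURES   = 3;     // lock on "more than three" failures
const LOCK_SECONDS   = 300;   // "some minutes" (assumed: five)

// Delay doubles with each recorded failure and is capped at MAX_DELAY_MS.
function tarpit_delay_ms(int $failures): int
{
    if ($failures < 1) return 0;
    return min(BASE_DELAY_MS << min($failures - 1, 16), MAX_DELAY_MS);
}

// Locked when more than MAX_FAILURES failures fall in the WINDOW_SECONDS
// before the latest failure and LOCK_SECONDS have not yet passed since it.
function is_locked(array $failTimes, int $now): bool
{
    if (!$failTimes) return false;
    $last = max($failTimes);
    $recent = array_filter($failTimes, fn($t) => $t > $last - WINDOW_SECONDS);
    return count($recent) > MAX_FAILURES && $now < $last + LOCK_SECONDS;
}

// $store maps user name => failure timestamps (a users-table column or
// separate table in practice). $passwordOk stands in for the real check.
function attempt_login(array &$store, string $user, bool $passwordOk, int $now): bool
{
    $fails = $store[$user] ?? [];
    if (is_locked($fails, $now)) return false; // refuse, even if correct
    if ($passwordOk) {
        unset($store[$user]);                  // success clears the history
        return true;
    }
    $fails[] = $now;
    $keepAfter = $now - WINDOW_SECONDS - LOCK_SECONDS; // prune old entries
    $store[$user] = array_values(array_filter($fails, fn($t) => $t > $keepAfter));
    usleep(tarpit_delay_ms(count($store[$user])) * 1000); // ms -> microseconds
    return false;
}

// Constructed run: five wrong logins one second apart, then the right password
// during the lock window and again once the lock has expired.
$store = [];
foreach ([0, 1, 2, 3, 4] as $t) attempt_login($store, 'alice', false, 1000 + $t);
var_dump(attempt_login($store, 'alice', true, 1010));
var_dump(attempt_login($store, 'alice', true, 1003 + LOCK_SECONDS));
```

Each sleeping request holds a PHP worker for the length of the delay, so the cap and the number of concurrent login requests decide whether the tarpit itself eats into the resources the thread is worried about.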