[Phplogcon-dev] brute force password cracking prevention

Rainer Gerhards rgerhards at hq.adiscon.com
Wed Dec 7 17:30:11 CET 2005


OK, I propose to usleep((f/2)*1000000+200000) where f is the number of
failed logins. f should not be allowed to grow larger than 60, because I
think we will get into trouble with php execution timeout (there is one,
isn't there? ;)) at some point. Please note that the +200000 handles the
case of just one invalid login.

How does this sound?

Rainer

> -----Original Message-----
> From: phplogcon-dev-bounces at lists.adiscon.com 
> [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of 
> Michael Meckelein
> Sent: Wednesday, December 07, 2005 5:23 PM
> To: phplogcon-dev at lists.adiscon.com
> Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> 
> > Is there something like a sleep() call in php? 
> 
> Of course, it is.
> http://www.php.net/sleep
> 
> Michael
> 
> 
> > Sleep(), in most OS, is a
> > way to tell the OS that the calling process has no interest in being
> > executed for the specified amount of time.
> > 
> > If such a beast exists, we could sleep() a few ms for each wrong login
> > and maybe up to 30 seconds as the failures increase...
> > 
> > Rainer
> > 
> > > -----Original Message-----
> > > From: phplogcon-dev-bounces at lists.adiscon.com
> > > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > > Michael Meckelein
> > > Sent: Wednesday, December 07, 2005 5:18 PM
> > > To: phplogcon-dev at lists.adiscon.com
> > > Subject: [Phplogcon-dev] brute force password cracking prevention
> > >
> > > Brian wrote:
> > > > Side note:
> > > >  Maybe a good thing to slow it down in the case of brute force
> > > > password cracking. (Users Table). (scripts can do this, not for
> > > > us to worry about, yet).
> > >
> > > Rainer wrote:
> > > > hehe... another low priority todo list item - tarpitting attacks
> > > > (after all, such a brute force may cause the system to exhaust its
> > > > resources...)
> > >
> > > As a simple approach we can log failed login attempts. E.g. if there
> > > are more than three failed login attempts in a minute, we can disable
> > > the login for this user for some minutes.
> > >
> > > Michael
> > > _______________________________________________
> > > Phplogcon-dev mailing list
> > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > >
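As an added example (not phpLogCon's own code, and not part of the original thread), the delay schedule proposed at the top of this message, usleep((f/2)*1000000+200000) with f capped at 60, combined with the per-minute lockout suggested in the first message of the thread, written in PHP. The user record layout, the sample user, the 5 minute lock duration and the injected $sleep callback (so the demo records delays instead of waiting) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpLogCon code. Delay schedule from the proposal:
// usleep((f/2)*1000000 + 200000), f = consecutive failed logins, capped at 60:
// 0.7 s after the first failure, +0.5 s per further failure, 30.2 s at the cap.
// Also applies the earlier suggestion of refusing logins for a user after more
// than three failures within a minute. The store is a plain array here; a real
// deployment keeps these counters in the users table, because every PHP request
// is a separate process and an in-memory counter would reset on each attempt.

const MAX_FAILED        = 60;   // cap on f, from the proposal
const LOCK_THRESHOLD    = 3;    // more than this many failures per window locks the user
const LOCK_WINDOW_SEC   = 60;
const LOCK_DURATION_SEC = 300;  // "some minutes": 5 is an assumption

/** Microseconds to sleep after the $failed-th consecutive failed login. */
function tarpitDelayMicros(int $failed): int
{
    $f = min(max($failed, 0), MAX_FAILED);
    // (f/2)*1000000 in integer arithmetic: f/2 is a float for odd f in PHP,
    // and usleep() expects an int.
    return $f * 500000 + 200000;
}

/** Constructed sample user store: username => record (assumed layout). */
function makeStore(): array
{
    return [
        'alice' => [
            'hash'        => password_hash('correct horse battery', PASSWORD_DEFAULT),
            'failed'      => 0,   // consecutive failures (f)
            'windowStart' => 0,   // start of the current one-minute window
            'windowCount' => 0,   // failures inside that window
            'lockedUntil' => 0,   // unix time until which logins are refused
        ],
    ];
}

/**
 * One login attempt. $sleep is 'usleep' in production; it is injected so the
 * demo below can record the delays instead of really waiting.
 * Returns 'ok', 'denied' or 'locked'.
 */
function attemptLogin(array &$store, string $user, string $pass, int $now, callable $sleep): string
{
    if (!isset($store[$user])) {
        $sleep(tarpitDelayMicros(1));   // unknown user: same base delay, so timing does not reveal valid names
        return 'denied';
    }
    $rec = &$store[$user];
    if ($rec['lockedUntil'] > $now) {
        return 'locked';
    }
    if (password_verify($pass, $rec['hash'])) {
        $rec['failed'] = 0;
        $rec['windowCount'] = 0;
        return 'ok';
    }
    $rec['failed']++;
    if ($now - $rec['windowStart'] >= LOCK_WINDOW_SEC) {
        $rec['windowStart'] = $now;
        $rec['windowCount'] = 0;
    }
    $rec['windowCount']++;
    if ($rec['windowCount'] > LOCK_THRESHOLD) {
        $rec['lockedUntil'] = $now + LOCK_DURATION_SEC;
    }
    $sleep(tarpitDelayMicros($rec['failed']));
    return 'denied';
}

// Demo: five wrong passwords one second apart, then the right one.
$store  = makeStore();
$delays = [];
$recorder = function (int $us) use (&$delays): void { $delays[] = $us; };
$t = 1000000;
foreach (['x', 'y', 'z', 'w', 'v'] as $i => $guess) {
    $n = count($delays);
    $r = attemptLogin($store, 'alice', $guess, $t + $i, $recorder);
    $slept = count($delays) > $n ? sprintf('%.1f s', end($delays) / 1e6) : 'none';
    printf("attempt %d: %-6s sleep %s\n", $i + 1, $r, $slept);
}
// The 4th failure exceeded three per minute, so 'alice' is locked even with the
// right password; it works again once the lock has expired.
printf("right password now: %s\n",
    attemptLogin($store, 'alice', 'correct horse battery', $t + 5, $recorder));
printf("right password after lock: %s\n",
    attemptLogin($store, 'alice', 'correct horse battery', $t + 5 + LOCK_DURATION_SEC, $recorder));
```

Two caveats on the execution-timeout concern raised above: on Unix-like systems PHP's max_execution_time counts only the script's own CPU time, so time spent in usleep() is not charged against it (on Windows it is measured in real time), but the web server's own request timeout still applies. And the sleep holds a PHP worker for its whole duration, so a parallel flood of attempts still ties up workers; it is the lock, with counters kept server-side, that actually stops the guessing. Since the counter is keyed by username, an attacker can also make the legitimate user wait or lock that user out, which is the usual trade-off of per-account throttling.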