[Phplogcon-dev] brute force password cracking prevention

Rainer Gerhards rgerhards at hq.adiscon.com
Wed Dec 7 17:33:15 CET 2005


oh, and one thing: we would probably need to track failed logins on a
per-ip basis (beware of concurrent requests). Now this simple thing
begins to become complicated ;) Anyhow, I think we are far enough to
create a todo item (but not to solve it).

Is there agreement?

Rainer

> -----Original Message-----
> From: phplogcon-dev-bounces at lists.adiscon.com 
> [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of 
> Andre Lorbach
> Sent: Wednesday, December 07, 2005 5:31 PM
> To: phplogcon-dev at lists.adiscon.com
> Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> 
> Hi,
> 
> Finally I can also say something here ;)
> A sleep of 1000 ms "if" the password was wrong would slow down a brute
> force attack. Sounds like a good idea.
> 
> Regards,
> Andre
> 
> > -----Original Message-----
> > From: phplogcon-dev-bounces at lists.adiscon.com 
> > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of 
> > Michael Meckelein
> > Sent: Wednesday, December 07, 2005 5:23 PM
> > To: phplogcon-dev at lists.adiscon.com
> > Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> > 
> > > Is there something like a sleep() call in php? 
> > 
> > Of course, it is.
> > http://www.php.net/sleep
> > 
> > Michael
> > 
> > 
> > > Sleep(), in most OS, is a
> > > way to tell the OS that the calling process has no interest in being
> > > executed for the specified amount of time.
> > > 
> > > If such a beast exists, we could sleep() a few ms for each wrong login
> > > and maybe up to 30 seconds as the failures increase...
> > > 
> > > Rainer
> > > 
> > > > -----Original Message-----
> > > > From: phplogcon-dev-bounces at lists.adiscon.com
> > > > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of 
> > > > Michael Meckelein
> > > > Sent: Wednesday, December 07, 2005 5:18 PM
> > > > To: phplogcon-dev at lists.adiscon.com
> > > > Subject: [Phplogcon-dev] brute force password cracking prevention
> > > >
> > > > Brian wrote:
> > > > > Side note:
> > > > >  Maybe a good thing to slow it down in the case of brute force password
> > > > > cracking. (Users Table). (scripts can do this, not for us to worry about,
> > > > > yet).
> > > >
> > > > Rainer wrote:
> > > > > hehe... another low priority todo list item - tarpitting attacks (after
> > > > > all, such a brute force may cause the system to exhaust its
> > > > > resources...)
> > > >
> > > > As a simple approach we can log failed login attempts. E.g. if there are
> > > > more than three failed login attempts in a minute, we can disable the
> > > > login for this user for some minutes.
> > > >
> > > > Michael
> > > > _______________________________________________
> > > > Phplogcon-dev mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > >

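As an added illustration (not phplogcon code, and in Python rather than the project's PHP), the mechanism the thread converges on: failed logins tracked per IP under a lock so concurrent requests cannot race, a delay after each wrong password that grows up to 30 seconds, and a lockout once more than three failures land within a minute. The constants, the injectable clock and the IP addresses are assumptions made for this example.

```python
import threading
import time
from collections import defaultdict, deque

WINDOW = 60.0        # failures are counted within this many seconds
MAX_FAILURES = 3     # more than this inside WINDOW triggers a lockout
LOCKOUT = 5 * 60.0   # assumed value for "some minutes"
BASE_DELAY = 1.0     # 1000 ms after a wrong password
MAX_DELAY = 30.0     # escalation cap ("up to 30 seconds")

class LoginThrottle:
    """Per-IP failed-login tracker; the lock guards concurrent requests."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so tests need not sleep
        self._lock = threading.Lock()
        self._failures = defaultdict(deque)  # ip -> failure timestamps
        self._locked_until = {}              # ip -> lockout expiry

    def _recent_failures(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > WINDOW:     # drop entries outside the window
            q.popleft()
        return q

    def is_locked(self, ip):
        with self._lock:
            return self._clock() < self._locked_until.get(ip, 0.0)

    def record_failure(self, ip):
        # Record a wrong password and return the delay (seconds) to impose.
        now = self._clock()
        with self._lock:
            q = self._recent_failures(ip, now)
            q.append(now)
            if len(q) > MAX_FAILURES:
                self._locked_until[ip] = now + LOCKOUT
            return min(BASE_DELAY * 2 ** (len(q) - 1), MAX_DELAY)  # 1, 2, 4 ... s, cap 30

    def record_success(self, ip):
        with self._lock:
            self._failures.pop(ip, None)
            self._locked_until.pop(ip, None)

def attempt_login(throttle, ip, password_ok):
    """Return (status, delay): status is 'locked', 'ok' or 'fail'."""
    if throttle.is_locked(ip):
        return "locked", 0.0  # refuse even a correct password while locked
    if password_ok:
        throttle.record_success(ip)
        return "ok", 0.0
    return "fail", throttle.record_failure(ip)  # caller does time.sleep(delay)
```

The delay is returned rather than slept inside the throttle so the login handler decides where to block; locked-out IPs are refused before the password is even checked, so a correct guess during the lockout gives nothing away.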