[Phplogcon-dev] brute force password cracking prevention

Michael Meckelein mmeckelein at hq.adiscon.com
Wed Dec 7 17:35:21 CET 2005


Actually, maximum execution time is 30 seconds by default. Editable in
php.ini (max_execution_time).

Michael

> -----Original Message-----
> From: phplogcon-dev-bounces at lists.adiscon.com [mailto:phplogcon-dev-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, December 07, 2005 5:30 PM
> To: phplogcon-dev at lists.adiscon.com
> Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> 
> OK, I propose to usleep((f/2)*1000000+200000) where f is the number of
> failed logins. f should not be allowed to grow larger than 60, because I
> think we will get into trouble with php execution timeout (there is one,
> isn't there? ;)) at some point. Please note that the +200000 handles the
> case of just one invalid login.
> 
> How does this sound?
> 
> Rainer
> 
> > -----Original Message-----
> > From: phplogcon-dev-bounces at lists.adiscon.com
> > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > Michael Meckelein
> > Sent: Wednesday, December 07, 2005 5:23 PM
> > To: phplogcon-dev at lists.adiscon.com
> > Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> >
> > > Is there something like a sleep() call in php?
> >
> > Of course, it is.
> > http://www.php.net/sleep
> >
> > Michael
> >
> >
> > > Sleep(), in most OS, is a
> > > way to tell the OS that the calling process has no interest in being
> > > executed for the specified amount of time.
> > >
> > > If such a beast exists, we could sleep() a few ms for each wrong login
> > > and maybe up to 30 seconds as the failures increase...
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: phplogcon-dev-bounces at lists.adiscon.com
> > > > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > > > Michael Meckelein
> > > > Sent: Wednesday, December 07, 2005 5:18 PM
> > > > To: phplogcon-dev at lists.adiscon.com
> > > > Subject: [Phplogcon-dev] brute force password cracking prevention
> > > >
> > > > Brian wrote:
> > > > > Side note:
> > > > >  Maybe a good thing to slow it down in the case of brute force password
> > > > > cracking. (Users Table). (scripts can do this, not for us to worry about,
> > > > > yet).
> > > >
> > > > Rainer wrote:
> > > > > hehe... another low priority todo list item - tarpitting attacks (after
> > > > > all, such a brute force may cause the system to exhaust its
> > > > > resources...)
> > > >
> > > > As a simple approach we can log failed login attempts. E.g. if there are
> > > > more than three failed login attempts in a minute, we can disable the
> > > > login for this user for some minutes.
> > > >
> > > > Michael
> > > > _______________________________________________
> > > > Phplogcon-dev mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > >
