[Phplogcon-dev] brute force password cracking prevention

Brian Shea bgshea at gmail.com
Wed Dec 7 18:45:14 CET 2005


Yep, this all sounds good. Let's put it on a TODO list.



On 12/7/05, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
>
> ok, so "f" should not grow larger than 50 (25.2 seconds sleep time).
>
> --Rainer
>
> > -----Original Message-----
> > From: phplogcon-dev-bounces at lists.adiscon.com
> > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > Michael Meckelein
> > Sent: Wednesday, December 07, 2005 5:35 PM
> > To: phplogcon-dev at lists.adiscon.com
> > Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> >
> > Actually, maximum execution time is 30 seconds by default. Editable in
> > php.ini (max_execution_time).
> >
> > Michael
> >
> > > -----Original Message-----
> > > From: phplogcon-dev-bounces at lists.adiscon.com [mailto:phplogcon-dev-
> > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > Sent: Wednesday, December 07, 2005 5:30 PM
> > > To: phplogcon-dev at lists.adiscon.com
> > > Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> > >
> > > OK, I propose to usleep((f/2)*1000000+200000) where f is the number of
> > > failed logins. f should not be allowed to grow larger than 60, because I
> > > think we will get into trouble with php execution timeout (there is one,
> > > isn't it? ;)) at some point. Please note that the +200000 handles the
> > > case of just one invalid login.
> > >
> > > How does this sound?
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: phplogcon-dev-bounces at lists.adiscon.com
> > > > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > > > Michael Meckelein
> > > > Sent: Wednesday, December 07, 2005 5:23 PM
> > > > To: phplogcon-dev at lists.adiscon.com
> > > > Subject: Re: [Phplogcon-dev] brute force password cracking prevention
> > > >
> > > > > Is there something like a sleep() call in php?
> > > >
> > > > Of course, it is.
> > > > http://www.php.net/sleep
> > > >
> > > > Michael
> > > >
> > > >
> > > > > Sleep(), in most OS, is a
> > > > > way to tell the OS that the calling process has no interest in being
> > > > > executed for the specified amount of time.
> > > > >
> > > > > If such a beast exists, we could sleep() a few ms for each wrong login
> > > > > and maybe up to 30 seconds as the failures increase...
> > > > >
> > > > > Rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: phplogcon-dev-bounces at lists.adiscon.com
> > > > > > [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of
> > > > > > Michael Meckelein
> > > > > > Sent: Wednesday, December 07, 2005 5:18 PM
> > > > > > To: phplogcon-dev at lists.adiscon.com
> > > > > > Subject: [Phplogcon-dev] brute force password cracking prevention
> > > > > >
> > > > > > Brian wrote:
> > > > > > > Side note:
> > > > > > >  Maybe a good thing to slow it down in the case of brute force password
> > > > > > > cracking. (Users Table). (scripts can do this, not for us to worry about,
> > > > > > > yet).
> > > > > >
> > > > > > Rainer wrote:
> > > > > > > hehe... another low priority todo list item - tarpitting attacks (after
> > > > > > > all, such a brute force may cause the system to exhaust its
> > > > > > > resources...)
> > > > > >
> > > > > > As a simple approach we can log failed login attempts. E.g. if there are
> > > > > > more than three failed login attempts in a minute, we can disable the
> > > > > > login for this user for some minutes.
> > > > > >
> > > > > > Michael
> > > > > > _______________________________________________
> > > > > > Phplogcon-dev mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > > > >
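A throttle that puts the two proposals from the thread together, Rainer's usleep() backoff with f capped at 50 and Michael's lockout after more than three failures in a minute, added here as an example and not code from phpLogCon; the function names, the in-memory $failures store and the 5-minute lockout length are assumptions.

```php
<?php
// Added example, not phpLogCon's own code: Rainer's growing usleep() per failed
// login (f capped at 50, i.e. 25.2 s at most, under PHP's default 30 s
// max_execution_time) plus Michael's lockout after more than three failures in
// a minute. Function names, the $failures array and the 5-minute lockout are assumptions.

const FAILURE_CAP        = 50;   // f must not grow past 50 (25.2 s sleep)
const LOCKOUT_THRESHOLD  = 3;    // more than three failures ...
const LOCKOUT_WINDOW_SEC = 60;   // ... within one minute ...
const LOCKOUT_SEC        = 300;  // ... disable login for some minutes (5 assumed)

// Microseconds to sleep after $f failed logins: (f/2)*1000000 + 200000.
function failed_login_delay_us(int $f): int
{
    $f = min(max($f, 0), FAILURE_CAP);
    return (int) (($f / 2) * 1000000 + 200000); // +200000 covers the first failure
}

// False when the delay would trip PHP's execution timeout instead of sleeping.
function delay_is_safe(int $delayUs): bool
{
    $limit = (int) ini_get('max_execution_time'); // 0 = unlimited (e.g. CLI)
    return $limit === 0 || $delayUs < $limit * 1000000;
}

// Record one failure for $user; returns the delay to apply and the lockout state.
function handle_failed_login(array &$failures, string $user, int $now): array
{
    $rec = $failures[$user] ?? ['count' => 0, 'times' => [], 'locked_until' => 0];
    $rec['count']++;                        // reset to 0 on a successful login
    // Keep only the failures still inside the window, then add this one.
    $rec['times'] = array_values(array_filter(
        $rec['times'], fn(int $t) => $now - $t < LOCKOUT_WINDOW_SEC));
    $rec['times'][] = $now;
    if (count($rec['times']) > LOCKOUT_THRESHOLD) {
        $rec['locked_until'] = $now + LOCKOUT_SEC;
    }
    $failures[$user] = $rec;
    return ['delay_us' => failed_login_delay_us($rec['count']),
            'locked_until' => $rec['locked_until']];
}

// Constructed walk-through: five bad passwords for one user within 20 seconds.
$failures = [];
foreach ([0, 5, 10, 15, 20] as $offset) {
    $r = handle_failed_login($failures, 'alice', 1000 + $offset);
    printf("failure %d: sleep %.1f s (safe: %s), locked until %d\n", $failures['alice']['count'],
        $r['delay_us'] / 1e6, delay_is_safe($r['delay_us']) ? 'yes' : 'no', $r['locked_until']);
}
```

The fourth failure in the walk-through sets locked_until while the sleep has only reached 2.2 s; since every sleeping request still occupies a PHP worker, a locked user should be rejected before the password check rather than relying on the delay alone.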


