Highway of Life, Board Member
Joined: 19 Nov 2008
Posts: 3
Location: 127.0.0.1
Posted: Fri Feb 13, 2009 10:28 pm
Post subject: Re: The end
~Cowboy~ wrote:
    Let's face it, how many people mistype their password 4 times in a row?

I've done it before... I have several passwords that are similar to UftzZ6f8gse20CJk8/c9t0bQF that I have memorised, but because I get into the habit of the rhythm of my fingers when I type it, on a bad-typing day I can (and have) mistyped my password 4 or 5 times in a row.
A password like that is really easy to make a mistake on.
_________________
phpBB.com Modifications Team Member
Co-Founder phpBB Academy at StarTrekGuide
roadhog, Board Member
Joined: 18 Nov 2008
Posts: 96
Location: Central Texas
Posted: Fri Feb 13, 2009 10:51 pm
Post subject: Re: The end
Highway of Life wrote:
    ~Cowboy~ wrote:
        Let's face it, how many people mistype their password 4 times in a row?
    I've done it before... I have several passwords that are similar to UftzZ6f8gse20CJk8/c9t0bQF that I have memorised, but because I get into the habit of the rhythm of my fingers when I type it, on a bad-typing day I can (and have) mistyped my password 4 or 5 times in a row.
    A password like that is really easy to make a mistake on.

I've done it too.
~Cowboy~, Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Fri Feb 13, 2009 11:17 pm
Post subject: Re: The end
Then I would see you guys in a more careful typing mood in about 60 min.
But seriously... if that happens and they don't want to wait an hour, you can let them in from the admin panel if they contact you via email. It happened on my board once last year.
I have had it set up like that for 2 years and only had one complaint.
_________________
We are not refugees, we are trail blazers.
drathbun, Board Member
Joined: 24 Jul 2008
Posts: 729
Location: Texas
Posted: Sat Feb 14, 2009 2:26 am
Post subject: Re: The end
The lock-out can also be accelerated over time.
3 bad attempts, locked out for five minutes.
3 more bad attempts, locked out for 30 minutes.
3 more bad attempts, locked out for 24 hours.
3 more bad attempts, locked out for 72 hours.
3 more bad attempts, locked out for a week.
You get the idea. The more bad attempts there are in a row, the longer you're locked out. Some mail spam detection works that way. The more times a domain lookup fails, the longer the next attempt takes, until eventually the mail domain could end up banned.
_________________
phpBBDoctor Blog
~Cowboy~, Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Sat Feb 14, 2009 2:54 am
Post subject: Re: The end
Hey, I like that idea. That could put an end to brute forcing with the pyramid effect. So the more they try, the longer it takes before they can try again.
About the 15th failed try they would have to wait till next year to try it again. ROTFL
Of course they could use a dynamic IP address to get around it, but it may take them a while to figure that out.
_________________
We are not refugees, we are trail blazers.
Sylver Cheetah 53, Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Sat Feb 14, 2009 7:57 am
Post subject: Re: The end
This is incorrect, actually. Most brute force programs use lots and lots of proxies, a few hundred. They rotate them, of course, and it could be configured to follow the board's settings. Yes, if you allow fewer login attempts, then there are more rotations, and fewer proxies to go through until going back to the first one, which can still be blocked if the block time is high. But like someone was saying, you'll only make the brute force process longer; the password can still be broken. There are even programs that, when you stop them, stop at the last tried combination, and you can continue from where you left off. The best defence is to put in special characters (#@$%*), which are almost never tried (only if the attacker adds them manually).
_________________
My Forum || My Blog
phpBB2 forever!
Jim_UK, Board Member
Joined: 19 Nov 2008
Posts: 656
Location: North West UK
Posted: Sat Feb 14, 2009 11:54 am
Post subject: Re: The end
I have had some bot-like activity today from IPs in the range 84.235.73.*, with several of those IPs showing (I have the bot MOD, so they appeared as guests). With so many in the same group there at once, I Googled one of them and found that the range is from Saudi Arabia and they are associated with recent dictionary attacks on sites.
I wish the internet was a safer place, and then I could spend more time doing what I want on my site instead of standing guard over it.
Jim
~Cowboy~, Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Sat Feb 14, 2009 11:58 am
Post subject: Re: The end
@ Sylver Cheetah 53,
That's why I mentioned the dynamic IPs.
~Cowboy~ wrote:
    Of course they could use a dynamic IP address to get around it, but it may take them a while to figure that out.
_________________
We are not refugees, we are trail blazers.
drathbun, Board Member
Joined: 24 Jul 2008
Posts: 729
Location: Texas
Posted: Sat Feb 14, 2009 2:44 pm
Post subject: Re: The end
Changing an IP address has nothing to do with this. It's logging attempts to log in, not attempts per IP address. You could use a different IP every time, and it still wouldn't matter.
The primary problem with that is it can be used maliciously. Someone could simulate a brute-force attack against a legitimate member and lock them out.
_________________
phpBBDoctor Blog
~Cowboy~, Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Sat Feb 14, 2009 4:13 pm
Post subject: Re: The end
I never even thought about that.
I don't think I ever ran across that issue before.
_________________
We are not refugees, we are trail blazers.
Sylver Cheetah 53, Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Sat Feb 14, 2009 5:22 pm
Post subject: Re: The end
~Cowboy~ wrote:
    That's why I mentioned the dynamic IPs.
    ~Cowboy~ wrote:
        Of course they could use a dynamic IP address to get around it, but it may take them a while to figure that out.

It's not the same thing. I have a dynamic IP, but it would be very hard to change IP every 1 second to get around the login attempts block. And I would have to do it manually, plus I could get my IP range blocked. Proxy servers are far more dangerous than just a dynamic IP.
drathbun wrote:
    Changing an IP address has nothing to do with this. It's logging attempts to log in, not attempts per IP address. You could use a different IP every time, and it still wouldn't matter.
    The primary problem with that is it can be used maliciously. Someone could simulate a brute-force attack against a legitimate member and lock them out.

I didn't know that. I've just tested it, and you are right. The user is blocked, and not the IP. This is strange... Why not IP block?
_________________
My Forum || My Blog
phpBB2 forever!
cherokee red, Board Member
Joined: 19 Nov 2008
Posts: 19
Location: Airdrie, UK
Posted: Sat Feb 14, 2009 5:46 pm
Post subject: Re: The end
IP blocking is useless these days. With the amount of proxy servers available and the number of people who use dynamic IPs, it causes more work for the administrator. Trust me when I say I know about this.
I will only block an IP if I can narrow it down to a very small range. More often I will go for username/email. It takes longer to create a new throw-away email than it does to shift IP.
_________________
phpBB MODs // My Music // Romance Designs :: coming soon
Former phpBB Moderator
Are you a musician in the Glasgow area interested in acoustic events? The ArtBox
drathbun, Board Member
Joined: 24 Jul 2008
Posts: 729
Location: Texas
Posted: Sun Feb 15, 2009 11:19 am
Post subject: Re: The end
If I block an IP address, I block it at the server level.
Basically you can block it at the application (phpBB2), at the web server (Apache), or at the operating system. The further back you go, the more efficient it is. Using the "iptables" command lets me drop any traffic (or requests for traffic) before it even hits Apache, much less phpBB.
_________________
phpBBDoctor Blog