SitePoint Sponsor

User Tag List

Results 1 to 4 of 4
  1. #1
    SitePoint Enthusiast Ckeren's Avatar
    Join Date
    Jun 2001
    Location
    AU
    Posts
    98
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Can PHP prevent brute force attack?

    Trying to find out if you guys know how to write in php code to prevent the brute force attack(something to deal with ip address I believe and a bit configuration on httpd.conf).
    Last edited by Ckeren; Jun 26, 2001 at 09:23.

  2. #2
    SitePoint Enthusiast Jack@dwd.com's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    60
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You mean people HTTP requesting your server about 2 million times in 20 minutes or something stupid like that (DoS)? Or just direct password hacking?

    First one is impossible to defend against, there are massive networks of 'l33t-hax0rs' who run little programs that receive info and spam individual servers with pings. With say 1000 people on different IPs this can bring your server down in minutes. I believe amazon.com and yahoo.com were both forced to close down last year temporarily because of these kind of organised attacks.

    Second one What kind of authentication are you using? You may be able to set a session variable which counts up to a maximum of 5 and then says "Sorry, you may not attempt to logon again in this session". If your not familiar with PHP i'm sure some good person will write the code out for you in a minute

  3. #3
    SitePoint Member
    Join Date
    Jun 2001
    Location
    CA
    Posts
    9
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    function protect(){
    global $REMOTE_ADDR;
    $time_limit = 10; // seconds
    $check = mysql_query("SELECT * FROM protect WHERE id='0'");
    $check_ip = mysql_fetch_array($check);
    if(($check_ip[ip] == $REMOTE_ADDR) && ((time() - $check_ip[time]) < $time_limit)){
    echo"You must wait $time_limit seconds before trying again.";
    return 0;
    } else{
    return 1;
    }
    }

    Then each time they do somthing that you want to track:

    $time = time();
    $change_protect = mysql_query("UPDATE protect SET ip='$REMOTE_ADDR', time='$time' WHERE id='0'");

    With the table

    CREATE TABLE protect (
    id tinyint(4) DEFAULT '0' NOT NULL,
    ip varchar(255) NOT NULL,
    time int(11) DEFAULT '0' NOT NULL
    );

    And you can change that so they only have x number of times before it blocks their class A IP block, or nuke em with somthing like browser crashes. Ya know, have fun with em.
    Last edited by Ripped_Edge; Jun 26, 2001 at 16:09.
    Ripped_Edge
    ripped_edge@hotmail.com
    http://www.452productions.com
    World Domination on a Global Scale (TM)

  4. #4
    SitePoint Enthusiast Ckeren's Avatar
    Join Date
    Jun 2001
    Location
    AU
    Posts
    98
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well right now DOS(denial of service) can be prevented and it is possible. But what I mean for brute force attack is actually a person deliberately trying to enter username and password for accessing the protected directory, using kind of hacker software which could generate thousands of fake username and password, check if it match with the one in your password database.

    The method has better chance of accessing the protected directory if the password database has thousands of username.

    This will result server idleness or even makes your server very slow in responding. And on top of that it will actually eat up your bandwidth end up for some people in bankruptcy(Can't afford to pay $$$$$ of bandwidth expenses).

    Authentication.
    What I'm trying now is actually dealing with .htaccess and instead gets the list of users in the old way which is txt document the new attempt is actually have my .htaccess deal with MySQL which is faster for accessing data and quicker in execution time(Thanx to MySQL for such a nice and free software).

    Wish newer version of apache has this kind of functionality by default.

    About the brute force attack. What I want is actually each user has lets say 5 grace logins once they exceed its limit then block this user ip address and prevent it from further try. The php will be able to deal with htaccess and give the negative response to (I dont really know where) so that the server will forbid the login attampt by the user ip address
    That's what my pseudo code after all.

    Now the problem is how to implement it in very efficient way.

    Ripped_Edge
    Thanx for your splendid piece of code you've written there.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •