Best brute force protection in PHP

  #1 TacMaf (SitePoint Guru, Manchester, United Kingdom, joined Dec 2005):

    Hi,

    I'm adding brute force protection to a website and was trying to decide on the best way. Realistically, blocking the IP for 30 mins may not be the way as the system is for an entire office and they would all be blocked.

    As an alternative, I was thinking of locking a particular account following 3 failed login attempts.

    Would this be effective? My thinking is a dictionary attack may stumble upon a correct username, but the likelihood of the correct password being found in 3 attempts is slim to say the least.

    Has anyone had much experience with this, or could recommend a better option?

    Cheers,
    Rhys

  #2 TacMaf (SitePoint Guru, Manchester, United Kingdom, joined Dec 2005):
    Alternatively I could add reCaptcha to the form after 3 unsuccessful attempts? This wouldn't bother the office so much.

  #3 Cups (SitePoint Wizard, France, deep rural, joined Oct 2006):
    So is this a publicly available website which has a password protected admin area, or is this on an intranet?

  #4 TacMaf (SitePoint Guru, Manchester, United Kingdom, joined Dec 2005):
    It was an intranet, but it has been asked to be put online so it can be accessed elsewhere; it is for company employees only.

  #5 StarLion (Keeper of the SFL, Atlanta, GA, USA, joined Feb 2006):
    If your company is relying on PHP to secure their systems, they need help. VPN would be a better solution...
    That said:

    A combination of systems may be better - use a blacklist for IPs (accompanied by a whitelist of 'do not block' for the company's internal IPs) based on account-name guessing (along with an alarm system), and a lockdown on a given account failing the password check X times.

    Can't hurt to have two layers of protection if you're going to open your company's data.

  #6 Cups (SitePoint Wizard, France, deep rural, joined Oct 2006):
    Will you be asked to make access amenable to those logging in via mobile devices?

  #7 SitePoint Member (India, joined Aug 2011):
    Maybe I am thinking all wrong, but sending a cookie to the offending m/c will let you identify that fellow (and stop him or whatever) even if they are using the same IP.
    Blocking usernames (after 3 attempts) does not seem like an appropriate solution, as the offender will have the power to deliberately try other people's IDs and lock them.
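
    The following is an added example, not code posted by anyone in this thread. It combines the ideas raised so far: the 30 minute window and per-account threshold from post #1, the "require a CAPTCHA after 3 failures" idea from post #2, the IP blacklist with an office whitelist and a username-guessing alarm from post #5, and post #7's objection that a hard account lock lets an outsider lock colleagues out (so the account threshold here only forces a CAPTCHA rather than locking the account). Everything below is assumed for illustration: the table name, the thresholds, the office range (an RFC 5737 documentation prefix), and the use of SQLite through PDO (in memory so the example runs stand-alone; it needs the pdo_sqlite extension).

```php
<?php
// Added example (not from the thread): a login throttle combining IP blocking
// with an office whitelist, a per-account CAPTCHA requirement instead of a hard
// lock, and an alarm for username guessing. Table name, thresholds and the
// office network range are placeholders chosen for this illustration.

final class LoginThrottle
{
    private const WINDOW_SECONDS     = 1800; // 30 minutes, the window used in the thread
    private const ACCOUNT_CAPTCHA    = 3;    // failures per account before a CAPTCHA is required
    private const IP_BLOCK           = 20;   // failures per IP before the IP is blocked
    private const UNKNOWN_USER_ALARM = 10;   // failures against non-existent usernames -> alarm

    private PDO $db;
    /** @var string[] IPv4 CIDR ranges that are never IP-blocked (the office) */
    private array $whitelist;

    public function __construct(PDO $db, array $whitelist)
    {
        $this->db = $db;
        $this->whitelist = $whitelist;
        $this->db->exec('CREATE TABLE IF NOT EXISTS login_failures (
            ts INTEGER NOT NULL, ip TEXT NOT NULL, username TEXT NOT NULL, known_user INTEGER NOT NULL)');
    }

    /** Record one failed attempt; $knownUser says whether the username exists. */
    public function recordFailure(string $ip, string $username, bool $knownUser): void
    {
        $st = $this->db->prepare('INSERT INTO login_failures (ts, ip, username, known_user) VALUES (?, ?, ?, ?)');
        $st->execute([time(), $ip, strtolower($username), $knownUser ? 1 : 0]);
    }

    /** Reset the per-account counter after a successful login. */
    public function recordSuccess(string $username): void
    {
        $st = $this->db->prepare('DELETE FROM login_failures WHERE username = ?');
        $st->execute([strtolower($username)]);
    }

    /** Is this IP blocked? Whitelisted (office) addresses are never blocked. */
    public function ipBlocked(string $ip): bool
    {
        foreach ($this->whitelist as $cidr) {
            if (self::inCidr($ip, $cidr)) {
                return false;
            }
        }
        return $this->count('ip = ?', [$ip]) >= self::IP_BLOCK;
    }

    /**
     * Instead of locking the account (which would let an attacker lock colleagues
     * out, the objection in post #7), require a CAPTCHA for further attempts on it.
     */
    public function captchaRequired(string $username): bool
    {
        return $this->count('username = ?', [strtolower($username)]) >= self::ACCOUNT_CAPTCHA;
    }

    /** Username-guessing alarm (post #5): many failures for names that do not exist. */
    public function alarm(string $ip): bool
    {
        return $this->count('ip = ? AND known_user = 0', [$ip]) >= self::UNKNOWN_USER_ALARM;
    }

    /** $where is only ever one of the fixed fragments above; user data goes through parameters. */
    private function count(string $where, array $params): int
    {
        $st = $this->db->prepare("SELECT COUNT(*) FROM login_failures WHERE ts > ? AND $where");
        $st->execute(array_merge([time() - self::WINDOW_SECONDS], $params));
        return (int) $st->fetchColumn();
    }

    /** IPv4 CIDR match, e.g. inCidr('192.0.2.17', '192.0.2.0/24') === true. */
    private static function inCidr(string $ip, string $cidr): bool
    {
        [$net, $bits] = explode('/', $cidr) + [1 => '32'];
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
        return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
    }
}

// Demo with constructed data: 192.0.2.0/24 stands in for the office, 198.51.100.9 for an outside host.
$throttle = new LoginThrottle(new PDO('sqlite::memory:'), ['192.0.2.0/24']);
for ($i = 0; $i < 3; $i++) {
    $throttle->recordFailure('192.0.2.17', 'alice', true);    // a colleague mistyping in the office
}
for ($i = 0; $i < 25; $i++) {
    $throttle->recordFailure('198.51.100.9', "user$i", false); // outside host guessing usernames
}
var_dump($throttle->captchaRequired('alice'));  // true: the account gets a CAPTCHA, not a lock
var_dump($throttle->ipBlocked('192.0.2.17'));   // false: the office range is whitelisted
var_dump($throttle->ipBlocked('198.51.100.9')); // true: 25 failures from outside within 30 minutes
var_dump($throttle->alarm('198.51.100.9'));     // true: worth an alert to whoever watches the logs
```

    The whitelist means a whole office behind one NAT address is never blocked as a group (the concern in post #1), while the per-account CAPTCHA still slows guessing against any single account from inside or outside. The `known_user` flag is internal only; the login form should give the same error for a wrong username and a wrong password, so the alarm does not leak which accounts exist.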

  #8 TacMaf (SitePoint Guru, Manchester, United Kingdom, joined Dec 2005):
    Thanks for the replies. I didn't build the systems, but they have been designed for online usage so the company can take an iPad to a meeting with a client and access all info there. I found a ridiculous level of security: passwords weren't even encrypted and file uploads were online, so navigating to them would give you access.
    So far I've encrypted passwords and moved all file uploads outside the htdocs directory, with a forced download for them if the user is logged in. Then I added brute force protection to block an IP for 30 mins after 3 failed attempts. VPN is required to use FTP or MySQL (or root access to the server). Still plenty to do before I let it go live, I think.
    I think the white/blacklist is a good idea, and the alarm system, probably built into the brute force system. I would personally prefer it to be hosted on their local servers and accessed via remote access when out and about. Oh, and SSL is a big yes. No skimping there.
    I think forcing a password change every 30 days is a requirement too.

    In terms of the user being logged in, I remember years ago there was a way of "stealing" a user's session using a gif file? I think I got round it with
    PHP Code:
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); 
    It was many years ago so I'm not sure how good this would be now.

    A few things to get through yet.

    Cheers,
    Rhys
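
    An added example (not code from the thread or from Rhys) showing the user-agent binding from post #8 alongside the session and password handling PHP offers natively today. The user-agent check stays as a secondary signal only: the header is chosen by the client, so a session that has been copied from the same browser passes it. What actually stops session fixation and cookie theft is regenerating the session ID at login, issuing the cookie as Secure and HttpOnly, and hashing passwords with `password_hash()` rather than a reversible encryption. The `$users` array stands in for the database lookup and the 8 hour session lifetime is an assumed value.

```php
<?php
// Added example (not from the thread): a login path that binds the session to the
// User-Agent as post #8 describes, plus session regeneration, hardened cookie
// flags and password_hash()/password_verify(). $users is a constructed stand-in
// for the account table; hashes would be created with password_hash() at signup.
$users = [
    'rhys' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over SSL, as post #8 insists on
        'httponly' => true,     // page scripts cannot read the cookie
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
    session_start();
}

function login(array $users, string $username, string $password, string $userAgent): bool
{
    // Verify against a fixed dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $users[$username] ?? null;
    $ok = password_verify($password, $hash ?? $dummy) && $hash !== null;
    if (!$ok) {
        return false;
    }
    session_regenerate_id(true);                       // new ID at login: defeats session fixation
    $_SESSION['user']    = $username;
    $_SESSION['ua']      = hash('sha256', $userAgent); // modern equivalent of post #8's md5()
    $_SESSION['created'] = time();
    return true;
}

function sessionValid(string $userAgent): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (!hash_equals($_SESSION['ua'], hash('sha256', $userAgent))) {
        return false; // User-Agent changed mid-session: force a fresh login
    }
    if (time() - $_SESSION['created'] > 8 * 3600) {
        return false; // absolute lifetime (assumed 8 hours, one working day)
    }
    return true;
}

// Demo with a constructed User-Agent string; results are collected first so no
// output is sent before session_regenerate_id() runs.
startHardenedSession();
$ua = 'Mozilla/5.0 (constructed user agent for the example)';
$results = [
    'wrong password'   => login($users, 'rhys', 'wrong password', $ua),                // false
    'unknown user'     => login($users, 'nobody', 'correct horse battery staple', $ua), // false
    'correct password' => login($users, 'rhys', 'correct horse battery staple', $ua),   // true
    'same browser'     => sessionValid($ua),                                            // true
    'other browser'    => sessionValid('Mozilla/5.0 (a different browser)'),            // false
];
var_dump($results);
```

    `hash_equals()` compares the two digests in constant time, and the created timestamp gives the session an absolute lifetime independent of how often the user clicks around. A `.gif` that plants or reads a session cookie is only a problem if the cookie is reachable from page content, which is what the HttpOnly flag and keeping the application behind SSL address.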
