[pmwiki-users] making brute force attacks more difficult #2

ThomasP pmwikidev at sigproc.de
Tue Aug 21 23:50:59 CDT 2007


Hello,

On Mon, August 20, 2007 21:26, Thomas Bley wrote:
> Code:
>
> // tb begin
> function getSessionIpAgent() {
>    $ip = "";
>    if (isset($_SERVER["REMOTE_ADDR"])) $ip .= $_SERVER["REMOTE_ADDR"];
>    if (isset($_SERVER["HTTP_CLIENT_IP"])) $ip .= $_SERVER["HTTP_CLIENT_IP"];
>    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) $ip .= $_SERVER["HTTP_X_FORWARDED_FOR"];
>    if (isset($_SERVER["HTTP_USER_AGENT"])) $ip .= $_SERVER["HTTP_USER_AGENT"];
>    return $ip;
> }
>
> function badLogin() {
>    $ipagent = sha1(getSessionIpAgent());
>    mkdirp('temp');
>    $ipfile = "temp/_$ipagent";
>    if (file_exists($ipfile) && filemtime($ipfile) < time()-7200) @unlink($ipfile);
>    if ($fp = fopen($ipfile,'a')) {
>      fwrite($fp,'1');
>      fclose($fp);
>    }
> }
> // tb end
>
> function SessionAuth($pagename, $auth = NULL) {
>    global $AuthId, $AuthList, $AuthPw;
>    static $called;
>
>    @$called++;
>    if (!$auth && ($called > 1 || !@$_REQUEST[session_name()])) return;
> ...

This looks like a modification to the core, which would need at least good
planning.

In any case: It is highly likely that I will implement a similar mechanism
soon in UserAuth2.

I would propose a rule like "not more than 100 login attempts per any 30-day
period from one IP", with both the limit and the duration adjustable.
(Even though the code for this would be slower, I guess it is worth it.)

Besides, I think to prevent distributed attacks effectively, it will also
be useful to raise (additionally) a similar fence on a "per-username"
basis, i.e. "not more than ... for one login username".

ThomasP
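The two-level throttle the reply proposes, written out as an added example; it is not PmWiki, UserAuth2 or either poster's code, and the storage directory, the limit and window values and the `demo` username are assumptions. It keys the per-IP counter on the socket peer address only, since the `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` headers used in the quoted code are supplied by the client unless a trusted proxy overwrites them.

```php
<?php
// Added example (not PmWiki/UserAuth2 code): sliding-window login throttle
// applied per client address and, separately, per login username.

function throttleKeyPath(string $dir, string $kind, string $value): string {
    // Hash the key so addresses and usernames never become raw file names.
    return rtrim($dir, '/') . '/' . $kind . '_' . sha1($value);
}

function loadAttempts(string $file, int $window, int $now): array {
    if (!is_file($file)) return [];
    $times = array_map('intval', file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
    // Keep only attempts still inside the window (sliding, not a fixed reset).
    return array_values(array_filter($times, fn($t) => $t > $now - $window));
}

function recordFailedLogin(string $dir, string $kind, string $value, int $window): void {
    $now = time();
    $file = throttleKeyPath($dir, $kind, $value);
    $times = loadAttempts($file, $window, $now);
    $times[] = $now;
    file_put_contents($file, implode("\n", $times) . "\n", LOCK_EX);
}

function isThrottled(string $dir, string $kind, string $value, int $limit, int $window): bool {
    $file = throttleKeyPath($dir, $kind, $value);
    return count(loadAttempts($file, $window, time())) >= $limit;
}

// Policy from the thread: 100 attempts per 30 days, both adjustable.
$dir = sys_get_temp_dir() . '/login_throttle';   // assumed location
if (!is_dir($dir)) mkdir($dir, 0700, true);
$limit  = 100;
$window = 30 * 24 * 3600;

// Only REMOTE_ADDR is used as the address key: forwarded-for style headers
// are client-controlled and would let a caller pick its own counter.
$ip   = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
$user = 'demo';   // constructed; take this from the login form in real use

if (isThrottled($dir, 'ip', $ip, $limit, $window)
    || isThrottled($dir, 'user', $user, $limit, $window)) {
    http_response_code(429);
    exit("Too many failed logins; try again later.\n");
}
// ... after the password check fails, count the attempt on both keys:
recordFailedLogin($dir, 'ip', $ip, $window);
recordFailedLogin($dir, 'user', $user, $window);
```

Because expired timestamps are dropped on every read and rewrite, a key stops being throttled once enough old attempts age out of the window, whereas the quoted code only forgets a counter file that has gone untouched for two hours.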
