Security Module Password attack

Hi to all,

Is there any information about whether the security module in SC8 has any protection against a “password retry attack” other than the CAPTCHA?
I mean, if the CAPTCHA is not activated and someone tries wrong passwords many, many times, can he/she go on trying?

Thanks,
caga

[QUOTE=cagabit;30097]Hi to all,

Is there any information about whether the security module in SC8 has any protection against a “password retry attack” other than the CAPTCHA?
I mean, if the CAPTCHA is not activated and someone tries wrong passwords many, many times, can he/she go on trying?

Thanks,
caga[/QUOTE]

I am sure it wouldn’t be too hard.

Add a field to the user table for bad logins, and in the onValidate failure increase the number on each failure.

Reset it to zero on an onValidate success.

When the count of bad passwords reaches your limit, just set the account to inactive.

Kev

Well, the general answer is no, but you can change any generated module to meet your specs.

My approach is a bit different.

I maintain a table of failed attempts that contains a timestamp and the IP address of the client. (Always use $_SERVER['REMOTE_ADDR'], never $_SERVER['HTTP_CLIENT_IP'].)
When the number of failed attempts within a (configurable) period exceeds the (configurable) maximum, my login app issues a shell_exec() to Linux to block the IP address in iptables (the Linux firewall).

In my experience, when somebody is trying to hack, they try several different userIDs, so tracking failed attempts by userID alone is futile and ends up blocking too many legitimate users. It is much more appropriate to block an IP address that is perhaps trying many userID-password combinations.

If you want more specific details on how to do this, let me know and I will give more details.

Dave

Thank you, Kdriscoll, very good roadmap, will try.

That’s a nice approach indeed. We are running on a Windows configuration, so I’ll look whether there are similar possibilities. A programmatic way would be to use the fact that hackers make their attempts within a short period of time. So besides the logon attempts, it’s pretty easy to count the failed IP addresses. Then you can make a blacklist within your SC application.
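As an added example (not ScriptCase code, nor code from anyone in this thread), here is the per-IP failed-attempt table with a time window that Dave and the previous post describe, ending in an application-level blacklist rather than an iptables call so it works on Windows too. The table names, the 10-minute window and the limit of 5 are assumptions; the hook points are where a ScriptCase login app's onValidate failure/success would call these functions.

```php
<?php
declare(strict_types=1);

// Open (or create) the two tables: one row per failed attempt, one row per blocked address.
// SQLite in memory here so the example runs stand-alone; any PDO DSN works.
function openAttemptStore(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS failed_login (ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    $db->exec('CREATE TABLE IF NOT EXISTS blocked_ip (ip TEXT PRIMARY KEY, blocked_at INTEGER NOT NULL)');
    return $db;
}

// Call from the onValidate failure branch. Records the failure and returns true
// when this address has reached $maxAttempts failures inside $windowSeconds.
function recordFailure(PDO $db, string $ip, int $now, int $windowSeconds, int $maxAttempts): bool {
    $db->prepare('INSERT INTO failed_login (ip, attempted_at) VALUES (:ip, :t)')
       ->execute([':ip' => $ip, ':t' => $now]);

    // Attempts older than the window no longer count, so purge them.
    $cutoff = $now - $windowSeconds;
    $db->prepare('DELETE FROM failed_login WHERE attempted_at < :cutoff')->execute([':cutoff' => $cutoff]);

    $cnt = $db->prepare('SELECT COUNT(*) FROM failed_login WHERE ip = :ip AND attempted_at >= :cutoff');
    $cnt->execute([':ip' => $ip, ':cutoff' => $cutoff]);
    if ((int) $cnt->fetchColumn() >= $maxAttempts) {
        $db->prepare('INSERT OR REPLACE INTO blocked_ip (ip, blocked_at) VALUES (:ip, :t)')
           ->execute([':ip' => $ip, ':t' => $now]);
        return true;
    }
    return false;
}

// Call before checking credentials at all, with $_SERVER['REMOTE_ADDR'] as $ip.
function isBlocked(PDO $db, string $ip): bool {
    $q = $db->prepare('SELECT 1 FROM blocked_ip WHERE ip = :ip');
    $q->execute([':ip' => $ip]);
    return $q->fetchColumn() !== false;
}

// Constructed walk-through: five failures 30 seconds apart from one documentation address.
$db = openAttemptStore();
$ip = '203.0.113.7';
$t0 = 1700000000;
$blocked = false;
for ($i = 0; $i < 5; $i++) {
    $blocked = recordFailure($db, $ip, $t0 + $i * 30, 600, 5);
}
var_dump($blocked, isBlocked($db, $ip));
```

Clients behind a shared NAT or proxy present one address, so keep the window short and give an administrator a way to clear rows from blocked_ip.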