Security Module Password attack


  • Security Module Password attack

    Hi to all,

    Is there any information about whether the security module in SC8 has any protection against a "password retry attack" other than the CAPTCHA?
    I mean, if the CAPTCHA is not activated and someone tries a wrong password many, many times, can he/she go on trying?

    Thanks,
    caga

  • #2
    Originally posted by cagabit:
    Hi to all,

    Is there any information about whether the security module in SC8 has any protection against a "password retry attack" other than the CAPTCHA?
    I mean, if the CAPTCHA is not activated and someone tries a wrong password many, many times, can he/she go on trying?

    Thanks,
    caga
    I am sure it wouldn't be too hard.

    Add a field to the user table for bad logins, and in the onValidate failure event increase the number on each failure.

    Reset it to zero on an onValidate success.

    When the count of bad passwords reaches your limit, just set the account to inactive.

    Kev

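Kev's per-user counter written out in PHP, as an added example that is not code from this thread or from ScriptCase. It assumes a `users` table with `login`, `failed_logins` and `active` columns, talks to the database through plain PDO instead of the sc_lookup()/sc_exec_sql() macros so that it runs stand-alone, and uses an arbitrary limit of five; the three functions map onto the onValidate, onValidate failure and onValidate success events Kev refers to.

```php
<?php
// Added example, not ScriptCase code: per-user failed-login counter.
// Assumptions: a `users` table (login, failed_logins, active), plain PDO,
// and a constructed limit of 5 bad passwords.

const MAX_FAILED_LOGINS = 5;

// In-memory SQLite with constructed sample users so the script runs offline.
function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        login         TEXT PRIMARY KEY,
        failed_logins INTEGER NOT NULL DEFAULT 0,
        active        INTEGER NOT NULL DEFAULT 1)');
    $db->exec("INSERT INTO users (login) VALUES ('alice'), ('bob')");
    return $db;
}

// Call at the start of onValidate, before the password is compared:
// a deactivated account must fail even when the password is right.
function isActive(PDO $db, string $login): bool
{
    $stmt = $db->prepare('SELECT active FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $active = $stmt->fetchColumn();
    return $active !== false && (int) $active === 1;
}

// Call from the onValidate failure event. Both the increment and the
// deactivation happen inside SQL, so two concurrent bad logins cannot both
// read "4" and both write "5". Returns whether the account is still active.
function recordFailure(PDO $db, string $login): bool
{
    $stmt = $db->prepare('UPDATE users SET failed_logins = failed_logins + 1
                          WHERE login = :login');
    $stmt->execute([':login' => $login]);

    $stmt = $db->prepare('UPDATE users SET active = 0
                          WHERE login = :login AND failed_logins >= :max');
    $stmt->bindValue(':login', $login);
    $stmt->bindValue(':max', MAX_FAILED_LOGINS, PDO::PARAM_INT);
    $stmt->execute();

    return isActive($db, $login);
}

// Call from the onValidate success event: a correct password resets the count.
function recordSuccess(PDO $db, string $login): void
{
    $stmt = $db->prepare('UPDATE users SET failed_logins = 0 WHERE login = :login');
    $stmt->execute([':login' => $login]);
}

// Demo run with constructed data: four bad passwords leave alice active,
// the fifth deactivates her; bob is untouched.
$db = setupDemoDb();
for ($i = 1; $i <= MAX_FAILED_LOGINS; $i++) {
    $stillActive = recordFailure($db, 'alice');
    printf("attempt %d: alice is %s\n", $i, $stillActive ? 'active' : 'locked');
}
recordSuccess($db, 'bob');
printf("bob active: %s\n", isActive($db, 'bob') ? 'yes' : 'no');
```

Two things to keep in mind when wiring this in: isActive() has to run before the password check, otherwise an inactive account still logs in with the right password, and an UPDATE on a login that does not exist simply touches zero rows, so unknown user names are not counted anywhere (see the per-address approach later in the thread for that case).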


    • #3
      Well, the general answer is no, but you can change any generated module to meet your specs.
      Albert Drent
      aducom software netherlands
      scriptcase partner, reseller, support and (turn-key) development
      www.scriptcase.eu / www.scriptcase.nl



      • #4
        My approach is a bit different.

        I maintain a table of failed attempts that contains a timestamp and the IP address of the client. (Always use $_SERVER['REMOTE_ADDR'], never use $_SERVER['HTTP_CLIENT_IP'].)
        When the number of failed attempts within a (configurable) period exceeds the (configurable) maximum, my login app issues a shell_exec() to Linux to block the IP address in iptables (the Linux firewall).

        In my experience, when somebody is trying to hack, they try several different user IDs, so tracking failed attempts by user ID alone is futile and ends up blocking too many legitimate users. It is much more appropriate to block an IP address that is perhaps trying many user ID/password combinations.

        If you want more specific details on how to do this, let me know and I will give more details.

        Dave
        Last edited by daveprue; 12-08-2014, 04:30 AM.
        Dave Prue
        Code Whisperer
        Lahar International Corp
        www.lahar.net



        • #5
          Thank you Kdriscoll, very good roadmap, will try.



          • #6
            That's a nice approach indeed. We are running on a Windows configuration, so I'll look into whether there are similar possibilities. A programmatic way would be that hackers will make attempts within a short period of time. So besides the logon attempts, it's pretty easy to count the failed IP addresses. Then you can make a blacklist within your SC application.
            Albert Drent
            aducom software netherlands
            scriptcase partner, reseller, support and (turn-key) development
            www.scriptcase.eu / www.scriptcase.nl

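Dave's per-address sliding window (post #4) and the in-application blacklist Albert suggests for a Windows host (post #6), combined into one added example that is not code from this thread, from Lahar or from ScriptCase. The table names, the 600-second window, the maximum of 10 attempts and the sample addresses are all assumptions made for the demo; shell_exec() is deliberately not called, the last function only builds the iptables command so the script runs on any machine.

```php
<?php
// Added example, not ScriptCase or Lahar code: failed logins counted per
// client address inside a sliding window, with an application-level blacklist.
// Constructed assumptions: table names, 600 s window, 10 attempts, addresses.

const FAIL_WINDOW_SECONDS = 600; // configurable period
const FAIL_MAX_ATTEMPTS   = 10;  // configurable maximum inside that period

function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE failed_attempts (ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX failed_attempts_ip_ts ON failed_attempts (ip, attempted_at)');
    $db->exec('CREATE TABLE ip_blacklist (ip TEXT PRIMARY KEY, blocked_at INTEGER NOT NULL)');
    return $db;
}

// REMOTE_ADDR is the peer the web server actually accepted the connection from.
// HTTP_CLIENT_IP and X-Forwarded-For are request headers the client can set
// freely, so counting by them lets an attacker dodge the limit or get someone
// else blocked. Behind a reverse proxy, honour its forwarded header only when
// REMOTE_ADDR is the proxy itself.
function clientIp(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}

// Check this at the start of onValidate and refuse the login if true.
function isBlacklisted(PDO $db, string $ip): bool
{
    $stmt = $db->prepare('SELECT 1 FROM ip_blacklist WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

// Call from the onValidate failure event: store the attempt, count the
// attempts from this address inside the window, blacklist it once the maximum
// is exceeded. Returns the number of attempts currently inside the window.
function recordFailedAttempt(PDO $db, string $ip, int $now): int
{
    $stmt = $db->prepare('INSERT INTO failed_attempts (ip, attempted_at) VALUES (:ip, :ts)');
    $stmt->bindValue(':ip', $ip);
    $stmt->bindValue(':ts', $now, PDO::PARAM_INT);
    $stmt->execute();

    $stmt = $db->prepare('SELECT COUNT(*) FROM failed_attempts
                          WHERE ip = :ip AND attempted_at > :since');
    $stmt->bindValue(':ip', $ip);
    $stmt->bindValue(':since', $now - FAIL_WINDOW_SECONDS, PDO::PARAM_INT);
    $stmt->execute();
    $count = (int) $stmt->fetchColumn();

    if ($count > FAIL_MAX_ATTEMPTS) {
        $stmt = $db->prepare('INSERT OR IGNORE INTO ip_blacklist (ip, blocked_at) VALUES (:ip, :ts)');
        $stmt->bindValue(':ip', $ip);
        $stmt->bindValue(':ts', $now, PDO::PARAM_INT);
        $stmt->execute();
    }
    return $count;
}

// Rows older than the window never count again; prune them periodically.
function pruneOldAttempts(PDO $db, int $now): void
{
    $stmt = $db->prepare('DELETE FROM failed_attempts WHERE attempted_at <= :since');
    $stmt->bindValue(':since', $now - FAIL_WINDOW_SECONDS, PDO::PARAM_INT);
    $stmt->execute();
}

// The iptables variant: build the command Dave's shell_exec() would run. The
// address is validated and quoted so only an IPv4 literal can reach the shell
// (IPv6 needs ip6tables). The web server account must be allowed to run exactly
// this command, e.g. through a narrow sudoers entry; this demo only prints it.
function iptablesBlockCommand(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return 'iptables -I INPUT -s ' . escapeshellarg($ip) . ' -j DROP';
}

// Demo run with constructed data: one address hammers the login, a second one
// fails twice, and the window expiry is shown by moving the clock forward.
$db = setupDemoDb();
$now = 1700000000;
$attacker = '203.0.113.7';  // TEST-NET-3, constructed
$user     = '198.51.100.4'; // TEST-NET-2, constructed
for ($i = 0; $i <= FAIL_MAX_ATTEMPTS; $i++) {
    recordFailedAttempt($db, $attacker, $now + $i);
}
recordFailedAttempt($db, $user, $now);
recordFailedAttempt($db, $user, $now + 1);
printf("attacker blacklisted: %s\n", isBlacklisted($db, $attacker) ? 'yes' : 'no');
printf("user blacklisted: %s\n", isBlacklisted($db, $user) ? 'yes' : 'no');
printf("user attempts in window an hour later: %d\n", recordFailedAttempt($db, $user, $now + 3600));
echo iptablesBlockCommand($attacker), "\n";
```

On a Windows host the same two tables work unchanged: either stop at the blacklist table and check isBlacklisted() in onValidate, or replace iptablesBlockCommand() with the equivalent `netsh advfirewall` rule. Whichever firewall is used, keep the address validation and the quoting: the only thing that should ever reach the shell is a literal IP address.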