in reply to Password hacker killer

You can set a limit on the failed attempts coming from the same IP for a given user name. Say that after three failed attempts in the same 10 minutes, login attempts for the given username from the same IP are rejected for one hour. This way a legitimate user would only be hurt if he made a mistake on his own password several times in a row, and an attacker wouldn't be able to DoS a user unless he were also able to spoof the user's IP address.

Cheers

Antonio

The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket

Re: Re: Password hacker killer
by DrHyde (Prior) on Sep 07, 2003 at 20:20 UTC
    It's for this task that I wrote Tie::Scalar::Decay, which implements scalars whose values change over time. For each failed attempt, I would increment a scalar. Every N amount of time the value would decrease by F. But if the value went above a particular value, I would assume an attack was underway and take action. Those options can be tweaked so that a real user who's forgotten his password won't be locked out, but an automated password-guessing bot will be locked out.

    Depending on your implementation, you may be able to use this module, but if you can't, then the basic idea of it is simple and should be easy to implement some other way. If you do have to reimplement it, I'd be glad to help or to accept suggestions or patches.
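A decaying per-(IP, username) failure counter of the kind both replies describe (Antonio's three-strikes, one-hour lockout keyed on IP plus username, and DrHyde's counter that loses F every N seconds), written here in Python as an added example; it is not Tie::Scalar::Decay and not code from either poster, and the clock is injectable only so the timing can be checked deterministically.

```python
import time
from typing import Callable, Dict, Tuple

Key = Tuple[str, str]  # (client IP, username): lock per IP+user, never per user alone


class LoginThrottle:
    """Failure counter per (ip, user) that decays over time and locks once it crosses a threshold."""

    def __init__(self, threshold: int = 3, decay_interval: float = 600.0,
                 decay_amount: float = 1.0, lockout: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.threshold = threshold          # failures that trigger a lockout
        self.decay_interval = decay_interval  # N: seconds between decay ticks
        self.decay_amount = decay_amount    # F: how much the counter drops per tick
        self.lockout = lockout              # seconds the (ip, user) pair stays rejected
        self.clock = clock                  # injectable so behaviour can be tested deterministically
        self._counters: Dict[Key, Tuple[float, float]] = {}  # key -> (value, last tick time)
        self._locked_until: Dict[Key, float] = {}

    def _decayed(self, key: Key, now: float) -> Tuple[float, float]:
        """Apply the decay ticks that elapsed since the counter was last tick-aligned."""
        value, aligned = self._counters.get(key, (0.0, now))
        ticks = int((now - aligned) // self.decay_interval)
        value = max(0.0, value - ticks * self.decay_amount)
        return value, aligned + ticks * self.decay_interval

    def is_locked(self, ip: str, user: str) -> bool:
        key, now = (ip, user), self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]   # lockout expired: start again from a clean counter
        self._counters.pop(key, None)
        return False

    def record_failure(self, ip: str, user: str) -> bool:
        """Count one failed login; return True if this failure triggered a lockout."""
        key, now = (ip, user), self.clock()
        value, aligned = self._decayed(key, now)
        value += 1
        self._counters[key] = (value, aligned)
        if value >= self.threshold:
            self._locked_until[key] = now + self.lockout
            return True
        return False
```

Because the decay ticks run on their own schedule rather than restarting on each failure, a user who mistypes once and comes back later starts from a reduced counter, while a bot guessing steadily keeps pushing it up.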