Possible solution to brute force password hacking our member area's (code inside)

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • cat
    Registered User
    • Feb 2002
    • 493

    #51
    hi Boys,

    Boldy is ill, he soon will be back again.

    Comment

    • Backov
      Confirmed User
      • Mar 2001
      • 1600

      #52
      Originally posted by Dragon Curve


      Uhm, I'd like to see on their page where it says they use a database of proxies.
      http://www.proxypass.com/ppass.php?page=solutions

      Reading est good. Comprehending is better.
      <embed src="http://banners.spotbrokers.com/button.swf" FlashVars="clickURL=http://banners.spotbrokers.com" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="120" height="60"></embed>

      Comment

      • strainer
        Confirmed User
        • Oct 2002
        • 418

        #53
        Originally posted by Dragon Curve


        Note that that won't give you a 10%. For all you know you could get RandomValue equaling 10 every single time. Unlikely, but possible. Doesn't really matter tho.
        Actually it does work perfectly; I have tested it. Once seeded and started, a proper working random generator like this will indeed produce a 10 almost precisely 10% of the time.

        That doesn't mean that SOMETIMES you won't get 2 10's in a row, but after a million runs you will have 100,000 10's, evenly distributed across the bell curve.

        Comment

        • boldy
          Macdaddy coder
          • Feb 2002
          • 2806

          #54
          Nice stuff guys! Ill implement the 10% thingie to ...
          MacDaddy Coder.

          Comment

          • PxG
            Confirmed User
            • Feb 2002
            • 105

            #55
            Originally posted by Dragon Curve
            ProxyPass - doesn't sound like a very good idea to me. Obviously this will be checking for open 80/8080/1080 or what not ports on the incoming host. This poses many problems. For starters, clearly you need a timeout to verify the ports are open/closed. This will drastically slow down your response time for servers which I wouldn't consider a good thing AT ALL especially in this industry.

            Secondly, if it were just open ports, then that's a very poor method of checking if the server is an open proxy (I doubt it would be done like this). Some sort of verification (especially for port 80) would have to be done - again, taking x amount of time to do.

            "(4) Detection and denial of requests from multiple (non-proxy) IP addresses sending high numbers of unsuccessful authentication requests for the same username. This implies a distributed network attack."

            I would very much like to know how you could ever possibly hope to protect against something like that and not give users downtime.

            "In addition, the authentication portions of Apache were written in relatively poor manner. "

            I'd like to see info that could back that up =P

            There is no real protection against brute force attacks like this that I can see that will guarantee your users uptime.
            Please Get Educated about our product. Here's a link to oue technical FAQ:!
            http://www.proxypass.com/docs/proxypass_tech_faq.pdf



            Best regards,
            PxG
            Kill Password Hackers Now!
            Kill Hit-Botters Now!
            _____________________________

            Comment

            • boldy
              Macdaddy coder
              • Feb 2002
              • 2806

              #56
              For those who are interested i've add that 10% thingie to my 401.php

              http://www.kimhollandcash.com/401.txt

              MacDaddy Coder.

              Comment

              • goBigtime
                Confirmed User
                • Nov 2002
                • 7761

                #57
                For bruteforce protection/deterrance we use MemLogin
                (available from PaysitePowertools.com )

                and use Iprotect (an apache module) for password abuse - though iprotect doesn't help much against proxy based attacks.

                Memlogin basically hides the real members URL from everyone except you & your members. If you set things up properly you won't ever be bothered by bruteforce traffic spikes again =]
                Last edited by goBigtime; 12-08-2002, 02:14 AM.

                Comment

                • boldy
                  Macdaddy coder
                  • Feb 2002
                  • 2806

                  #58
                  *bruteforce night bump*
                  MacDaddy Coder.

                  Comment

                  Working...