.htaccess alternative

#1  02-10-2003, 05:16 PM
cafeaulait (Confirmed User; Join Date: Jun 2002; Posts: 587)

Is there anything else better than .htaccess and a .htpasswd file?

I just got nine Pennywize blocked accounts in the last hour; that's over 40 breached accounts in the last 3 weeks!

I use forced random passwords so they can't be brute forcing; I just don't know how they are doing it!

Bastards are killing me!

#2  02-10-2003, 05:19 PM
Jimbo (Confirmed User; Location: Montreal; Join Date: Oct 2001; Posts: 3,989)
Make a login/pass form with a random verification code in a GIF file, generated on each load by PHP or another language.

I dunno if it has ever been done for paysites, but it would work to discourage password crackers.
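The form-plus-image check Jimbo describes, as an added Python example (not code from the thread or from any paysite or billing software). Drawing the code into a GIF (GD, PIL or similar) is left out; the part shown is the one that decides whether the check adds anything: the expected code stays server-side under a random challenge id, is never placed in the form or in a signed field an attacker could grind offline, expires, and is consumed on first use. The alphabet, code length and 300-second lifetime are choices made for this example.

```python
import secrets
import time

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: ambiguous in a rendered image
CODE_LENGTH = 6
TTL_SECONDS = 300


class ChallengeStore:
    """Keeps outstanding image codes server-side, keyed by a random challenge id.

    The form only ever carries the id. Putting the code (or an HMAC of it) in the
    page would let an attacker skip the image: 32**6 candidates is trivial to grind
    offline against a tag. Stored server-side, a code can only be tested by
    submitting the form, which the site's login throttling already rate-limits.
    """

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the expiry path can be tested
        self._pending = {}          # challenge_id -> (code, expires_at)

    def issue(self):
        """One fresh code per page load. Returns (challenge_id, code): the code is
        drawn into the GIF (rendering not shown here), the id goes in a hidden field."""
        now = self.clock()
        self._expire(now)
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (code, now + TTL_SECONDS)
        return challenge_id, code

    def verify(self, challenge_id, answer):
        """Check the surfer's answer against the stored code. The challenge is consumed
        whether the answer was right or wrong, so one image cannot be guessed at
        repeatedly, nor replayed after it has been solved."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self.clock() > expires_at:
            return False
        answer = answer.strip().upper()
        if not answer.isascii():
            return False            # compare_digest only accepts ASCII strings
        return secrets.compare_digest(code, answer)

    def _expire(self, now):
        """Drop challenges nobody answered, so the table cannot grow without bound."""
        for cid, (_, expires_at) in list(self._pending.items()):
            if now > expires_at:
                del self._pending[cid]

    def pending(self):
        return len(self._pending)
```

On a real site the `_pending` table lives in the database next to the session, with the same expiry sweep; the logic does not change.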
#3  02-10-2003, 05:22 PM
NetRodent (Confirmed User; Location: In the walls of your house; Join Date: Jan 2002; Posts: 3,985)
We use a token-based authentication system based on Perl accessing a MySQL database. Brute force attacks are hard to carry off on our system, although sometimes they do get lucky.

If an individual IP address has too many login attempts in a given period of time, that IP is blocked temporarily. If a given username has too many login attempts in a given period of time, that username is blocked temporarily. Only one person can be logged in to the site at a time; if another person logs in, the first person is logged out. If there are too many different IP address ranges on a username, the password is changed and the owner is notified by email.

We've thought about making the surfer enter a code with their login from a graphic (a la PayPal / Overture / etc.) but we haven't done that yet. There's a lot you can do, but it takes a bit of custom coding.
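The four rules NetRodent lists, worked through as an added Python example; this is not NetRodent's Perl code or anything from the thread, and the thresholds (attempts per window, block length, number of /24 ranges) are illustrative values chosen here. The point worth seeing in code is the ordering: the per-IP and per-username counters are updated and checked before the password is looked at, so a correct guess arriving inside a flood is still refused, and the range counter runs only on successful logins, which is where shared or stolen passwords show up.

```python
import ipaddress
import secrets
import time
from collections import defaultdict, deque


class LoginGuard:
    """Login throttling and account-sharing detection for a members area.

    Policy (defaults are illustrative, not values from the thread):
      * more than ip_limit attempts from one IP within `window` seconds blocks that
        IP for `block` seconds, whatever usernames it tried;
      * more than user_limit attempts against one username within `window` blocks
        that username for `block` seconds, from any IP;
      * one session per username: a new successful login evicts the old one;
      * a username logging in from more than max_ranges distinct /24 networks gets
        its password reset, its session dropped and a notification queued.
    IPv4 addresses are assumed for the /24 grouping.
    """

    def __init__(self, ip_limit=10, user_limit=5, window=300, block=900,
                 max_ranges=3, clock=time.time):
        self.ip_limit, self.user_limit = ip_limit, user_limit
        self.window, self.block, self.max_ranges = window, block, max_ranges
        self.clock = clock                        # injectable for tests
        self.ip_attempts = defaultdict(deque)     # ip -> attempt timestamps
        self.user_attempts = defaultdict(deque)   # username -> attempt timestamps
        self.blocked_until = {}                   # ("ip"|"user", key) -> unblock time
        self.sessions = {}                        # username -> (session token, ip)
        self.ranges_seen = defaultdict(set)       # username -> {"a.b.c.0/24", ...}
        self.notifications = []                   # (username, reason) emails to send

    def _is_blocked(self, kind, key, now):
        until = self.blocked_until.get((kind, key))
        if until is None:
            return False
        if until <= now:
            del self.blocked_until[(kind, key)]   # block has expired
            return False
        return True

    def _count(self, dq, now, limit):
        """Record an attempt in a sliding window; True when the window overflows."""
        dq.append(now)
        while dq and dq[0] <= now - self.window:
            dq.popleft()
        return len(dq) > limit

    def attempt(self, username, ip, password_ok):
        """Process one login attempt. Returns 'blocked', 'denied', 'ok',
        'ok-evicted' (a previous session was logged out) or 'reset'."""
        now = self.clock()
        if self._is_blocked("ip", ip, now) or self._is_blocked("user", username, now):
            return "blocked"
        # Every attempt counts, successful or not: a correct guess that arrives in
        # the middle of a flood is still part of the flood.
        if self._count(self.ip_attempts[ip], now, self.ip_limit):
            self.blocked_until[("ip", ip)] = now + self.block
            return "blocked"
        if self._count(self.user_attempts[username], now, self.user_limit):
            self.blocked_until[("user", username)] = now + self.block
            return "blocked"
        if not password_ok:
            return "denied"
        evicted = self.sessions.pop(username, None)
        self.sessions[username] = (secrets.token_urlsafe(32), ip)
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        self.ranges_seen[username].add(net)
        if len(self.ranges_seen[username]) > self.max_ranges:
            self.notifications.append(
                (username, f"login from {len(self.ranges_seen[username])} distinct /24 ranges"))
            self.sessions.pop(username, None)     # force a fresh login with the new password
            self.ranges_seen[username].clear()    # the new password starts with a clean slate
            return "reset"
        return "ok" if evicted is None else "ok-evicted"

    def session_valid(self, username, token):
        """True only for the most recent session token issued to this username."""
        current = self.sessions.get(username)
        return current is not None and secrets.compare_digest(current[0], token)
```

The caller still has to do the actual password check and, on `'reset'`, change the stored password and send the queued notification; the guard only decides whether an attempt is allowed to reach that check.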
#4  02-10-2003, 05:24 PM
boldy (Macdaddy coder; Location: MacDaddy pimp coder; Join Date: Feb 2002; Posts: 2,806)
http://www.gofuckyourself.com/showth...ght=solutio n

#5  02-10-2003, 05:40 PM
cafeaulait (Confirmed User; Join Date: Jun 2002; Posts: 587)
Thanks guys, but all my passwords are 7-digit randomly generated, so I don't see how they could be brute forcing their way in.

I really don't get that many hits either, so it doesn't point towards brute force; it's like they can get at my .htpasswd file or they're fucking with my billing processor's CGI directly. Really weird and bloody annoying.

G

#6  02-10-2003, 06:49 PM
Ludedude (Suck it!; Location: Who wants to know?; Join Date: Jun 2001; Posts: 4,432)
Quote:
Originally posted by cafeaulait
Thanks guys, but all my passwords are 7-digit randomly generated, so I don't see how they could be brute forcing their way in.

I really don't get that many hits either, so it doesn't point towards brute force; it's like they can get at my .htpasswd file or they're fucking with my billing processor's CGI directly. Really weird and bloody annoying.

G
If you process with CCBill, then that might be the answer. Many people report a weakness in the CCBill CGI script, with passwords being added at will.

#7  02-10-2003, 06:52 PM
NetRodent (Confirmed User; Location: In the walls of your house; Join Date: Jan 2002; Posts: 3,985)
Quote:
Originally posted by cafeaulait
Thanks guys, but all my passwords are 7-digit randomly generated, so I don't see how they could be brute forcing their way in.

I really don't get that many hits either, so it doesn't point towards brute force; it's like they can get at my .htpasswd file or they're fucking with my billing processor's CGI directly. Really weird and bloody annoying.

G
I trust your .htpasswd file is not in a location where it is readable via the web.

#8  02-10-2003, 07:29 PM
directfiesta (Too lazy to set a custom title; Location: Montreal, Quebec; Join Date: Oct 2002; Posts: 29,680)
Try changing the names of the CGI script, the password script and the password files. Put all data in a non-web-accessible folder (mine are on a partition "T"). This way, hackers that know the normal parameters of protection will be fucked ...

#9  02-10-2003, 07:42 PM
Alky (Confirmed User; Location: Houston; Join Date: Apr 2002; Posts: 5,651)
Quote:
Originally posted by NetRodent
I trust your .htpasswd file is not in a location where it is readable via the web.
Even so... Apache defaults block access to files starting with .ht

#10  02-10-2003, 07:48 PM
NetRodent (Confirmed User; Location: In the walls of your house; Join Date: Jan 2002; Posts: 3,985)
Quote:
Originally posted by Alky
Even so... Apache defaults block access to files starting with .ht
Never assume someone is using the default config. He also might be using something other than Apache.

#11  02-10-2003, 08:11 PM
richard (Confirmed User; Location: UK; Join Date: Feb 2001; Posts: 543)
Quote:
Originally posted by NetRodent
He also might be using something other than Apache.
Isn't .htaccess an Apache thing?

#12  02-10-2003, 08:39 PM
NetRodent (Confirmed User; Location: In the walls of your house; Join Date: Jan 2002; Posts: 3,985)
A few other web servers use the .htaccess format. For example:
Roxen
Zeus

Also, the venerable NCSA httpd uses them as well, although you could argue that it became Apache.

#13  02-11-2003, 12:48 PM
cafeaulait (Confirmed User; Join Date: Jun 2002; Posts: 587)
Thanks for all your comments guys:

Ludedude - I process with GloBill and I've never heard of any problems with this. Plus my cgi-bin dir is not browsable and it's not called globill.cgi or anything obvious like that (random digits), so how could they find it?

Netrodent - .htpasswd is not browsable from the web; I just tried and got a 404. Plus it's not called ".htpasswd", it's again random digits.

Direct Fiesta - I agree, and have always called all my important files and CGIs by random digit combinations.

This is what is so goddamn annoying about the whole thing: if it was brute force or poor setup I'd understand and accept it, but something else is going on here and I just don't know what.

#14  02-11-2003, 12:57 PM
cafeaulait (Confirmed User; Join Date: Jun 2002; Posts: 587)
What's interesting is that after I have logged in to the members area I can view the .htaccess file. It's currently chmod 644; I've tried lower permissions but then it doesn't work.

It just seems daft, because they can immediately find the location of my .htpasswd file from this.

Would a MySQL DB be more secure than .htpasswd?
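The two exposures argued over in posts #7 to #10 and then reported in post #14 (a password file that sits under the document root, and an .htaccess that is itself downloadable and gives away the AuthUserFile path) can be checked mechanically. The following is an added Python example, not code from the thread or from Apache; the .htaccess body, the path /home/site/public_html and the file name 8f3k2q.pw are constructed for the example, and the config fragments use the stock Apache 2.4 (`Require all denied`) and 2.2 (`Deny from all`) forms of the `.ht*` deny block that the default httpd.conf ships with. One caveat the 644 observation in post #14 points at: file modes cannot fix this, because the httpd process has to read both files to enforce the login, and the same process is the one that would serve them over HTTP. Only an access rule, or a location outside the document root, stops that.

```python
import posixpath
import re

# Constructed sample inputs for this example (not files from the thread).
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Members"
AuthUserFile /home/site/public_html/members/8f3k2q.pw
Require valid-user
"""

APACHE24_DENY = """\
<Files ".ht*">
    Require all denied
</Files>
"""

APACHE22_DENY = """\
<FilesMatch "^\\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
"""


def auth_user_file(htaccess_text):
    """Return the AuthUserFile path an .htaccess declares, or None."""
    for line in htaccess_text.splitlines():
        m = re.match(r'\s*AuthUserFile\s+"?([^"\s]+)"?', line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def web_path_for(file_path, document_root):
    """URL path a browser could request for file_path if it lies under
    document_root, else None (the server cannot be asked for it at all).
    Paths are normalised first so '..' segments cannot fake a safe location."""
    root = posixpath.normpath(document_root)
    path = posixpath.normpath(file_path)
    prefix = root.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    return "/" + posixpath.relpath(path, root)


def protects_dotfiles(httpd_conf_text):
    """True if the server config carries a <Files>/<FilesMatch> block for .ht*
    files that denies access (Apache 2.2 'Deny from all' or 2.4 'Require all denied')."""
    block = re.search(r'<Files(?:Match)?\s+[^>]*\.ht[^>]*>(.*?)</Files(?:Match)?>',
                      httpd_conf_text, re.IGNORECASE | re.DOTALL)
    if not block:
        return False
    return re.search(r'Require\s+all\s+denied|Deny\s+from\s+all', block.group(1),
                     re.IGNORECASE) is not None


def audit(htaccess_text, document_root, httpd_conf_text):
    """List the exposures this checker can see. An empty list is the goal."""
    findings = []
    pw = auth_user_file(htaccess_text)
    if pw is not None:
        url = web_path_for(pw, document_root)
        if url is not None:
            findings.append(f"AuthUserFile is under the document root and would be served as {url} "
                            "unless an access rule blocks it; move it outside the web root")
    if not protects_dotfiles(httpd_conf_text):
        findings.append("no deny rule for .ht* files found; the .htaccess itself (and with it "
                        "the AuthUserFile path) may be downloadable")
    return findings
```

Run `audit()` against the real .htaccess, the real DocumentRoot and the server's main config; renaming the password file to random digits, as the thread suggests, does nothing once the .htaccess that names it can be fetched, so the second finding matters as much as the first.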