Tried your solution; nice idea, but for me at least it doesn't work. Under Windows XP, once the 200 is sent back, I can't EVER get a password prompt again. Closing browser windows doesn't help - I'd have to REBOOT!
I too have about 500,000 break-in attempts today. None of the solutions I have heard about appeal to me.
I started writing a PHP custom login page today, and I was able to authenticate a user but got hung up. Turns out there is no way to pass the credentials on with a redirect; the user just gets asked for the username/password again. Almost considering doing that anyway; it would solve the problem.
Quote:
header("Location: http://user:[email protected]/page.html"); Just an example though (and a bad one at that).
I believe that is incorrect. I tried exactly what you said many times today, and it didn't work. I then read an article that it is not possible to pass credentials in the header, at least not this way??
Here is a snip of what I tried - doesn't work, the browser still prompts for a password:

```php
<?php
$directory = "/members/";
$uname = $_POST["name"];
$upassword = $_POST["password"];
// first, is this a good password???
// just testing here, later the "real" directory will be a random number
$file = @fopen("http://$uname:$upassword@www.mysite.com$directory", "r");
if (!$file) {
    echo "<p>DEBUG Unable to open remote file.\n";
    exit;
}
// if good password, just redirect to the section as expected
header("Location: http://$uname:$upassword@www.mysite.com$directory/index.html");
?>
```
Ok, here is how Boldy's original idea worked great for me:

```php
// Range of numbers
$min = 1;  // Min number
$max = 10; // Max number
mt_srand(time()); // mt_srand() is used to seed mt_rand()
$RandomValue = mt_rand($min, $max);
if ($RandomValue == 10) {
    header("HTTP/1.0 200 OK");
    //echo ( "fooey" ) ;
}
```

What this does now is only return the 200 OK 10% of the time. The other 90% of the time the user can hit the back key after they see a nice error page. I think I am going to change this to, say, 1 out of 20 and put it in production now. Looks great in test...
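An added example, not code from the thread or from any poster, of the same ErrorDocument 401 trick generalized: only requests that actually carried credentials are candidates for the decoy 200 (a first visit with no Authorization header still gets the real prompt), the odds come from random_int() instead of a time()-seeded mt_rand(), and every decision is logged. The .htaccess line, the DECOY_ONE_IN constant and the $_SERVER keys checked for a presented credential are assumptions; which keys are actually populated depends on the PHP SAPI and Apache configuration.

```php
<?php
// Added example, not from the thread: Apache "ErrorDocument 401 /401.php" handler.
// Like Boldy's snippet it answers a fraction of failed logins with a decoy 200,
// but only when the request actually presented credentials, so a first visit
// with no Authorization header still gets the real 401 and the password prompt.
// Requires PHP 7+ for random_int(). The $_SERVER keys below are assumptions;
// which ones Apache/PHP populate depends on the SAPI and configuration.

const DECOY_ONE_IN = 20; // about 1 in 20 failed attempts receive a decoy 200

/** True if the failed request carried a Basic-auth credential (assumed keys). */
function credentialPresented(array $server): bool
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'PHP_AUTH_USER'] as $k) {
        if (!empty($server[$k])) {
            return true;
        }
    }
    return false;
}

/** Decide whether this failed attempt gets the decoy; uses a CSPRNG, not time(). */
function shouldSendDecoy(array $server, int $oneIn = DECOY_ONE_IN): bool
{
    return credentialPresented($server) && random_int(1, $oneIn) === 1;
}

$decoy = shouldSendDecoy($_SERVER);

// Log every decision so decoy hits can be correlated with the Apache access log.
error_log(sprintf('401 handler: ip=%s uri=%s decoy=%d',
    $_SERVER['REMOTE_ADDR'] ?? '-',
    $_SERVER['REDIRECT_URL'] ?? ($_SERVER['REQUEST_URI'] ?? '-'),
    (int) $decoy));

if ($decoy) {
    // Decoy: a script that only checks for a 200 status records a false "hit".
    // no-store keeps the decoy body out of browser and proxy caches.
    header('HTTP/1.1 200 OK');
    header('Cache-Control: no-store');
}
// Otherwise leave Apache's own 401 status and WWW-Authenticate header in place,
// so a real user still gets the login prompt.
?>
<html><body><p>Authorization required.</p></body></html>
```

The log line gives you a way to check, per source IP, how many decoys a given client has collected, which is the number a brute-forcer will wrongly count as successes.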
Quote:
This is not a port scanner. It's a huge db of proxies that is updated and added to... A centralized db. We have it, we use it, it works great with no noticeable server lag and no noticeable extra CPU load. This is a good solution, and if you don't even bother to read how it works - how well have you evaluated it? Making assumptions is the mark of a newbie programmer. Cheers, Backov
Could someone please brute-force try to hack me?
I have implemented the "200 OK" idea (only 5% of the time though) and am dying to see it in action....
Hi boys,
Boldy is ill; he will soon be back again.
Quote:
Reading is good. Comprehending is better.
Quote:
That doesn't mean that SOMETIMES you won't get 2 10's in a row, but after a million runs you will have 100,000 10's, evenly distributed across the bell curve.
Nice stuff guys! I'll implement the 10% thingie too ...
Quote:
http://www.proxypass.com/docs/proxypass_tech_faq.pdf Best regards, PxG
For those who are interested, I've added that 10% thingie to my 401.php:
http://www.kimhollandcash.com/401.txt
For brute-force protection/deterrence we use MemLogin
(available from PaysitePowertools.com) and use Iprotect (an Apache module) for password abuse, though Iprotect doesn't help much against proxy-based attacks. MemLogin basically hides the real members URL from everyone except you & your members. If you set things up properly you won't ever be bothered by brute-force traffic spikes again =]
*bruteforce night bump*