Protectiong against password traders.

[spaceman73]

Hi everyone,

I am really happy to be a part of this board. The discussion are always interesthing and it's one of the most open and friendly board I have seen.

I just bought my first paysite lately and was looking into some password protection program to make sure my member zone is secure. I came across Password Sentry which seems really good.

Anyone here use it, and have some comments to share ?


Thanks.
Jon

[Sambuka]

That program might be good but Pennywize is some kickass software, I just updated to there new version and it works perfectly. Deleted 5 passes first day, 13 the next day and 3 today. I have lots of members And I think there new version blocks proxy dictionary attacks by accessdivers etc. (I think). Its a pretty cheap price too check it out.

www.pennywize.com

Sammy

[Shark]

Sammy,

I'm just wondering whats causing all these members to be deleted?
It seems to be a large amount, whats your ?threshold? of IP addresses set at ?

[Spoonie Luv]

Quote:

Originally posted by spaceman73
I am really happy to be a part of this board. The discussion are always interesthing and it's one of the most open and friendly board I have seen.

Are you sure you have the right board?

[daddynastee]

HAR!

[drunkdollars]

proxypass works good i hear

[spaceman73]

Thanks Sambuka, I had a look at Pennywise also. It seemed good, but I so far I had my eyes more on Password Sentry. But Pennywise seems really good also, I guess I'll decide based on the feedback I get here.

So far people seem to be using other programs. Thanks Drunk dollars, I'll check that one out, haven't heard of it as much.

Shark as I can see you have some experiences with that kind of program, which one do you use ? What threshold of IP adresses would you be setting usually ?

HAHAHAHA Spoonie Luv, you just prove to me that I am going to be part of this board much more from now on. It's things like that which make it so interesthing, interraction, teasing, and no-hold barred subject.

Thanks for these quick reply, more more...
Jon

[Danielle]

Stop That Hacker works great! http://www.stopthathacker.com

Plus it's on sale right now.

Hugs,
Danielle

[chupacabra]

i've used both packages, and have to say that pw sentry is tops in our book... aside from weirdness we've experienced w/ pennywize (crashing scripts, etc.) pw sentry is a much more solid solution we have found. dan will even install and tweak it on your server for you free of charge, and has never taken more than 8 hours to respond to any inquiries from us... when we emailed pennywize for support, it was over 30 hours before we even received a cursory response... ymmv, but i doubt it... pw sentry rocks all around..

[Cindyff]

Before you go signing up for a monthly service take a look at Bot Buster. We put this up on 10 sites and it works like a dream. Full control of IP addresses passwords members. I havent seen anything as good at the price.
Oh you can buy this for each site for around $150 per site thats around 3 monthly payments for these other programs?

http://www.botbuster.com

[Argoz]

Password Sentry or Pennywize ?

Hummmmmmmm





Pixhell

[chupacabra]

pw sentry does not have a monthly charge like pennywize does, it is a one-time payment..

[Argoz]

Yes, good point chupacabra !


Password Sentry = 2
Pennywize = 1
BotBusters = 1
Stop That Hacker = 1





Pixhell

[sweetcuties]

I use monster script/sentry for all my sites

[Argoz]

Thanks for you reply sweetcuties.

Password Sentry = 3
Pennywize = 1
BotBusters = 1
Stop That Hacker = 1



Pixhell

[hitman699]

I use password sentry and it works great.

[spaceman73]

Thanks for all your reply,
look like password sentry got a good reputation.
Thanks for all your recommendation, I like the one-off payment, and if it does the same as all the other, then it will be a good deal.
Thanks
Jon

[LBBV]

Whatever you get, make sure that it also stops brute force attacks. A brute force attack run from a fast connection will bring your server to it's knees.

I don't see anything about preventing brute force attack prevention on Password Sentry's site (doesn't mean that it doesn't do it though)

Most of our customers use Pennywize and are quite pleased with it. Their support sucks, but for our customers, that's not a problem because WE handle all the Pennywize support for our customer sites.

Another good one is IProtect. It's an apache module so it runs cleaner than a PERL script. Has less features than Pennywize though. Iprotect can be seen at http://www.digital-concepts.net/cgi-iprotect.html. They are extremely slow at answering their email though...

[some_idiot]

Use them to your advantage! Redirect the username in
you .htaccess to a pay per click program.

[spaceman73]

Thank you again everyone.

LBBV you just mentionned something that I heard from Pennywise also, about preventing Brute Force.
Look like this is an imprtant issue in my decision.

However, when I asked Password Sentry I get an answer saying that they don't provide protection against directory/brut force attacks. That they did before but found that such CGI-Perl based strategies were flawed, that it made the web server crash during intense attacks - especially when the cracker ("password guesser") spoofs (fakes) their IP address (often rotating through IPs every 3-5 guesses).
And that in this case it's also uneffective because their program just switch IP constantly. But they say that you can use other server-friendly strategies.

Also that you might even end up blocking good users or traffic that use IP's which varies dynamically. (AOL ect..)

So now I am probably more mess-up than before, but at less I start to understand better. What are peoples toughts on that?
With ot without Brutal Force protection ?

Thanks again to everyone.
Jon

[Petr]

Jon, definitely brute force protection. There is a way of how to recognize a legitimate proxy (like AOL, etc.).

BTW if anyone is interested, we are finishing up our own system - http://www.passprotector.com which combines a member area protection with a member are management (adding/removing members, etc.). All the software has been tested for the last two months on all our sites (http://everycent.com) with excellent results... I will save more info for the upcoming one-time announcement... ;)

[andi_germany]

IProtect is the most effective prog out there but only if you have full access to your server. It will be compiled into apache and therefore will not slow down your site at all.

http://www.digital-concepts.net/cgi-iprotect.html

It is 500 bucks and for a new paysite owner it might be a little steep but it is really cool. I use it since 98 and I actually submit to passwordsiters to get the additional traffic to send to toplists.

[LBBV]

Quote:

Originally posted by spaceman73
Thank you again everyone.

LBBV you just mentionned something that I heard from Pennywise also, about preventing Brute Force.
Look like this is an imprtant issue in my decision.

However, when I asked Password Sentry I get an answer saying that they don't provide protection against directory/brut force attacks. That they did before but found that such CGI-Perl based strategies were flawed, that it made the web server crash during intense attacks - especially when the cracker ("password guesser") spoofs (fakes) their IP address (often rotating through IPs every 3-5 guesses).
And that in this case it's also uneffective because their program just switch IP constantly. But they say that you can use other server-friendly strategies.

Also that you might even end up blocking good users or traffic that use IP's which varies dynamically. (AOL ect..)

So now I am probably more mess-up than before, but at less I start to understand better. What are peoples toughts on that?
With ot without Brutal Force protection ?

Thanks again to everyone.
Jon

Because so many brute force attacks use spoofed IP addresses, there is always the chance that legit IP addresses will be blocked. The fix for this is to run a cron job every 15 minutes that unblock all the blocked IPs. We have a program that we wrote in-house that we use to augment Pennywize's brute force prevention, and it works great. Basically, it watches the log file and does a route reject of any spoofed IP, and then the cron job removes the blocked IP every 15 minutes. Brute force attacks NEVER affect us now

[Sambuka]

Sammy,

I'm just wondering whats causing all these members to be deleted?
It seems to be a large amount, whats your ?threshold? of IP addresses set at ?

I have all my sites set at 10-12 subnets before blocking, it doesn't seem to block any real members just blocks posted passwords. Here is yesterdays stats : 4 members deleted.

User: slutters
Subnets : 17
Hits 1136
Bytes Downloaded : 4081307
Minutes online : 50
Detected 13 different subnets
DISABLED.


User: MrBrownXX
SUBNETS: 48
hits : 3047
Bytes : 11430960
Minutes : 140
Detected 13 different subnets
DISABLED.

obt 11 943 3743583 46 Detected 11 different subnets
Bisto 11 889 3100461 36 Detected 11 different subnets

Here are some others from 2 days ago

MrBrownXX 47 3594 13301232 154 Detected 13 different subnets

Hrmm, I haven't really had a good look through this in awhile and it seems like I have 3-4 passwords that are the exact same being deleted each day. I'll have to change the .htaccess so it goes to my own frontpages instead of the pennywize blank page. Should make me a few extra signups a day with 3000-4000 traffic hitting me each day. i'll let them continue to hack those same passes

Sammy

[pennywize_v3]

Hi Spaceman,

Steve from Pennywize here.

We have a big new launch on the 1st of November with Pennywize v3.0. We believe it is the best release yet, with a new brute force blocking method and much faster account detection and blocking.

Because we have gone through a period of fairly high growth, we are currently in the process of establishing dedicated support personnell to handle the growing amount of requests/installs we do.

Anyway Jon you can try Pennywize for FREE on your server and if you like it, great. If not then try something else, but you're lost nothing by at least trying Pennywize! I am confident once you try it you will be happy.

Thanks mate,


Steve
Pennywize.

[spaceman73]

Wow, I just can't believ how this board rocks. Thanks again everyone for your and great explanation.

Thanks andi_germany, I have full access to my server but at 500$ I'll have to wait a bit more, this expense was a bit unexpected, as I tought the previous owner would have had one already. But sounds really good, one day hopefully.

Thanks Petr, will it be launch soon. I have to decide in the next day or so?

Thanks again LLBV, your comments have been really appreciated so far. You in-house program sounds really really interething. IS it possible to get it even if I am hosted elsewhere ?

Thanks Steve, I"m definetely considering trying Pennywise, does your free trial include de Brute force protection ?

Thanks Everyone
Jon

[WmCgi]

Use Protector Pro ! It's the best !
full stats
automate block\unblock passes
ip zones limit
traffic limit
bruteforce attak's protect
unlimeted sites and unlimitet logins only for $33
i can get demo passes
just mail me : [email protected]

Link: Protector PRO

[LBBV]

Quote:

Originally posted by spaceman73
Wow, I just can't believ how this board rocks. Thanks again everyone for your and great explanation.

<-snip->

Thanks again LLBV, your comments have been really appreciated so far. You in-house program sounds really really interething. IS it possible to get it even if I am hosted elsewhere ?

Thanks Steve, I"m definetely considering trying Pennywise, does your free trial include de Brute force protection ?

Thanks Everyone
Jon

Unfortunately, our in-house add-on to Pennywize is only for our customers.

As for Pennywize, the only thing that the free trial does NOT do is it does NOT automatically block abused usernames. It does, however, send you an email so that you can block them manually...