Stopping brute force attacks

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Stopping brute force attacks

Postby general.chaos » 29. January 2010 13:58

Hi,

I've noticed my Ampache server will let you try to login as many times as you like. I'm not too worried, but this does create some security holes in my mind. How can I set the max number of password tries before it stops letting people attempt to log in?

Thanks!
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby general.chaos » 15. March 2010 16:44

Surely there has to be a way???
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby PhQ » 15. March 2010 20:19

What do you mean? How many max logins per IP ?
PhQ
 
Posts: 5
Joined: 14. March 2010 21:51

Re: Stopping brute force attacks

Postby general.chaos » 17. March 2010 14:45

Yes. By default you can try as many username/password combinations as you want, it will just keep asking until you get it right.

I would like it to "ban" you after 3-5 wrong tries in a certain time frame.

Thanks.
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby Nobbie » 17. March 2010 15:06

general.chaos wrote:I would like it to "ban" you after 3-5 wrong tries in a certain time frame.


That does not answer the question. What do you mean by "you" when you say "ban you"? How will you identify the client? How can you be sure, that really the same guy trys more than 3 times? Assume, two guys are sitting in the same LAN behind the same server and unfortunately they both try to login to your site at the same time. Both requests have the same public IP of the router - how will you (or Apache) decide, who trys wrong three times in a row. Who is it?

Or assume, there is huge Internet Proxy, many people are using this Proxy, all of them are having the same IP (the IP of the proxy). How can you identify, that one and the same user is going to fail 3 times in a row?

What is the criteria for Apache to find out, that a user/browser fails to login three times in a row? And what should happen after? The IP gets "blacklisted"? My neighbour fails to login and I will be blacklisted, due to the fact that we use the same router?
Nobbie
 
Posts: 8779
Joined: 09. March 2008 13:04

Re: Stopping brute force attacks

Postby general.chaos » 18. March 2010 16:37

Yes, I Want it to block people by their IP's.

I don't care if it blocks multiple people behind the same router, no one should be "logging in" but me. The pages that are public have no password on them.
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby Nobbie » 18. March 2010 17:02

But there is no API for Apache to tell him to deny access after a certain number of requests.

You have to live with that security hole - but you are not alone, the whole world can live with that security hole.
Nobbie
 
Posts: 8779
Joined: 09. March 2008 13:04

Re: Stopping brute force attacks

Postby general.chaos » 18. March 2010 18:41

Nobbie wrote:You have to live with that security hole - but you are not alone, the whole world can live with that security hole.


I guess no one worries about Brute Force attacks anymore?
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby Nobbie » 18. March 2010 23:34

general.chaos wrote:I guess no one worries about Brute Force attacks anymore?


You are simply wrong, as you obviously have no idea about "brute force".

Brute force does not mean a single person with a keyboard, which enters approx. 1 password per minute. Its your problem, that you dont understand that.

A brute force attack means, that someone has got the encrypted value of a password and runs his PC to find out (approx. 1.000.000.000.000 trys per second or more) the password, which fits to the encrypted value. Even that may take million of years, because the corresponding algorithm (Md32 or similar) knows more than 2 power 128 different values.

Someone with a keyboard is not a brute force, its a joke. And even if you replace the keyboard by a robot - the horrible bad response times of standard HTTP destroys any brute force attack before it starts.
Nobbie
 
Posts: 8779
Joined: 09. March 2008 13:04

Re: Stopping brute force attacks

Postby general.chaos » 19. March 2010 18:44

You are simply wrong, as you obviously have no idea about "brute force".

Brute force does not mean a single person with a keyboard, which enters approx. 1 password per minute. Its your problem, that you dont understand that.


You're assuming I'm dealing with a single person and not botnet of attackers.
I suppose you are right and I should just throw caution to the wind. I'm just to used to IIS which actually had such security measures you could implement.


I'm truly sorry I came here looking for help. The whole "support forum" thing at the top of the page must have thrown me off.

BTW: http://en.wikipedia.org/wiki/Password_c ... rce_attack " In theory, if there is no limit to the number of attempts, a brute force attack will always be successful"

Again, I am sorry I came here looking for help.
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 62 guests