Stopping brute force attacks


Stopping brute force attacks

Postby general.chaos » 29. January 2010 13:58

Hi,

I've noticed my Ampache server will let you try to login as many times as you like. I'm not too worried, but this does create some security holes in my mind. How can I set the max number of password tries before it stops letting people attempt to log in?

Thanks!
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby general.chaos » 15. March 2010 16:44

Surely there has to be a way???
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby PhQ » 15. March 2010 20:19

What do you mean? How many max logins per IP ?
PhQ
 
Posts: 5
Joined: 14. March 2010 21:51

Re: Stopping brute force attacks

Postby general.chaos » 17. March 2010 14:45

Yes. By default you can try as many username/password combinations as you want, it will just keep asking until you get it right.

I would like it to "ban" you after 3-5 wrong tries in a certain time frame.

Thanks.
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby Nobbie » 17. March 2010 15:06

general.chaos wrote:I would like it to "ban" you after 3-5 wrong tries in a certain time frame.


That does not answer the question. What do you mean by "you" when you say "ban you"? How will you identify the client? How can you be sure that it is really the same guy who tries more than 3 times? Assume two guys are sitting in the same LAN behind the same server and unfortunately they both try to login to your site at the same time. Both requests have the same public IP of the router - how will you (or Apache) decide who tries wrong three times in a row? Who is it?

Or assume there is a huge Internet proxy; many people are using this proxy, and all of them have the same IP (the IP of the proxy). How can you identify that one and the same user is going to fail 3 times in a row?

What is the criterion for Apache to find out that a user/browser fails to login three times in a row? And what should happen after? The IP gets "blacklisted"? My neighbour fails to login and I will be blacklisted, due to the fact that we use the same router?
Nobbie
 
Posts: 13183
Joined: 09. March 2008 13:04

Re: Stopping brute force attacks

Postby general.chaos » 18. March 2010 16:37

Yes, I want it to block people by their IPs.

I don't care if it blocks multiple people behind the same router, no one should be "logging in" but me. The pages that are public have no password on them.
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43
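The lockout general.chaos describes (ban a client after a few wrong tries inside a time window) and the shared-address problem Nobbie raises (one router or proxy, many users) can both be seen in a small failed-login throttle. The following is an added example, not code from the thread, from Ampache or from XAMPP; the `LoginThrottle` class, the `attempt_login` function, the constructed user table and the addresses are all assumptions made for the illustration. It keys the failure counter on the pair (client IP, username) rather than on the IP alone, so a neighbour behind the same NAT who fails against a different account is not locked out with you, while repeated failures against one account from one address still trip the lock.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed credential store for the example: username -> sha256 of the password.
# A real application would use a salted, slow password hash; this is only enough
# to make the example self-contained.
_USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def check_password(username, password):
    """Constant-time comparison against the constructed user table."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(password.encode()).hexdigest())


class LoginThrottle:
    """Sliding-window failed-login counter with a temporary lockout.

    max_failures: wrong tries allowed within `window` seconds before locking
    lockout:      seconds the (ip, username) pair stays locked once tripped
    clock:        time source, injectable so behaviour can be replayed offline
    """

    def __init__(self, max_failures=5, window=600, lockout=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    @staticmethod
    def key(ip, username):
        # Keying on both fields keeps one shared public IP from locking every
        # user behind it; an attacker must still fail repeatedly per account.
        return (ip, username.lower())

    def is_locked(self, ip, username):
        k = self.key(ip, username)
        until = self._locked_until.get(k)
        if until is None:
            return False
        if self.clock() >= until:          # lockout has expired, forget the history
            del self._locked_until[k]
            self._failures.pop(k, None)
            return False
        return True

    def record_failure(self, ip, username):
        """Record one wrong try; returns True when this failure trips the lockout."""
        now = self.clock()
        k = self.key(ip, username)
        q = self._failures[k]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[k] = now + self.lockout
            return True
        return False

    def record_success(self, ip, username):
        k = self.key(ip, username)
        self._failures.pop(k, None)
        self._locked_until.pop(k, None)


def attempt_login(throttle, verify, ip, username, password):
    """Returns 'locked', 'ok' or 'denied'. The lock is checked before the password
    so a locked-out client learns nothing even when it guesses correctly."""
    if throttle.is_locked(ip, username):
        return "locked"
    if verify(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "denied"


class FakeClock:
    """Deterministic clock so the scenario below replays without sleeping."""

    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Replays the thread's scenario: three wrong tries lock the address for that
    account, a neighbour on the same address is unaffected, and the lock expires."""
    clock = FakeClock(1_000_000)
    throttle = LoginThrottle(max_failures=3, window=60, lockout=300, clock=clock)
    results = []
    for guess in ("guess1", "guess2", "guess3"):          # three failures -> locked
        results.append(attempt_login(throttle, check_password, "203.0.113.7", "admin", guess))
    results.append(attempt_login(throttle, check_password, "203.0.113.7", "admin", "correct horse"))
    results.append(attempt_login(throttle, check_password, "203.0.113.7", "alice", "wrong"))
    clock.advance(301)                                     # lockout has run out
    results.append(attempt_login(throttle, check_password, "203.0.113.7", "admin", "correct horse"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth noting when wiring something like this into an application behind Apache. First, the IP the application sees is whatever the socket reports; if a reverse proxy sits in front, every client arrives from the proxy's address unless the forwarded-for header is read, and that header must only be trusted from the proxy itself. Second, the lockout state lives in memory here, so it vanishes on restart and is not shared between worker processes; a database or cache table keyed the same way gives the same behaviour across restarts.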

Re: Stopping brute force attacks

Postby Nobbie » 18. March 2010 17:02

But there is no API for Apache to tell it to deny access after a certain number of requests.

You have to live with that security hole - but you are not alone, the whole world can live with that security hole.
Nobbie
 
Posts: 13183
Joined: 09. March 2008 13:04

Re: Stopping brute force attacks

Postby general.chaos » 18. March 2010 18:41

Nobbie wrote:You have to live with that security hole - but you are not alone, the whole world can live with that security hole.


I guess no one worries about Brute Force attacks anymore?
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43

Re: Stopping brute force attacks

Postby Nobbie » 18. March 2010 23:34

general.chaos wrote:I guess no one worries about Brute Force attacks anymore?


You are simply wrong, as you obviously have no idea about "brute force".

Brute force does not mean a single person with a keyboard, who enters approx. 1 password per minute. It's your problem that you don't understand that.

A brute force attack means that someone has got the encrypted value of a password and runs his PC to find out (approx. 1.000.000.000.000 tries per second or more) the password which fits the encrypted value. Even that may take millions of years, because the corresponding algorithm (Md32 or similar) knows more than 2 to the power of 128 different values.

Someone with a keyboard is not a brute force, it's a joke. And even if you replace the keyboard by a robot - the horribly bad response times of standard HTTP destroy any brute force attack before it starts.
Nobbie
 
Posts: 13183
Joined: 09. March 2008 13:04

Re: Stopping brute force attacks

Postby general.chaos » 19. March 2010 18:44

Nobbie wrote:You are simply wrong, as you obviously have no idea about "brute force".

Brute force does not mean a single person with a keyboard, who enters approx. 1 password per minute. It's your problem that you don't understand that.


You're assuming I'm dealing with a single person and not a botnet of attackers.
I suppose you are right and I should just throw caution to the wind. I'm just too used to IIS, which actually had such security measures you could implement.


I'm truly sorry I came here looking for help. The whole "support forum" thing at the top of the page must have thrown me off.

BTW: http://en.wikipedia.org/wiki/Password_c ... rce_attack "In theory, if there is no limit to the number of attempts, a brute force attack will always be successful"

Again, I am sorry I came here looking for help.
general.chaos
 
Posts: 6
Joined: 28. January 2010 19:43
