[pmwiki-users] making brute force attacks more difficult
Christophe David
pmwiki at christophedavid.org
Mon Aug 20 08:37:04 CDT 2007
Looking at the logfiles I suspect someone is trying a brute force
attack to get the admin password of one of my PmWiki fields, sending many
requests at a time and loading the server quite a lot.
If I understand correctly, as $DefaultPasswords['admin'] is normally
always defined, there is no need for an attacker to bother with the
AuthUser or LDAP aspects.
So trying SiteAdmin.Whatever?action=edit repeatedly with the HTTP POST
method and setting the authpw variable to the guessed value should
work if enough time is spent.
I was wondering if it would not be a good idea to save the remote IP
address and a timestamp for every failed authentication (ideally
whatever the method used - AuthUser, LDAP, etc.), and to deny access
without any other control if the same address tried less than n
seconds earlier. This would make brute force attacks too long to be
practical.
Is there already something available or did someone already think
about how to implement such a feature efficiently, if possible in a
way that is independent of the authentication method?
Thank you in anticipation.
Christophe
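The throttle Christophe sketches (remember the client address and the time of each failed login, refuse anything from that address that arrives within n seconds, before any password check runs) can be implemented independently of the authentication method because it sits in front of it. The following is an added example, not PmWiki code and not from the thread; the admin password, the client addresses and the timings are constructed for the demo, and the escalating delay (doubling per failure, capped) goes a step beyond the fixed n seconds proposed in the post.

```python
"""Per-client-address delay after failed authentication (added example, not PmWiki code)."""
import hmac
from dataclasses import dataclass, field

# Constructed demo secret; a real site would store and compare a password hash.
ADMIN_PASSWORD = "correct horse battery staple"


def check_password(candidate: str) -> bool:
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(candidate.encode(), ADMIN_PASSWORD.encode())


@dataclass
class FailedAuthThrottle:
    """Remembers the last failure time and failure count per client address.

    Runs before any authentication method (plain authpw, AuthUser, LDAP) is
    consulted, so it does not depend on how the password is verified.
    """
    min_delay: float = 5.0    # seconds a client must wait after its first failure
    max_delay: float = 300.0  # cap on the escalating delay
    _state: dict = field(default_factory=dict)  # ip -> (last_failure_ts, failure_count)

    def delay_for(self, failures: int) -> float:
        # Escalates 5, 10, 20, ... seconds; capped so a shared NAT address is not locked out for good.
        return min(self.min_delay * 2 ** (failures - 1), self.max_delay)

    def is_blocked(self, ip: str, now: float) -> bool:
        entry = self._state.get(ip)
        if entry is None:
            return False
        last_failure, failures = entry
        return now - last_failure < self.delay_for(failures)

    def record_failure(self, ip: str, now: float) -> None:
        _, failures = self._state.get(ip, (now, 0))
        self._state[ip] = (now, failures + 1)

    def record_success(self, ip: str) -> None:
        self._state.pop(ip, None)

    def prune(self, now: float) -> None:
        # Drop entries whose delay has expired so the table does not grow without bound.
        self._state = {ip: e for ip, e in self._state.items()
                       if now - e[0] < self.delay_for(e[1])}


def attempt_login(throttle: FailedAuthThrottle, ip: str, candidate: str, now: float) -> str:
    """Returns "blocked", "failed" or "ok".

    A request arriving inside the delay window is refused without looking at
    the password at all, and it refreshes the window, so a client that keeps
    hammering never gets another guess evaluated.
    """
    if throttle.is_blocked(ip, now):
        throttle.record_failure(ip, now)
        return "blocked"
    if check_password(candidate):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip, now)
    return "failed"


def simulate_brute_force(attempts: int, interval: float) -> int:
    """Number of guesses that actually reach check_password when one address
    (constructed: 203.0.113.9) sends `attempts` wrong passwords `interval` seconds apart."""
    throttle = FailedAuthThrottle()
    evaluated = 0
    for i in range(attempts):
        if attempt_login(throttle, "203.0.113.9", f"guess{i}", i * interval) != "blocked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated out of 600 sent in one minute:", simulate_brute_force(600, 0.1))
```

Two caveats a practitioner would want before deploying this. Keying on the client address gives an attacker with many addresses one free guess per address per window, and it makes every user behind one NAT share a single delay budget, which is why the delay is capped rather than growing forever. And the address must be the one the server actually saw; taking it from an X-Forwarded-For header that any client can set lets the attacker rotate "addresses" at will, so only honour that header behind a proxy you control.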