[pmwiki-users] making brute force attacks more difficult #2

Algardas alglt at yahoo.com
Tue Aug 21 06:26:25 CDT 2007


On Mon, 20 Aug 2007 18:43:48 -0400
Peter Kay <petya_98 at yahoo.com> wrote:

> Thomas Bley wrote:
> > Hello,
> > 
> > I propose two things:
> > - bind the session to the remote ip address and the user agent
> > - restrict a login from a remote ip address if there are more than 5 bad
> > logins within the last 2 hours
> > 
> > What do you think ?
> 
> An alternative approach is to double a "sleep" for each time a login 
> fails.  I'm not sure how good an idea having a webserver sleep is, tho.
> 
> As someone who routinely forgets his passwords, I have to say that I'd 
> like a little more forgiving a way to do this :)
> 
> --Peter

sleep() is very bad for the server, i.e. it causes PHP threads to wait, and the maximum number of threads on a machine is limited.

IMO, 2 hours after 5 bad attempts is too much. It would be better to start acting only if there are more than 3-5 bad login attempts in one minute (from the same IP). And if there are, it would be reasonable to block access to the auth facility for ~3 minutes and reset the bad attempts count. In such a case the attacker could never do more than ~75 passwords/h from the same IP, which is much better than 2000 passwords/h (which is what I have in my logs).

-- 
Algardas
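The per-IP throttle sketched in the message above (count failed logins in a one-minute window, lock the auth facility for a few minutes once the count is hit, then reset), written out as a runnable illustration. This is an added example, not PmWiki code and not the poster's own implementation; it is in Python rather than PHP so the arithmetic can be checked by running it, and the class name, method names, the injected clock and the IP addresses are all constructed for the example. The `simulate_attacker` helper runs a guesser that fires continuously against the limiter for an hour and returns how many guesses were actually checked: with a 5-failure threshold and a 3-minute lockout that is 100 guesses/hour, and a 4-minute lockout gives exactly the ~75/hour figure the post quotes.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Per-IP bad-login throttle (constructed example, not PmWiki code).

    Failed logins from an IP are remembered for `window_seconds`. When
    `max_failures` of them fall inside that window, the IP is refused the
    auth facility for `block_seconds` and its failure count is reset.
    Nothing here sleeps, so a PHP worker (or any request handler) returns
    immediately instead of being tied up, which is the objection to sleep()
    raised in the thread. `clock` is injectable so behaviour can be tested
    without waiting for real time to pass.
    """

    def __init__(self, max_failures=5, window_seconds=60, block_seconds=180,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._clock = clock
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip, now=None):
        """True while `ip` is inside a lockout; expired lockouts are dropped."""
        now = self._clock() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def attempt(self, ip, password_ok):
        """Record one login attempt; returns 'blocked', 'ok' or 'failed'.

        'blocked' means the password was not even checked.
        """
        now = self._clock()
        if self.is_blocked(ip, now):
            return "blocked"
        if password_ok:
            self._failures.pop(ip, None)      # a good login clears the count
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        # Forget failures older than the window; a forgetful user who fails
        # once every few minutes therefore never accumulates a count.
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            recent.clear()                    # reset, as the post suggests
        return "failed"


def simulate_attacker(limiter_kwargs, duration_seconds=3600, attempts_per_second=10):
    """Count how many wrong passwords a non-stop guesser from one IP gets
    checked during `duration_seconds`, using a simulated clock."""
    t = [0.0]
    limiter = LoginRateLimiter(clock=lambda: t[0], **limiter_kwargs)
    attacker_ip = "203.0.113.7"               # constructed documentation address
    checked = 0
    while t[0] < duration_seconds:
        for _ in range(attempts_per_second):
            if limiter.attempt(attacker_ip, password_ok=False) == "failed":
                checked += 1
        t[0] += 1.0
    return checked


if __name__ == "__main__":
    for block in (180, 240):
        n = simulate_attacker({"max_failures": 5, "window_seconds": 60,
                               "block_seconds": block})
        print(f"5 failures/min, {block}s lockout: {n} guesses checked per hour")
```

Two deployment notes that the simulation glosses over: the per-IP state has to live somewhere shared by all web server workers (a file or database row keyed by IP, not process memory), and many users can sit behind one NAT address, so a lockout keyed only on IP will also lock out their neighbours, which is one reason to keep the lockout short, as the post does.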
