
How do you guys prevent force hacking



devinmaking
01-26-2012, 01:13 PM
Hi guys,

I was wondering what is the best way of stopping force hacking through login areas etc.

At the moment I have a salt-and-pepper login area which saves the salt in MD5, the password in SHA256, and the pepper is unencrypted randomly generated numbers.

So I think that is fairly secure regarding passwords etc.

But as most of you know, there are scripts out there that can generate millions of password combos within minutes and force hack a website within seconds sometimes.

Anyway, I was wondering what is the best way of stopping this.

I was thinking of making it so that if the password is incorrect 3 times then it blocks access, but that would mean clients will be ringing me to make it live again.

How do you guys solve this?

Thanks

jmj001
01-26-2012, 01:34 PM
Record failed login attempts and disable the script for the IP address of the visitor for a period of time.

myfayt
01-26-2012, 02:17 PM
To add on to what jmj said. Have a maximum of 5 login attempts per email or username, and then shut down the login for that account for 30 minutes. Another thing that will stop them is after 3 attempts, make it where they have to fill out a captcha for each attempt after.

devinmaking
01-26-2012, 03:04 PM
To add on to what jmj said. Have a maximum of 5 login attempts per email or username, and then shut down the login for that account for 30 minutes. Another thing that will stop them is after 3 attempts, make it where they have to fill out a captcha for each attempt after.

I have a captcha in place, which generates 6 random digits from 1-100 and a-z.

But as some will have heard, Xbox has recently been hacked by forced entry and they have captchas in place.

You mention a lockdown for 30 minutes; this unfortunately can't happen, as the website I am building is for a restaurant with an ordering system, which means 30 minutes could mean losing an order.

Is there not another way?

devinmaking
01-26-2012, 03:06 PM
Record failed login attempts and disable the script for the IP address of the visitor for a period of time.

Not really useful, as most hackers use proxy IP addresses, so this would not stop a forced entry.

jmj001
01-26-2012, 03:17 PM
Not really useful, as most hackers use proxy IP addresses, so this would not stop a forced entry.

actually it will....

a brute force hacker will have access to a limited number of proxies and if you give him only 5 attempts before blocking that proxy IP and he has to change it.. he won't bother with your site anymore, he'll move on to somewhere that lets him blast unlimited attempts at the login...

Fou-Lu
01-26-2012, 03:21 PM
No, flood control seems the best solution.
There is no reason you cannot provide a password reset AND an unlock feature. Link those both through email control, so if an actual user is to lock themselves out, they can unlock it by following a provided email link. If someone has control over another's email, then there is nothing you can do there anyway since they can just reset the password directly.
I wouldn't lock for 30 minutes in the above scenario. I would lock permanently until it's unlocked by an administrative user or the user has unlocked it themselves. Give a countdown notice on failed attempts as well, something simple like "You have used 1 of 4 login attempts. Subsequent login failures may result in the locking of this account".
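The three suggestions in this thread so far (jmj001's per-IP block, myfayt's per-account limit with a captcha step and a 30-minute lock, and Fou-Lu's countdown message plus an emailed unlock link) fit together as one throttle. The following is an added example written for this page, not code from any poster; the class name, thresholds, return strings and the in-memory storage are this example's own assumptions, and a real site would keep the same counters in its database or cache and actually send the unlock token by email.

```php
<?php
// Added example, not code from the thread. An in-memory login throttle that
// combines a per-IP failure window (jmj001), per-account failure counting with
// a captcha step and a temporary lock (myfayt), and a countdown message plus an
// unlock token meant for an emailed link (Fou-Lu). Storage is a plain array and
// the clock is injectable so the file runs stand-alone from the command line.

final class LoginThrottle
{
    const IP_WINDOW     = 600;   // seconds: failures from one IP are counted in this window
    const IP_MAX        = 20;    // failures per IP per window before that IP is refused
    const CAPTCHA_AFTER = 3;     // per-account failures before a captcha is demanded
    const LOCK_AFTER    = 5;     // per-account failures before the account is locked
    const LOCK_SECONDS  = 1800;  // 30 minutes; pass 0 for "locked until explicitly unlocked"

    private $ips = [];       // ip   => ['count' => int, 'since' => unix timestamp]
    private $accounts = [];  // user => ['fails' => int, 'lockedUntil' => ts|0|null, 'unlockToken' => ?string]
    private $clock;
    private $lockSeconds;

    public function __construct(?callable $clock = null, int $lockSeconds = self::LOCK_SECONDS)
    {
        $this->clock = $clock ?: 'time';   // injectable for testing; defaults to the real clock
        $this->lockSeconds = $lockSeconds;
    }

    private function now(): int { return (int) call_user_func($this->clock); }

    // Ask this BEFORE checking the password. Returns 'ok', 'captcha', 'locked' or 'ip_blocked'.
    public function check(string $user, string $ip): string
    {
        $now = $this->now();
        $ipRec = $this->ips[$ip] ?? ['count' => 0, 'since' => $now];
        if ($now - $ipRec['since'] <= self::IP_WINDOW && $ipRec['count'] >= self::IP_MAX) {
            return 'ip_blocked';
        }
        $acct = $this->accounts[$user] ?? null;
        if ($acct === null) {
            return 'ok';
        }
        if ($acct['lockedUntil'] !== null) {
            if ($acct['lockedUntil'] === 0 || $acct['lockedUntil'] > $now) {
                return 'locked';
            }
            unset($this->accounts[$user]);   // temporary lock has expired
            return 'ok';
        }
        return $acct['fails'] >= self::CAPTCHA_AFTER ? 'captcha' : 'ok';
    }

    // Record a failed password check. Returns the message to show the user.
    public function recordFailure(string $user, string $ip): string
    {
        $now = $this->now();
        $ipRec = $this->ips[$ip] ?? ['count' => 0, 'since' => $now];
        if ($now - $ipRec['since'] > self::IP_WINDOW) {
            $ipRec = ['count' => 0, 'since' => $now];   // start a fresh window
        }
        $ipRec['count']++;
        $this->ips[$ip] = $ipRec;

        $acct = $this->accounts[$user] ?? ['fails' => 0, 'lockedUntil' => null, 'unlockToken' => null];
        $acct['fails']++;
        if ($acct['fails'] >= self::LOCK_AFTER) {
            $acct['lockedUntil'] = $this->lockSeconds > 0 ? $now + $this->lockSeconds : 0;
            $acct['unlockToken'] = bin2hex(random_bytes(16));   // goes into the unlock email
        }
        $this->accounts[$user] = $acct;

        if ($acct['lockedUntil'] !== null) {
            return 'Account locked. Check your email for an unlock link.';
        }
        return sprintf('You have used %d of %d login attempts. Subsequent failures will lock this account.',
                       $acct['fails'], self::LOCK_AFTER);
    }

    public function recordSuccess(string $user): void { unset($this->accounts[$user]); }

    public function unlockToken(string $user): ?string { return $this->accounts[$user]['unlockToken'] ?? null; }

    // Called from the emailed link. hash_equals() compares in constant time.
    public function unlock(string $user, string $token): bool
    {
        $expected = $this->unlockToken($user);
        if ($expected === null || !hash_equals($expected, $token)) {
            return false;
        }
        unset($this->accounts[$user]);
        return true;
    }
}

// Stand-alone demonstration with a fake clock and a constructed user and IP (not real traffic).
$t = 1000;
$throttle = new LoginThrottle(function () use (&$t) { return $t; });
for ($i = 1; $i <= 5; $i++) {
    $state = $throttle->check('alice', '203.0.113.5');   // captcha is demanded from the 4th attempt on
    echo "attempt $i: $state -> ", $throttle->recordFailure('alice', '203.0.113.5'), "\n";
}
echo $throttle->check('alice', '203.0.113.5'), "\n";     // the 5th failure locked the account
echo $throttle->unlock('alice', 'wrong-token') ? "unlocked\n" : "bad token\n";
echo $throttle->unlock('alice', $throttle->unlockToken('alice')) ? "unlocked\n" : "bad token\n";
echo $throttle->check('alice', '203.0.113.5'), "\n";     // the emailed token cleared the lock
```

Two design points worth noting for the restaurant case raised above: the lock is per account, not per site, so other customers keep ordering while one account is locked; and because the unlock token is only ever delivered to the account's email, the legitimate owner can clear the lock themselves without waiting for an administrator, which answers the "clients will be ringing me" concern. A captcha after three failures raises the cost of each further guess without locking anyone out yet.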

jmj001
01-26-2012, 03:22 PM
I have a captcha in place, which generates 6 random digits from 1-100 and a-z.

But as some will have heard, Xbox has recently been hacked by forced entry and they have captchas in place.

You mention a lockdown for 30 minutes; this unfortunately can't happen, as the website I am building is for a restaurant with an ordering system, which means 30 minutes could mean losing an order.

Is there not another way?

you can set up the form receiving script to only allow the $_POST from a specified IP address, e.g. your site...

so when your html form submits to the receiving script it will only accept it if it's from the same or approved site/domain/ip

someone trying to break in may be sending form data direct to your script and not be actually filling out the form..

it won't stop all but it may help

you talk about it being an ordering script for a restaurant, so what are you protecting that people would bother trying to break in?

if there's stuff in there that needs to be protected as well as the ordering then separate the 2 sections and leave the ordering process less strict than the rest of the site

Keleth
01-26-2012, 05:04 PM
One thing I'll throw in, as the advice above is the same I'd give...

Bear in mind, hackers going after the big names (you mentioned Xbox) do usually do the cost/return considerations. Now, don't get me wrong. No site I've built yet has been large enough or presented enough of a target to warrant mass hacking, yet I've gone through putting in the same security measures mentioned above. However, don't over think it either. Sometimes, you just wanna build the best security you can for what you'll face. Unless you think you're the next victim of Anonymous, the above security will suffice. And if a hacker is persistent enough, unless you're a former black hat or a grey hat analyst, you likely won't stop them.

It's about stopping them the best you can. Someone who's got a PC that can whip out a few million password attempts a second is someone who seems dedicated enough to get through regardless of security in place.

tangoforce
01-26-2012, 06:04 PM
you can set up the form receiving script to only allow the $_POST from a specified IP address, e.g. your site...


Except that the $_POST data will not come from the site's IP address, it will come from the user's :p

That said, I do use a similar method to this for one of my scripts, I use a dynamic DNS domain on my home connection. My script performs an IP lookup of that and then checks to see if $_SERVER['REMOTE_ADDR'] matches it. That won't work for large scale user bases though.

jmj001
01-27-2012, 01:49 AM
Except that the $_POST data will not come from the site's IP address, it will come from the user's :p


You misunderstood me, or I didn't explain it clearly I guess.

I mean that you use $_SERVER['HTTP_REFERER'] to test where the submissions originate from, this should only be the site/page where the html form is sitting that the visitor fills in and submits.

Any requests not coming from this one specific page can be blocked.

myfayt
01-27-2012, 02:32 AM
Sorry I didn't know it was a restaurant ordering system. I would have changed my advice.

Fou-Lu
01-27-2012, 03:14 AM
You misunderstood me, or I didn't explain it clearly I guess.

I mean that you use $_SERVER['HTTP_REFERER'] to test where the submissions originate from, this should only be the site/page where the html form is sitting that the visitor fills in and submits.

Any requests not coming from this one specific page can be blocked.

Referrer is controlled by the client, not the server though, so I could mimic from either no location or from whatever location I want.
This alone goes to show you how much effort is actually involved in this all. It's a shame that http is stateless, otherwise sessions and logins would be a lot easier than they are :(
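Fou-Lu's point is the key one: anything the browser sends about where a request came from, the Referer included, is the client's claim and proves nothing. The server-side replacement for the check jmj001 was after is a token the server itself issues when it renders the form and verifies when the form is posted, kept in the session so that a request that never loaded the form page has nothing valid to send. The following is an added example written for this page, not any poster's code; the function names, the field name `form_token` and the use of a plain array in place of `$_SESSION` and `$_POST` are this example's own assumptions so that it runs from the command line.

```php
<?php
// Added example, not code from the thread. A session-bound form token that
// replaces the client-controlled HTTP_REFERER check discussed above. The token
// is issued when the form is rendered and checked when it is posted, so direct
// posts to the script that never loaded the form are rejected no matter what
// Referer header they carry. Arrays stand in for $_SESSION and $_POST here.

const FORM_TOKEN_KEY = 'login_form_token';
const FORM_TOKEN_TTL = 900;   // seconds a rendered form stays valid

// Called when rendering the login form: stores a fresh token in the session and
// returns it for embedding as a hidden field.
function issueFormToken(array &$session, ?int $now = null): string
{
    $now = $now ?? time();
    $token = bin2hex(random_bytes(32));
    $session[FORM_TOKEN_KEY] = ['value' => $token, 'issued' => $now];
    return $token;
}

// Called when the form is posted. True only if the submitted token matches the one
// issued to this session and has not expired. The stored token is cleared either
// way, so each rendered form can be submitted once: one password guess per page load.
function verifyFormToken(array &$session, array $post, ?int $now = null): bool
{
    $now = $now ?? time();
    $stored = $session[FORM_TOKEN_KEY] ?? null;
    unset($session[FORM_TOKEN_KEY]);
    if ($stored === null || !isset($post['form_token']) || !is_string($post['form_token'])) {
        return false;
    }
    if ($now - $stored['issued'] > FORM_TOKEN_TTL) {
        return false;
    }
    // hash_equals(): constant-time comparison, so the check leaks nothing about partial matches
    return hash_equals($stored['value'], $post['form_token']);
}

// Rendering side: on the real page this is $_SESSION and the field sits in the HTML form.
function renderLoginForm(array &$session): string
{
    $token = htmlspecialchars(issueFormToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="login.php">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input name="user"><input type="password" name="pass">'
         . '<button>Log in</button></form>';
}

// Stand-alone demonstration with a constructed session and POST (no web server needed).
$session = [];
$html = renderLoginForm($session);
preg_match('/name="form_token" value="([0-9a-f]+)"/', $html, $m);

// 1. A post from a client that never loaded the form (empty session) is rejected,
//    whatever Referer it claims.
$blind = [];
var_dump(verifyFormToken($blind, ['form_token' => str_repeat('a', 64)]));

// 2. The genuine submission, carrying the token the form was given, is accepted...
var_dump(verifyFormToken($session, ['form_token' => $m[1]]));

// 3. ...and replaying the same token a second time is rejected.
var_dump(verifyFormToken($session, ['form_token' => $m[1]]));
```

This is a complement to the failed-attempt throttling discussed earlier in the thread, not a replacement for it: a scripted attacker can still fetch the form page before each guess to obtain a token, so what the token buys is that every guess costs an extra round trip and a session, and that blind posting straight at the receiving script (the case jmj001 described) gets nothing. Rate-limit the form page as well if that extra request matters.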

jmj001
01-27-2012, 04:01 AM
Referrer is controlled by the client, not the server though, so I could mimic from either no location or from whatever location I want.
This alone goes to show you how much effort is actually involved in this all. It's a shame that http is stateless, otherwise sessions and logins would be a lot easier than they are :(

Hmmm.. never really looked into it before.. you are 100% correct...

@OP - Please disregard what I said about the http_referrer, it's basically useless

Spookster
01-27-2012, 08:26 AM
Hi guys,

I was wondering what is the best way of stopping force hacking through login areas etc.



These aren't the logins you're looking for. <waves hand>

devinmaking
01-27-2012, 06:09 PM
Thanks for the input from you guys.

I have gone with the 3 failed logins with an unlock captcha PIN and password which only the client knows, which is not saved in the website database or any other place on the site; it is saved in a file before the html directory.

The PIN is random each time it is failed. I think this was the best solution for this.

This way the client can always log in even if someone has tried to force entry.

jmj001
01-28-2012, 04:16 AM
i think you may have misunderstood... the login lock is not meant to lock the entire site... just access to the specific visitor that had the failed logins...

nevertheless, if you have a workable solution now that is good.. cheers

devinmaking
01-29-2012, 01:56 PM
i think you may have misunderstood... the login lock is not meant to lock the entire site... just access to the specific visitor that had the failed logins...

nevertheless, if you have a workable solution now that is good.. cheers

No, I don't mean lock the whole site down, just lock the admin user from logging in.


