Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re: Password hacker killer

by waswas-fng (Curate)
on Sep 08, 2003 at 18:45 UTC ( [id://289830]=note: print w/replies, xml ) Need Help??


in reply to Password hacker killer

Some of the more complicated password/hacking blocking tools will do the following.. Keep a running database of:

  • IP -> Username good auth
  • IP -> Username bad auth

  • Username -> Current session list


    • With these three time stamped pieces of information you can do the following:

  • Test for repeated usernames with bad auths from one IP, and tag the IP as a cracker for X minutes (you have to have a rolling target for this so you can set the weight limit high enough to get few false blocks -- meaning 5 bad user/pass combos with unique users in 30 seconds triggers a block while 5 bad auths over 5 minutes does not.)
  • Many same user bad auths with the same IP (or different as most password cracking software will use huge proxy lists to hide the source of the attack) can trigger a administrative lockout of the account -- You should give the user the ability to easily unlockout their account once every X minutes via another form or via customer support.
  • Test for multiple good auths from different IP addresses with unique session ids. This should take into account that the end user may have a few different computers live on the site at once -- but there is no reason to see 15 active sessions from 15 different IP addresses.

    Just make these test flexible enough to allow for normal allowed use of the site while catching blatant cracking attempts.


    -Waswas



    EDITED: Spelling mistakes fixed gogo dyslexia.

    • Replies are listed 'Best First'.
    Re: Re: Password hacker killer
    by theorbtwo (Prior) on Sep 08, 2003 at 19:29 UTC

      Note that the last one may hurt AOL users -- all AOL http requests come from one of several HTTP proxies at (psudo-)random.

      Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

    		[reply]

        Its also worth noting that WebTV users move between IPs for every page hit so you'd see the same session showing up on multiple IP addresses.

    		[reply]
        Test for multiple good auths from different IP addresses with unique session ids.

        I think you missread this, this means unique username <waswas-fng> from random IP addresses each with their own session going.
        <br 
        User:IP:Session
waswas-fng:10.128.172.10:000001
waswas-fng:10.128.172.10:000002
waswas-fng:10.128.172.10:000003
waswas-fng:10.128.172.10:000004
waswas-fng:10.128.172.10:000005
waswas-fng:10.128.172.12:000005
waswas-fng:192.168.66.11:000004

Would be "OK"
Where:
User:IP:Session
waswas-fng:12.128.172.10:000001
waswas-fng:231.128.172.1:000002
waswas-fng:12.128.172.10:000003
waswas-fng:231.128.172.1:000004
waswas-fng:192.168.52.1:000005

        [download]
        Would show many users using the same account with unique sessions on different networks (shared password or hacked access).

        -Waswas
    		[reply]
    [d/l]

    In Section Seekers of Perl Wisdom

    Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Domain Nodelet?

    www.com | www.net | www.org
    Node Status?
    node history
    Node Type: note [id://289830]
    help
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this?Last hourOther CB clients
    Other Users?
    Others about the Monastery: (4)
    As of 2024-04-24 22:29 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      No recent polls found