防止网站上的暴力破解登录 [英] Preventing Brute Force Logins on Websites

问题描述

对最近的 Twitter劫持和 Jeff的Dictionary Attacks帖子，确保网站免受暴力攻击的最佳方法是什么登录攻击?

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?

Jeff的帖子建议每次尝试登录都要增加延迟，注释中的建议是在第二次尝试失败后添加验证码.

Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt.

这两个都是好主意，但是您怎么知道它是什么尝试号码"呢?您不能依赖会话ID(因为攻击者每次都可以更改它)或IP地址(更好，但容易受到僵尸网络的攻击).使用delay方法，仅使用用户名登录就可以锁定合法用户(或者至少使他们的登录过程很慢).

Both these seem like good ideas, but how do you know what "attempt number" it is? You can't rely on a session ID (because an attacker could change it each time) or an IP address (better, but vulnerable to botnets). Simply logging it against the username could, using the delay method, lock out a legitimate user (or at least make the login process very slow for them).

有什么想法吗?有建议吗?

Thoughts? Suggestions?

推荐答案

我认为给定帐户的数据库持久的短锁定期(1-5分钟)是解决此问题的唯一方法.数据库中的每个userid都包含一个timeOfLastFailedLogin和numberOfFailedAttempts. numbeOfFailedAttempts > X锁定几分钟后.

I think database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts. When numbeOfFailedAttempts > X you lockout for some minutes.

这意味着您要锁定有问题的userid一段时间，但不能永久锁定.这也意味着您将为每次登录尝试更新数据库(当然，除非它被锁定)，否则可能会导致其他问题.

This means you're locking the userid in question for some time, but not permanently. It also means you're updating the database for each login attempt (unless it is locked, of course), which may be causing other problems.

在亚洲至少有一个国家进行了NAT转换，因此IP不能用于任何用途.

There is at least one whole country is NAT'ed in asia, so IP's cannot be used for anything.

这篇关于防止网站上的暴力破解登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！