What is the best method to prevent a brute force attack?


Question

I have my login page and of course I want to prevent brute force attacks and cause less delay for the users when they are logging in.

Currently, you type in your username and password to log in.

I am considering implementing a reCAPTCHA. However, this shows on login after 3 failed attempts.

My questions are:

  1. What do you base the attempt on? IP addresses? It can always be hidden... username? What if they're trying a user that doesn't exist?

What would be the best method to count the failed login attempts?

Accepted answer

Sessions are unreliable because they rely on cookies, CAPTCHAs are regularly broken [including ReCAPTCHA]. The only reliable method is deceptively simple: ask a question. Don't use a math question because computers are surprisingly adept at solving those for some reason. Great old standbys are things like:

  • What is the fourth word in the sixth paragraph on this page?
  • What is the name of the author of this site? [hint]

This is stupid-easy to implement, and very difficult for a machine to solve.

As for brute-forcing, try adding two fields to your user table, 'first_failed_login' [INTEGER unix timestamp or DATETIME] and 'failed_login_count'. [INTEGER]

<?php
$bad_login_limit = 3;
$lockout_time = 600;

// Retrieve these two columns for the user from the DB:
$first_failed_login = 0;  // Unix timestamp of the first failure in the current window
$failed_login_count = 0;  // number of failures in the current window
$login_is_valid = false;  // result of checking the submitted credentials

if(
    ($failed_login_count >= $bad_login_limit)
    &&
    (time() - $first_failed_login < $lockout_time)
) {
  echo "You are currently locked out.";
  exit; // or return, or whatever.
} else if( !$login_is_valid ) {
  if( time() - $first_failed_login > $lockout_time ) {
    // first unsuccessful login since $lockout_time on the last one expired
    $first_failed_login = time(); // commit to DB
    $failed_login_count = 1; // commit to db
  } else {
    $failed_login_count++; // commit to db.
  }
  exit; // or return, or whatever.
} else {
  // user is not currently locked out, and the login is valid.
  // do stuff
}

This will make your login system recognize only 3 login attempts per user every 10 minutes.
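The windowed counter from the answer above, reimplemented in Python as an added example (not the answerer's code) so the lockout behaviour can be run through a scripted sequence of attempts. It keys the state on the submitted username rather than on a row in the user table (an assumption, so that attempts against non-existent users from question 1 are counted too), keeps the answer's behaviour of not clearing the counter on a successful login, and uses one `< lockout` test for both the lock check and the reset so the exact-boundary second is not skipped as in the PHP's mixed `<` / `>` comparisons.

```python
from dataclasses import dataclass

BAD_LOGIN_LIMIT = 3   # failed attempts tolerated inside one window
LOCKOUT_TIME = 600    # window length in seconds (10 minutes)


@dataclass
class LoginState:
    first_failed_login: int = 0   # Unix time of the first failure in the window
    failed_login_count: int = 0   # failures recorded since first_failed_login


class LoginGuard:
    """Per-username failed-login window, as in the answer's two DB columns."""

    def __init__(self, limit=BAD_LOGIN_LIMIT, lockout=LOCKOUT_TIME):
        self.limit = limit
        self.lockout = lockout
        # Keyed by the *submitted* name (assumption), so unknown users count too.
        self.states = {}

    def attempt(self, username, password_ok, now):
        """Record one attempt at Unix time `now`; return 'locked', 'invalid' or 'ok'."""
        st = self.states.setdefault(username, LoginState())
        in_window = now - st.first_failed_login < self.lockout
        if st.failed_login_count >= self.limit and in_window:
            return "locked"          # even a correct password is refused here
        if not password_ok:
            if in_window and st.failed_login_count > 0:
                st.failed_login_count += 1          # still inside the window
            else:
                st.first_failed_login = now         # window expired: start a new one
                st.failed_login_count = 1
            return "invalid"
        return "ok"                  # counter is left as-is, matching the answer


def simulate(events, guard=None):
    """Run (username, password_ok, now) events in order; return the outcomes."""
    guard = guard or LoginGuard()
    return [guard.attempt(user, ok, now) for user, ok, now in events]


if __name__ == "__main__":
    # Constructed sample: three failures, a correct password while locked,
    # an unknown user, then a correct password after the window expires.
    print(simulate([("alice", False, 1000), ("alice", False, 1001),
                    ("alice", False, 1002), ("alice", True, 1003),
                    ("ghost", False, 1004), ("alice", True, 1700)]))
```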
