PHP:防洪/垃圾邮件系统 [英] PHP: Anti-Flood/Spam system

问题描述

我实际上正在一个PHP项目中，该项目将具有用户系统(登录，注册，将丢失的密码发送给电子邮件，..)，我认为这可能很容易受到蛮力攻击和/或垃圾邮件的攻击(将密码发送到某人的电子邮件，例如1000次，等等.使用您的幻想)

I'm actually working on a PHP project that will feature a user system (Login,Register,Send lost password to email,..) and I think that this may be very vulnerable to Brute-Force attacks and/or Spam (Send a password to someone's email like 1000 times, etc. use your fantasy) .

• 当今的网络服务器(Apache，IIS)是否具有针对Brute-Force的内置防御功能?

• 实现防垃圾邮件/洪水系统的最佳方法是什么，例如:我希望某个页面每分钟不能被调用两次以上，但是另一个页面可能最多被调用一次每分钟100次左右.

• Do today's webservers (Apache, IIS) have some sort of built-in defense against Brute-Force?

• What would be the best way to implement an Anti-Spam/Flood system, if I e.g.: want a page not be able to be called more than two times a minute, however another page may be called up to 100 times a minute or so.

• 我肯定必须存储IP地址，他们上次访问页面的时间以及某处的访问次数-但是将其存储在文本文件/数据库(MySQL)中是否足够有效?

• I would definitely have to store IP adresses, the time when they last visited a page and the number of visits somewhere - but would it be efficient enough storing it in a text-file/database (MySQL)

我应该使用验证码来注册/恢复丢失的密码吗?

Should I use captchas for things like registering/recovering lost passwords?

文字"验证码可行吗? (类似于"5加9减2是什么?")

Are "text" captchas viable? (Something like "What is 5 plus 9 minus 2? ")

该页面不会被那么多用户(100-200)使用，我真的必须实现所有这些东西吗?

The page won't be used by that many users (100-200), do I actually have to implement all these things?

推荐答案

关于验证码:我建议不要使用验证码，除非您确实需要.为什么?

Regarding CAPTCHAs: I would recommend against using CAPTCHAs unless you really need it. Why?

1. 这很丑.
2. 这对您的用户来说很烦.您不应该让他们跳入箍来使用您的网站.

有些替代方法非常简单，非常有效，并且对 _{(几乎所有)} 用户是完全透明的.

There are some alternatives which are very simple, can be very effective and are entirely transparent to _{(almost all)} users.

1. 蜜罐字段:使用通用名称(例如网站")向表单中添加一个字段.在它旁边，添加一个标签，说明请勿在此框中书写".使用Javascript隐藏输入和标签.收到表单提交后，如果该字段中有任何内容，请拒绝输入.

1. Honeypot fields: add a field to your forms with a common name like "website". Beside it, add a label saying something to the effect of "don't write in this box". Using Javascript hide the input and label. When you receive a form submission, if there's anything in the field, reject the input.

使用JS的用户将不会看到它，并且会很好.没有JS的用户将只需要遵循简单的说明. Spambots会为之倾倒并展现自己.

Users with JS won't see it and will be fine. Users without JS will just have to follow the simple instruction. Spambots will fall for it and reveal themselves.

自动仿造CAPTCHA :与上面的类似.添加带有标签的输入字段，其标签为 写'Alex'" (例如).使用Javascript(并知道大多数自动垃圾邮件机器人都不会运行JS)，隐藏该字段，并在其中填充"Alex".如果提交的表单中没有魔术字，请忽略它.

Automatic faux-CAPTCHA: This is similar to the above. Add an input field with a label saying "Write 'Alex'" (for example). Using Javascript (and knowing that most automated spam bots won't be running JS), hide the field and populate it with 'Alex'. If the submitted form doesn't have the magic word there, then ignore it.

使用JS的用户将不会看到它，并且会很好.没有JS的用户将只需要遵循简单的说明. Spambots不知道该怎么办，您可以忽略他们的输入.

Users with JS won't see it and will be fine. Users without JS will just have to follow the simple instruction. Spambots won't know what to do and you can ignore their input.

这将使您免受99.9％的自动垃圾邮件机器人的攻击.即使有丝毫的改变，它也不会保护您免受有针对性的攻击.有人可以自定义其漫游器以避免蜜罐或始终填写正确的值.

This will safeguard you from 99.9% of automated spam bots. What it won't do, even in the slightest, is safeguard you against a targeted attack. Someone could customise their bot to avoid the honeypot or always fill in the correct value.

关于蛮力阻止:很明显，服务器端解决方案是唯一可行的方法.对于我当前的项目之一，我实施了蛮力保护系统，该系统与您所描述的非常相似.它基于用于CakePHP的 Brute Force Protection插件.

Regarding Brute Force blocking: A server-side solution is the only viable way to do this obviously. For one of my current projects, I implemented a brute force protection system very similar to what you describe. It was based on this Brute Force Protection plugin for CakePHP.

该算法非常简单，但一开始有点令人困惑.

The algorithm is fairly simple, but a little confusing initially.

1. 用户请求某些操作(例如，重置密码)
2. 运行:DELETE * FROM brute_force WHERE expires < NOW()

3. 运行:

1. User requests some action (reset password, for example)
2. Run: DELETE * FROM brute_force WHERE expires < NOW()

3. Run:

SELECT COUNT(*) FROM brute_force 
WHERE action = 'passwordReset'
AND ip = <their ip address>

如果计数大于X，请告诉他们等待一段时间.

否则，运行:

If the count is greater than X then tell them to wait a while.

Otherwise, run:

INSERT INTO brute_force (ip, action, expires)
VALUES (<their ip address>, 'passwordReset', NOW() + Y minutes)

继续使用重置密码功能.

这将允许用户仅在Y分钟内尝试X次重置密码.根据需要调整这些值.也许5分钟内3次重置?此外，每个动作可能具有不同的值:对于某些事情(例如，生成PDF)，您可能希望在10分钟内将其限制为10.

This will allow users to only try resetting a password X times in Y minutes. Tweak these values as you see fit. Perhaps 3 resets in 5 minutes? Additionally, you could have different values for each action: for some things (eg: generate a PDF), you might want to restrict it to 10 in 10 minutes.

这篇关于PHP:防洪/垃圾邮件系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！