Node.js 蛮力预防 [英] Node.js brute force prevention

问题描述

我有一个在 Heroku 上运行的 MERN 堆栈项目，今天有人开始用许多登录请求(蛮力)淹没我的服务器.每个请求都有不同的 IP 地址，因此我无法阻止该 IP.这导致网站中断.

I have a MERN stack project running on Heroku, today someone has started to flood my server with many login requests (brute force). Every request has a different IP address so I cannot block the IP. This has caused a website outage.

那我怎样才能阻止它?如何只允许使用我的网站登录?

How can I block it then? How can I allow login only using my website?

推荐答案

您会看到许多登录页面使用的典型解决方案是需要类人交互且脚本难以复制的几种技术之一.

A typical solution you will see used by many login pages is one of several techniques that require human-like interaction and are hard for scripts to duplicate.

您肯定看到了验证码系统，它要求用户解释某些图像计算机分析起来并不容易或不实用.

You have, for sure, seen the captcha systems that ask the user to interpret some image that is not easy or practical for computers to analyze.

还有一个无验证码系统要求用户用鼠标单击屏幕上的特定位置，然后它会分析运动以查看它是否看起来像人类.这些通常显示为点击我不是机器人".

There is also a no-captcha system that asks the user to click a particular spot on the screen with the mouse and it analyzes the movement to see if it appears human-like. These are often shown as a click on "I'm not a robot".

许多网站(如一些美国航空公司和一些金融网站)现在要求用户设置挑战".问题(例如:你出生在哪里?"或你最喜欢的冰淇淋口味是什么?")，如果登录请求没有为该用户预先放置签名 cookie(或其他熟悉的浏览器检测指标)，那么在您甚至可以尝试登录之前都需要质询问题.

Many sites (like some U.S. airlines and a number of financial sites) now require the user to set up "challenge" questions (like: "Where were you born?" or "What's your favorite ice cream flavor?") and if a login request arrives without a previous placed signed cookie for this user (or other familiar browser detection metrics), then the challenge question is required before you can even attempt a login.

一种更严厉的方法(可能对最终用户产生更大的影响)是跟踪每个帐户的失败登录尝试，在达到一定数量后，您开始减慢响应速度(这会减慢攻击者系统的速度)) 并且在多次失败的响应之后，您会立即拒绝每个请求，并要求最终用户通过发送到其注册电子邮件地址的电子邮件消息来确认他们的登录请求.这给最终用户带来了不便，但可以防止在没有最终用户确认的情况下对任何个人帐户进行 N 次以上的猜测.一段时间后，您可以清除任何给定帐户的先前登录尝试次数，使其重新正常工作.

A more draconian approach (that could have more of an impact on the end-user) is to keep track of failed login attempts per account and after a certain number, you start slowing down the responses (this slows down the attackers systems) and after some higher number of failed responses, you immediately fail every request and require the end-user to confirm their login request via an email message sent to their registered email address. This is an inconvenience for the end-user, but prevents more than N guesses on any individual account without end-user confirmation. After some period of time, you can clear the prior login attempt numbers for any given account, freeing it up to work normally again.

这篇关于Node.js 蛮力预防的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！