Block request for multiple unsuccessful logins for a period of time


Problem description

I have a web site and I want to block requests from bots and attempts to brute-force login to my web site.

Now I'm using Session for storing login attempts and showing a captcha after 3 unsuccessful logins, but there is a problem: the Session will be removed if the user closes the browser.

What kind of solution should I consider to prevent bots and brute-force logins? What property of the user's system or browser should I store to manage his/her next login?

Edit 1)

I don't use the ASP.NET Membership provider. I'm using my own authentication and authorization classes.

Recommended answer

You can't use session, as it requires the client to store a cookie for you, and an attacker is not going to help you out. You will need some global state.

You needn't bother tracking IP addresses, as a bad guy will just use an anonymizing proxy.

Don't use account lock-out unless you have to (PCI requirement), as this just lets the attacker DoS your users.

You also want to avoid DoS-ing yourself by making your server do too much work.

This works:

Upon unsuccessful authentication, store the username in global state, along with a count. Synchronized count++ on further unsuccessful authentications with that username. I use Redis for this.

If count >= threshold, then demand solved CAPTCHA value before proceeding. Show CAPTCHA on login screen.

Upon successful authentication, clear stored username in global state. Give user "trusted user agent" HMAC'd cookie, so they don't have to CAPTCHA in the future for that username on that UA.

You can do the same for passwords, but probably with a higher threshold.

If you don't like CAPTCHA then demand Proof of Work, for example by making the client calculate and submit the prime factors of a very large number.

While you're at it, make sure you are using bcrypt to hash your passwords, and that the cost factor is high enough that it takes >= 250ms to hash a password. This slows down your server but also slows down an attacker. Avoid hashing unless they pass the CAPTCHA (if required).

Encourage users to use long, complicated, memorable? passwords, so that they're harder to brute-force.
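A minimal implementation of the flow in this answer, as an added example that is not code from the original post: a per-username failure counter in a dict standing in for Redis, a CAPTCHA gate once the count reaches the threshold, no password hashing until that gate is passed, and an HMAC'd "trusted user agent" cookie issued on success. The user table, salt, cookie key and the use of PBKDF2 in place of bcrypt are assumptions.

```python
import hashlib
import hmac

THRESHOLD = 3  # failures per username before a CAPTCHA is demanded (constructed value)

class LoginGuard:
    """Count failures per username in global state, demand a CAPTCHA past a
    threshold, skip the expensive hash until the CAPTCHA is passed, and give a
    successful user an HMAC'd trusted-UA cookie that bypasses the CAPTCHA."""

    def __init__(self, users, cookie_key):
        self.users = users            # username -> (salt, password hash)
        self.cookie_key = cookie_key  # server-side secret for the cookie HMAC
        self.failures = {}            # stands in for Redis INCR/DEL keyed by username

    @staticmethod
    def hash_password(password, salt, iterations=100_000):
        # PBKDF2 stands in for bcrypt; tune the cost so one hash takes >= 250 ms in production.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def trusted_cookie(self, username, user_agent):
        msg = f"{username}\x00{user_agent}".encode()
        return hmac.new(self.cookie_key, msg, "sha256").hexdigest()

    def captcha_required(self, username, user_agent, cookie):
        if self.failures.get(username, 0) < THRESHOLD:
            return False
        if cookie and hmac.compare_digest(cookie, self.trusted_cookie(username, user_agent)):
            return False  # valid trusted-UA cookie: no CAPTCHA for this username on this UA
        return True

    def login(self, username, password, user_agent, cookie=None, captcha_solved=False):
        """Returns ("captcha", None), ("fail", None) or ("ok", trusted_cookie)."""
        if self.captcha_required(username, user_agent, cookie) and not captcha_solved:
            return "captcha", None  # refuse before hashing so a bot cannot burn server CPU
        # Unknown usernames still get hashed and counted, so they are not distinguishable.
        salt, stored = self.users.get(username, (b"no-such-user", b""))
        if not hmac.compare_digest(self.hash_password(password, salt), stored):
            self.failures[username] = self.failures.get(username, 0) + 1
            return "fail", None
        self.failures.pop(username, None)  # success clears the global counter
        return "ok", self.trusted_cookie(username, user_agent)

def make_guard():
    # Constructed sample user and secrets for demonstration only.
    salt = b"constructed-salt"
    users = {"alice": (salt, LoginGuard.hash_password("correct horse", salt))}
    return LoginGuard(users, b"constructed-cookie-key")
```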
