防止暴力登录网站 [英] Preventing Brute Force Logins on Websites

问题描述

作为对最近推特劫持和Jeff 关于字典攻击的帖子，保护您的网站免受暴力攻击的最佳方法是什么登录攻击?

As a response to the recent Twitter hijackings and Jeff's post on Dictionary Attacks, what is the best way to secure your website against brute force login attacks?

Jeff 的帖子建议为每次尝试登录增加延迟，并且评论中的建议是在第二次尝试失败后添加验证码.

Jeff's post suggests putting in an increasing delay for each attempted login, and a suggestion in the comments is to add a captcha after the 2nd failed attempt.

这两个似乎都是好主意，但是您怎么知道尝试次数"是多少呢?您不能依赖会话 ID(因为攻击者每次都可以更改它)或 IP 地址(更好，但容易受到僵尸网络的攻击).简单地根据用户名记录它，使用延迟方法，可以锁定合法用户(或至少使他们的登录过程非常缓慢).

Both these seem like good ideas, but how do you know what "attempt number" it is? You can't rely on a session ID (because an attacker could change it each time) or an IP address (better, but vulnerable to botnets). Simply logging it against the username could, using the delay method, lock out a legitimate user (or at least make the login process very slow for them).

想法?建议?

推荐答案

我认为给定帐户(1-5 分钟)的数据库持久锁定期是处理此问题的唯一方法.数据库中的每个 userid 都包含一个 timeOfLastFailedLogin 和 numberOfFailedAttempts.当 numbeOfFailedAttempts > 时X 你锁定了几分钟.

I think database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts. When numbeOfFailedAttempts > X you lockout for some minutes.

这意味着您将有问题的 userid 锁定一段时间，但不是永久锁定.这也意味着您要为每次登录尝试更新数据库(当然，除非它被锁定)，这可能会导致其他问题.

This means you're locking the userid in question for some time, but not permanently. It also means you're updating the database for each login attempt (unless it is locked, of course), which may be causing other problems.

亚洲至少有一个国家进行了 NAT，因此 IP 不能用于任何用途.

There is at least one whole country is NAT'ed in asia, so IP's cannot be used for anything.

这篇关于防止暴力登录网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！