Relative advantages of blacklisting IP addresses and blocking accounts

We are developing a security system to prevent brute force attacks on your account.

One of the proposed options is an IP blacklist. If an IP address tries to log in too many times, any further attempts from this IP address are blocked for a certain time.

Another option is the more traditional account lockout: too many attempts on an account lock it until the password is reset.

The problem with the first approach is customer service: if a legitimate user calls in, they just have to wait it out, since their IP address is blacklisted for a period of time.

The problem with the second is that it enables a DoS attack: given knowledge of a legitimate username, anyone can enter wrong passwords to lock that user out.

What experience have you had in different approaches to preventing brute force attacks on user accounts?

+3
4 answers


captcha (http://www.theinquirer.net/inquirer/news/1040158/captchas-easily-hackable).


+2



import time

def login(user, password, failed_attempts, last_attempt):
    # after more than 5 failures, insist on a 30 second pause between attempts;
    # otherwise (and once the pause has passed) the login is checked as usual
    if failed_attempts > 5 and time.time() - last_attempt < 30:
        raise PermissionError("You must wait 30 seconds before your next login attempt")
    return authenticate(user, password)


+1


The problem with blocking the user is that someone can automate this type of attack to cause a DoS by denying all users access to the resource. So, without IP address blocking as well, it is not useful.

Btw, see http://www.ossec.net . It automates "active responses" based on any type of log, with a short blocking period (10 minutes) to avoid these problems.

+1
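Combining the two surviving suggestions above (a 30 second pause after five failures instead of an account lockout, and a short temporary block per source address like OSSEC's 10 minute window), here is an added Python sketch that is not from any of the answers. The per-source threshold of 20 failures, the 10 minute pause, and the `verify` callback standing in for the site's own password check are assumptions.

```python
import time
from collections import defaultdict

ACCOUNT_FAILS, ACCOUNT_WAIT = 5, 30    # per account: 5 failures, then a 30 s pause (from the answer)
SOURCE_FAILS, SOURCE_WAIT = 20, 600    # per source IP: 20 failures, then a 10 min pause (assumed)


class LoginThrottle:
    """Slow down guessing per account and per source address, with no permanent lockout.

    A flood of wrong passwords for one username can delay that user by at most
    ACCOUNT_WAIT seconds; it can no longer lock the account until a password reset.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                               # injectable for testing
        self.accounts = defaultdict(lambda: [0, 0.0])    # user -> [failures, last failure time]
        self.sources = defaultdict(lambda: [0, 0.0])     # ip -> [failures, last failure time]

    @staticmethod
    def _wait(bucket, limit, window, now):
        """Seconds still to wait for this bucket, or 0 if the attempt may proceed."""
        fails, last = bucket
        if fails >= limit and now - last < window:
            return window - (now - last)
        if now - last >= window:          # window has passed: forget the old failures
            bucket[0] = 0
        return 0

    def attempt(self, user, ip, password, verify):
        """Return ('wait', seconds), ('denied', 0) or ('ok', 0)."""
        now = self.clock()
        wait = max(self._wait(self.sources[ip], SOURCE_FAILS, SOURCE_WAIT, now),
                   self._wait(self.accounts[user], ACCOUNT_FAILS, ACCOUNT_WAIT, now))
        if wait:
            return ("wait", round(wait))
        if verify(user, password):
            self.accounts[user] = [0, now]           # success clears the account counter only
            return ("ok", 0)
        for bucket in (self.accounts[user], self.sources[ip]):
            bucket[0] += 1                           # count the failure for both the account
            bucket[1] = now                          # and the source address
        return ("denied", 0)
```

Note that a legitimate user caught in the 30 second pause is told how long to wait rather than being locked out, while a single address cycling through many usernames hits the per-source pause even though no individual account reaches its threshold.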

Source: https://habr.com/ru/post/1731475/
