OJJE
Starting Member
Bahamas
15 Posts
Posted - 27 May 2009 : 15:23:56
Hi,
I'm in big need of help to tackle some hacking attempts made by persons hiding behind anonymous online proxies and trying to hack various user accounts on my forum by trying to guess the passwords.
My logfiles are full of unsuccessful login attempts from various IPs. Is there a MOD or some code that I could implement in my Snitz 3.4.06 forum so that the IP is blocked (not the user account) from the forum after 3 failed login attempts?
I'm using MySQL as the database.
Edited by - Shaggy on 29 May 2009 04:30:52
bobby131313
Senior Member
USA
1163 Posts
Posted - 27 May 2009 : 15:44:36
It could likely be done, but it's dangerous. If an AOL user screws up logging in, you could automagically ban hundreds of members.
Switch the order of your title tags
OJJE
Starting Member
Bahamas
15 Posts
Posted - 27 May 2009 : 16:07:06
That's not a problem for us in this case. We only have members from the Nordic countries, and if an IP is banned, we have admins who will make a check and see if the IP is legitimate or belongs to a proxy server, and the banned user has the possibility to send a request to have it unblocked.
We do not have ISPs that route their customers through a proxy server so that they all share the same IP.
(Checked my logfile now and the anonymous user is back through a new proxy server and pounding away at the login page trying to hack.)
quote: Originally posted by bobby131313
It could likely be done, but it's dangerous. If an AOL user screws up logging in, you could automagically ban hundreds of members.
Edited by - OJJE on 27 May 2009 16:13:49
AnonJr
Moderator
United States
5768 Posts
Posted - 28 May 2009 : 09:31:40
Maybe less of a ban and more of some sort of rate limiting?
While looking at a white paper on CAPTCHAs I randomly thought of your problem and this Coding Horror article. I don't have any code handy, nor do I have the time to write this up at the moment, but one avenue to look down would be to record the number of attempts on a given account and, after x failed attempts, pose a gatekeeper question or start progressively delaying the response time between submission and notification. Just a random thought.
Addendum: it may be easier to tie it into the existing flood control mechanisms...
Edited by - AnonJr on 28 May 2009 09:33:32
OJJE
Starting Member
Bahamas
15 Posts
Posted - 28 May 2009 : 12:28:51
A flood control would be the perfect solution, so that the user has to wait 1 minute before he can try to log in again. The use of regular cookies would not work because many of the online proxy servers block cookies. I'm thinking of using session cookies instead and making some sort of check with now() > last attempt or something. Where in the code/file would be the best place to put the login flood control code?
cripto9t
Average Member
USA
881 Posts
Posted - 28 May 2009 : 14:38:51
quote: I'm thinking of using session cookies instead and making some sort of check with now() > last attempt or something. Where in the code/file would be the best place to put the login flood control code?
I read your post this morning and sessions came to my mind too. I got it working by using a subroutine in the chkUser function. I just need to know what to do with them once they reach the limit. My idea is to bypass the chkUser function once they reach the limit and start a fake login process.
Here's what I have:
    Sub chkLoginSession()
        '# counts failed logins in the visitor's session and redirects once the
        '# limit is passed; strSetCookieToForum, strCookieURL and strUniqueID are
        '# the Snitz config.asp globals
        dim intAttempts
        dim strRedirect
        dim blnCookie
        '# number of attempts before being redirected
        intAttempts = 3
        '# url of redirect page
        strRedirect = "default.asp"
        '# set to 1 to drop a cookie
        blnCookie = 1
        '# do not edit below this line
        '# do cookie things: scope the cookie the same way the forum's own cookies are scoped
        if blnCookie = 1 then
            if strSetCookieToForum = 1 then
                Response.Cookies(strUniqueID & "login").Path = strCookieURL
            else
                Response.Cookies(strUniqueID & "login").Path = "/"
            end if
        end if
        '# do session things: start the counter at 1, otherwise add one to it
        if trim(Session(strCookieURL & "login")) = "" then
            Session(strCookieURL & "login") = 1
        else
            if isNumeric(Session(strCookieURL & "login")) = true then
                Session(strCookieURL & "login") = cLng(Session(strCookieURL & "login")) + 1
            else
                '# a non-numeric value means the session value is corrupt; reset it
                Session(strCookieURL & "login") = 1
            end if
        end if
        '# set cookie and redirect once the limit has been passed
        if cLng(Session(strCookieURL & "login")) > intAttempts then
            'if blnCookie = 1 then
                'if trim(Request.Cookies(strUniqueID & "login")) <> "failed" then
                    'Response.Cookies(strUniqueID & "login") = "failed"
                'end if
            'end if
            Response.Redirect(strRedirect)
        end if
    End Sub
As you can see, it redirects to a new page after the limit has been reached. I just want to redirect them to a "log in failed" page, so they think they are still trying to log in legitimately.
quote: The use of regular cookies would not work because many of the online proxy servers block cookies
grrrr... that was part of my plan.
Barring distractions, I should have something by tomorrow.
_-/Cripto9t\-_
Carefree
Advanced Member
Philippines
4207 Posts
Posted - 28 May 2009 : 15:10:29
Why not use a database value? You could post a time of initial login failure, then a second time, then, if a third occurs within a specified period, redirect. No need for cookies at all.
If anyone sees something I've overlooked (or a better approach), please feel free.
This would require creating a table. Save the following in your forum directory as "dbs_hackbar.asp". Run it from the admin console (mod setup).
Append the following to the bottom of "inc_func_common.asp" above the "%>".
Note the portion in red. You'll need to add your own ban or redirect routine. You could lock the account, etc.
You would have to add one more line to "inc_func_common.asp".
Edited by - Carefree on 28 May 2009 15:52:25
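The database approach Carefree describes (timestamp each failure, act when three fall inside a period) combined with AnonJr's per-account counting and progressive delay, as an added example that is not code from this thread or from Snitz. It is written in Python with an in-memory sqlite table standing in for the forum's MySQL table; the 10-minute window, the table layout and the check_credentials callback are assumptions.

```python
import sqlite3

WINDOW_SECONDS = 600   # assumed window: 3 failures within 10 minutes trips the block
MAX_FAILURES = 3

COUNT_SQL = {  # one fixed query per key so no column name is built from input
    "ip": "SELECT COUNT(*) FROM login_failures WHERE ip = ? AND failed_at > ?",
    "member": "SELECT COUNT(*) FROM login_failures WHERE member = ? AND failed_at > ?",
}

def open_db():
    """Constructed stand-in for the MySQL table: one row per failed login."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_failures ("
                 "ip TEXT NOT NULL, member TEXT NOT NULL, failed_at INTEGER NOT NULL)")
    return conn

def failures_in_window(conn, key, value, now):
    """Count failures for one IP (key='ip') or one account (key='member') whose
    timestamp falls inside the window; older rows simply age out of the count."""
    cutoff = now - WINDOW_SECONDS
    return conn.execute(COUNT_SQL[key], (value, cutoff)).fetchone()[0]

def is_blocked(conn, ip, member, now):
    # Block when either the source IP or the target account has hit the limit,
    # so an attacker who moves to a new proxy still trips the per-account count.
    return (failures_in_window(conn, "ip", ip, now) >= MAX_FAILURES or
            failures_in_window(conn, "member", member, now) >= MAX_FAILURES)

def delay_seconds(conn, ip, now):
    """Progressive delay before answering a failure: 0s, then 2s, 4s, ... per prior failure."""
    prior = failures_in_window(conn, "ip", ip, now)
    return 0 if prior == 0 else 2 ** prior   # 1 prior failure -> 2s, 2 -> 4s

def attempt_login(conn, ip, member, password, now, check_credentials):
    """Returns (outcome, delay) with outcome in 'blocked', 'ok', 'failed'.
    The caller sleeps for delay before responding; a success clears the IP's rows."""
    if is_blocked(conn, ip, member, now):
        return "blocked", 0          # no hint whether the password was right
    if check_credentials(member, password):
        conn.execute("DELETE FROM login_failures WHERE ip = ?", (ip,))
        return "ok", 0
    delay = delay_seconds(conn, ip, now)
    conn.execute("INSERT INTO login_failures VALUES (?, ?, ?)", (ip, member, now))
    return "failed", delay
```

A block on the IP alone resets as soon as the attacker switches proxy, which is why the account is counted as well; the window also gives bobby131313's shared-IP case an automatic expiry instead of a permanent ban.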
OJJE
Starting Member
Bahamas
15 Posts
Posted - 31 May 2009 : 09:13:36
Thanks for the code Carefree! I will test it soon. I found something interesting yesterday.
I have the following JavaScript code in the header of my forum:
    <script type="text/javascript">
    if (top.location != self.location)
        top.location = self.location;
    </script>
The funny thing is that all of the online proxy services I have tested today to try to log in to my forum stop the user from logging in through the proxy server.
The script reloads the login page over and over again and stops the user who is surfing through the proxy service from even trying to log in. Many of these proxy services have the option to deactivate JavaScript, but it does not seem to deactivate it on my forum page...
Many of these free online proxy services show ads and iframe pages, and the script tries to break the forum page out of the iframes.
Edited by - OJJE on 31 May 2009 09:25:51
Carefree
Advanced Member
Philippines
4207 Posts
Posted - 31 May 2009 : 11:15:30
You're welcome. Please let me know if you have any problems.
Carefree
Advanced Member
Philippines
4207 Posts
Posted - 31 May 2009 : 11:19:04
You could go an additional step further with this idea. If you lock an account (for example) as a result of 3 failed login attempts, you could have the server automatically email the owner of the account advising him/her to change the password due to the attempted hack.
To include that as a feature, replace the subroutine (middle section of my earlier reply) with the following:
Edited by - Carefree on 31 May 2009 12:01:27