Comments on: Simple brute force protection with APC http://www.jasny.net/articles/simple-brute-force-protection-with-apc/ It's all about me, mysql and Einstein. Wed, 08 Sep 2010 17:54:42 +0100 http://wordpress.org/?v=2.8.4 hourly 1 By: xLight http://www.jasny.net/articles/simple-brute-force-protection-with-apc/comment-page-1/#comment-8028 xLight Sat, 22 Dec 2007 04:36:04 +0000 http://blog.adaniels.nl/?p=57#comment-8028 oh, a good idea . use APC as a cache oh, a good idea . use APC as a cache

]]> By: Andrew Magruder http://www.jasny.net/articles/simple-brute-force-protection-with-apc/comment-page-1/#comment-4714 Andrew Magruder Sun, 14 Oct 2007 00:30:54 +0000 http://blog.adaniels.nl/?p=57#comment-4714 You'll want to be careful with doing this thing just on IP basis, because once you get sufficient loading you'll essentially perma-block AOL customers (as one example ISP) because they all pretty much show up as a very small set of IPs. More information here: http://webmaster.info.aol.com/proxyinfo.html The net result is a moderate-to-high load implementation of this needs to support varying threshold levels on a per IP basis. Wikipedia has a good list of widely used ISP proxy IPs as well. They've managed to get most folks to set the XFF-Forwarded-For header but that's still a bit dicey to rely on. Another idea that I've seen used with some success is simply slowing down response times for IPs which have high failure rates, instead of outright blocking them. (You can cut their throughput by 3-4x without significant user experience issues.) Andrew You’ll want to be careful with doing this thing just on IP basis, because once you get sufficient loading you’ll essentially perma-block AOL customers (as one example ISP) because they all pretty much show up as a very small set of IPs. More information here: http://webmaster.info.aol.com/proxyinfo.html

The net result is a moderate-to-high load implementation of this needs to support varying threshold levels on a per IP basis. Wikipedia has a good list of widely used ISP proxy IPs as well. They’ve managed to get most folks to set the XFF-Forwarded-For header but that’s still a bit dicey to rely on.

Another idea that I’ve seen used with some success is simply slowing down response times for IPs which have high failure rates, instead of outright blocking them. (You can cut their throughput by 3-4x without significant user experience issues.)

Andrew

]]> By: Arnold Daniels http://www.jasny.net/articles/simple-brute-force-protection-with-apc/comment-page-1/#comment-4687 Arnold Daniels Sat, 13 Oct 2007 16:54:04 +0000 http://blog.adaniels.nl/?p=57#comment-4687 Yes I have that in my own code, but I failed to put it in this sniplet. Yes I have that in my own code, but I failed to put it in this sniplet.

]]> By: Jorrit Schippers http://www.jasny.net/articles/simple-brute-force-protection-with-apc/comment-page-1/#comment-4679 Jorrit Schippers Sat, 13 Oct 2007 14:38:17 +0000 http://blog.adaniels.nl/?p=57#comment-4679 Would it be an idea to clear the blocked count when a login has been successfull? Would it be an idea to clear the blocked count when a login has been successfull?

]]> By: Arnold Daniels http://www.jasny.net/articles/simple-brute-force-protection-with-apc/comment-page-1/#comment-4655 Arnold Daniels Sat, 13 Oct 2007 12:52:49 +0000 http://blog.adaniels.nl/?p=57#comment-4655 My friend and ex-employer <a href="http://www.bean-it.nl" rel="nofollow">Dirk Bonenkamp</a>, came with a slight improvement for this scheme. Blocking an IP might effect a whole office which can be annoying. Starting with a low timeout and increasing it each time an IP is blocked will help against it. I've changed to article to include this solution. My friend and ex-employer Dirk Bonenkamp, came with a slight improvement for this scheme. Blocking an IP might effect a whole office which can be annoying. Starting with a low timeout and increasing it each time an IP is blocked will help against it.

I’ve changed to article to include this solution.

]]>