Date: 04/27/00
- Next message: Kristian Koehntopp: "Re: [phplib] How to add to PHPLIB"
- Previous message: Kristian Koehntopp: "Re: [phplib] Requested test plus traceroute"
- In reply to: Max A. Derkachev: "Re: [phplib] Disallowing infinite incorrect passwords"
- Next in thread: Max A. Derkachev: "Re[2]: [phplib] Disallowing infinite incorrect passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In netuse.lists.phplib you write:
>Well, I guess this could be done, but the conditions would be very
>restrictive. How do you intend to catch a user (I mean a real world user
>- a human - not a login) who's trying to crack someone's password?
You are dealing with users who have not successfully
authenticated themselves here, so you cannot actually do
something with those users - they may not even be users in the
sense that they have a valid account on your system. The only
thing you have on your system is the account they try to break
into.
What you would do to implement this kind of security mechanism
is
- extend the auth_users table with a field "p_inv_login"
or something, which you set to zero. Each time an
authentication attempt succeeds for that login, you reset that
field to zero. Each time an authentication attempt fails for
that login, you increment that field. These operations have to
be done in your Auth::auth_validatelogin() function.
- Auth::auth_validatelogin() will return false, if the
p_inv_login is larger than a configurable limit and
p_perm is not a special superuser permission (this is
done so that administrator accounts cannot be locked
out).
Implementing this mechanism opens you to denial of service
against all accounts where the account name is publicly known.
You will probably want to implement an alert mechanism which
sends mail to an administrator informing them about the account
locking as soon as some p_inv_login crosses the boundary.
Also, you will probably want to create a kind of wtmp table,
which can be used as an auditing trail for logins, recording IP
numbers, user agent identifiers, times and other information
relevant to a user authentication.
Kristian
---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
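The mechanism described in the message above (counter field on the account, reset on success, incremented on failure, lockout above a limit with a superuser exemption, an alert when the limit is crossed, and a wtmp-style audit table), modelled as a stand-alone script. This is an added example, not PHPLIB code and not from the post: the table layout, the limit of 3, the "admin" permission name, the unlock() reset, the sample accounts, the password hashing and the IP addresses are all assumptions made here. The main block plays the denial of service the post warns about: someone who merely knows the account name locks it.

```python
import hashlib
import hmac
import sqlite3
import time

# Both values are assumptions for this example, not PHPLIB defaults.
INV_LOGIN_LIMIT = 3        # refuse logins once p_inv_login is larger than this
SUPERUSER_PERM = "admin"   # p_perm value that is never locked out

# Constructed sample accounts. SHA-256 is used only to keep the example
# self-contained; PHPLIB of that era stored passwords differently.
SAMPLE_USERS = [("kris", "correct horse", "admin"), ("max", "battery staple", "user")]

ALERTS = []  # stand-in for "send mail to an administrator"

def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def open_db():
    """auth_users with the p_inv_login counter, plus a wtmp-style audit table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE auth_users (username TEXT PRIMARY KEY, password TEXT NOT NULL,
                                 p_perm TEXT NOT NULL, p_inv_login INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE wtmp (ts INTEGER NOT NULL, username TEXT NOT NULL, ip TEXT,
                           user_agent TEXT, result TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO auth_users (username, password, p_perm) VALUES (?, ?, ?)",
                   [(u, pw_hash(p), perm) for u, p, perm in SAMPLE_USERS])
    return db

def record(db, username, ip, user_agent, result):
    """One audit row per authentication attempt, successful or not."""
    db.execute("INSERT INTO wtmp (ts, username, ip, user_agent, result) VALUES (?, ?, ?, ?, ?)",
               (int(time.time()), username, ip, user_agent, result))

def alert_admin(username, count):
    ALERTS.append(f"{username}: locked after {count} consecutive failed logins")

def auth_validatelogin(db, username, password, ip="", user_agent=""):
    """Return the username on success, False otherwise.

    Models the logic the post describes for PHPLIB's Auth::auth_validatelogin():
    reset p_inv_login on success, increment it on failure, and refuse logins once
    it exceeds INV_LOGIN_LIMIT unless p_perm is the superuser permission.
    """
    row = db.execute("SELECT password, p_perm, p_inv_login FROM auth_users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        record(db, username, ip, user_agent, "unknown-user")
        return False
    stored, perm, inv = row
    exempt = perm == SUPERUSER_PERM
    if inv > INV_LOGIN_LIMIT and not exempt:
        # Locked: refuse even the right password and leave the counter alone,
        # so only unlock() (the administrator's reset) clears the lock.
        record(db, username, ip, user_agent, "locked")
        return False
    if hmac.compare_digest(stored, pw_hash(password)):
        db.execute("UPDATE auth_users SET p_inv_login = 0 WHERE username = ?", (username,))
        record(db, username, ip, user_agent, "ok")
        return username
    inv += 1
    db.execute("UPDATE auth_users SET p_inv_login = ? WHERE username = ?", (inv, username))
    record(db, username, ip, user_agent, "bad-password")
    if inv == INV_LOGIN_LIMIT + 1 and not exempt:
        alert_admin(username, inv)  # fires once, exactly when the boundary is crossed
    return False

def unlock(db, username):
    """Administrator's reset after an alert; assumed here, not described in the post."""
    db.execute("UPDATE auth_users SET p_inv_login = 0 WHERE username = ?", (username,))

def invalid_login_count(db, username):
    return db.execute("SELECT p_inv_login FROM auth_users WHERE username = ?",
                      (username,)).fetchone()[0]

def audit_trail(db, username):
    """(ip, result) per attempt, oldest first: shows which address locked the account."""
    return db.execute("SELECT ip, result FROM wtmp WHERE username = ? ORDER BY rowid",
                      (username,)).fetchall()

if __name__ == "__main__":
    db = open_db()
    # The denial of service the post warns about: anyone who knows the name
    # "max" can lock the account with INV_LOGIN_LIMIT + 1 wrong passwords.
    for _ in range(INV_LOGIN_LIMIT + 1):
        auth_validatelogin(db, "max", "guess", ip="203.0.113.9", user_agent="curl")
    print(auth_validatelogin(db, "max", "battery staple", ip="198.51.100.2"), ALERTS)
    print(audit_trail(db, "max"))
```

Two things the script makes visible that the description alone does not: the counter belongs to the account, not to the attacker, so a name that does not exist gets no counter and only real accounts can be locked; and because nothing but a successful login resets the counter, a locked account stays locked until an administrator intervenes, which is exactly why the alert and the wtmp rows (here: four failures from 203.0.113.9, then the real owner refused from 198.51.100.2) are part of the design rather than optional extras.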