1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Brute force attack

Discussion in 'C#' started by nari, Jun 25, 2006.

  1. #1
    Hi there,
    How can I protect the username & password fields against brute force attack in ASP page?

    Thank you
    SEMrush
     
    nari, Jun 25, 2006 IP
    SEMrush
  2. pher

    pher Well-Known Member

    Messages:
    403
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    125
    #2
    Possibly the best way to prevent brute force attacks on your login screen is to do an account lockout after x failed attempts. You can block on IP or on account.

    Also, its wise to sanitize your inputs to prevent SQL injection.
    (read me) if you care.
     
    pher, Jun 25, 2006 IP
  3. nari

    nari Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    With many thanks for your reply. Is there any script or tutorial in this regard?
     
    nari, Jun 26, 2006 IP
  4. pher

    pher Well-Known Member

    Messages:
    403
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    125
    #4
    Here's a good article describing brute force attacks in general and the pros and cons of locking out an account:

    https://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php

    It should give you ideas on alternative methods as well.

    As far as implementation, I don't know of any samples or pre-existing code. You can search google for that. But I can give you a basic idea of what you can do (just an option).

    1. Cleanse all your data before it is submitted. You can do this with functions in your ASP code. Make sure your usernames and passwords are X amount of characters and either numeric or non numeric.

    2. When a visitor tries to login, grab their IP address and store that into a temporary Sessions table. On each login failure, store the IP address in that temp table. After x failed attempts, move that IP into a new table for locked accounts. If the login attempt is successful, then clear the records on the temp table.

    3. Once an account is banned, you can simply disable access to the login portion of the site.

    You can add code to clear out bans after a certain duration.

    Hope this helps. Good luck.
     
    pher, Jun 26, 2006 IP
  5. nari

    nari Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    The points you mentioned were effective and very useful for me.
    Your help is highly appreciated.
     
    nari, Jun 26, 2006 IP
  6. vectorgraphx

    vectorgraphx Guest

    Messages:
    545
    Likes Received:
    16
    Best Answers:
    0
    Trophy Points:
    0
    #6
    blocking via IP address has advantages and disadvantages. for example, i wrote a script for our vendors to use to log in and check their order status/tender a new order etc., and there are several people in my building (corporate hq with over 600 employees) who access the internet via a single connection. i think it's a T3. anyway, the way they have it set up, to the outside world, we all look like we've got the same IP addresses. to make a long and most likely duller-by-the-word story short, anytime ONE person in the building got their account "locked out", everyone in the building got "locked out" as well, which as you can imagine, posed significant problems, as I myself found.... myself (austin powers flashback there) locked out as well unfortunately and had to go directly to the DB to reset the flag on the IP address and let myself back in.

    So if you're going to do this, you MAY (or may not, consider your specific needs and client base) need to consider locking out a combination of username AND IP address. Also, seriously consider a 3-strikes you're out type thing, as well as a 15 minute (arbitrary amount, make it 10 or 30 or whatever) until the account is automagically "unlocked". that way you're not having to wake up at 3 am and let your boss in to the system (why do bosses always do their work at 3 am?) a 10-15 minute delay in the auto-re-enabling the account will protect you from brute force attacks. Brute force attacks = several thousand attempts a minute. Whereas 3 tries every 15 minutes will take a LONG DAMN TIME to crack the code, even for Dan Brown. ESPECIALLY if Ron Howard is directing it.

    HTH

    VG
     
    vectorgraphx, Jun 27, 2006 IP