On Mon, 20 Aug 2007 18:43:48 -0400 Peter Kay <[EMAIL PROTECTED]> wrote:
> Thomas Bley wrote:
> > Hello,
> >
> > I propose two things:
> > - bind the session to the remote IP address and the user agent
> > - restrict a login from a remote IP address if there are more than 5 bad
> > logins within the last 2 hours
> >
> > What do you think?
>
> An alternative approach is to double a "sleep" for each time a login
> fails. I'm not sure how good an idea having a webserver sleep is, tho.
>
> As someone who routinely forgets his passwords, I have to say that I'd
> like a little more forgiving a way to do this :)
>
> --Peter

sleep() is very bad for the server, i.e. it causes PHP threads to wait, and the maximum number of threads on a machine is limited.

IMO, 2 hours after 5 bad attempts is too much. It would be better to start acting only if there are more than 3-5 bad login attempts in one minute (from the same IP). And if there are, it would be reasonable to block access to the auth facility for ~3 minutes and reset the bad-attempt count. In such a case the attacker could never do more than ~75 passwords/h from the same IP, which is much better than 2000 passwords/h (which is what I have in my logs).

-- 
Algardas
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
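An implementation of the per-IP throttle Algardas describes (count bad logins per source IP inside a one-minute window, close the auth facility to that IP for three minutes once the threshold is reached, reset the count), added here as an example that is not part of the thread and not PmWiki's own code. PmWiki is PHP; Python is used only because the logic is language-neutral and this version can be run directly. The class and function names, the default parameters (5 failures within 60 s, 180 s block), the `now` argument used to make the timing testable, and the TEST-NET addresses are all assumptions constructed for the example. It also includes a one-hour simulation of an attacker hammering from a single IP, which gives the exact guess ceiling the throttle imposes for whatever parameters you pick.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source-IP login throttle (example implementation, not PmWiki's).

    Bad logins are remembered per IP inside a sliding window of `window`
    seconds.  When `max_failures` of them fall inside the window, the auth
    facility is closed to that IP for `block_seconds` and the count is reset.
    While blocked, the credential check is never run, so a refused request
    costs the server almost nothing (the point of preferring this to sleep()).
    """

    def __init__(self, max_failures=5, window=60, block_seconds=180):
        self.max_failures = max_failures
        self.window = window
        self.block_seconds = block_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent bad logins
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self._blocked_until[ip]  # the block has expired; forget it
        return False

    def attempt(self, ip, verify, now=None):
        """Handle one login attempt from `ip`.

        `verify` is the real credential check (a callable returning True on
        success); it is only invoked when the IP is not blocked.
        Returns 'blocked', 'ok' or 'bad-password'.
        """
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return "blocked"          # refused without evaluating the password
        if verify():
            self._failures.pop(ip, None)  # a good login clears the history
            return "ok"
        recent = self._failures[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()          # failures older than the window no longer count
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            self._failures.pop(ip, None)  # reset the bad-attempt count
        return "bad-password"


def guesses_per_hour(max_failures=5, window=60, block_seconds=180):
    """Simulate an attacker on one IP sending a wrong password every second
    for an hour and count how many guesses were actually evaluated.
    The attacker address is a constructed TEST-NET-3 example."""
    throttle = LoginThrottle(max_failures, window, block_seconds)
    attacker = "203.0.113.7"
    evaluated = 0
    for second in range(3600):
        if throttle.attempt(attacker, lambda: False, now=second) == "bad-password":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for threshold in (3, 4, 5):
        print(f"{threshold} failures then {180}s block: "
              f"{guesses_per_hour(max_failures=threshold)} guesses/hour")
```

Two things to keep in mind before putting something like this in front of a real login page. First, the state has to live somewhere shared between PHP processes (a file or database keyed by IP), since a per-process in-memory table like the dictionaries above is reset on every request; the wrapper should also read the client address from the connection, not from a header the client controls. Second, the lockout is keyed on the source address, so it does nothing against an attacker spreading guesses over many addresses, and it does lock out every legitimate user behind the same NAT or proxy as a clumsy typist, which is exactly the "more forgiving" concern raised earlier in the thread; pairing it with a slower per-account counter is the usual compromise. With 5 failures followed by a 3 minute block the simulation evaluates 100 guesses an hour from one address; with 3 failures it is 60.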
