RE: [PHP-DB] Wait Statement... ?
> Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary.

How determined are you ;-) Our product has a brute force attacker in it, and for some protocols, we have to wait a few seconds between each attempt b/c otherwise the protocol blocks you as it considers it a DoS. But the results can finish in several days or even weeks.

> You can still do this on top of the sleep() method. A one second wait isn't going to affect you when you log in to an application.

Sure. If you really want to sleep(1); then go nuts. I was only trying to point out that the sleep(1) is not a really viable way to prevent crackers from doing anything really. Just slow them down.

> The problem with reacting after three failed logins is that it can then be easy to lock other people out of their account. You just have to figure out their username, which usually isn't that hard. Since IP addresses can be spoofed or shared among users of certain ISPs, relying on them isn't adequate, either.

Well, you'd only get 3 attempts to guess a username from a given IP. It takes a lot more work to spoof an IP, and coordinate an attack with several computers. And most crackers aren't trying to lock people out of their account, they're trying to gain access themselves. If I wanted to bring down a server, I'd just DoS it, not waste time locking individual users out one at a time.

Daevid Vincent
Senior Engineer / Architect
two.zero.six.two.eight.five.eight.zero.eight.zero x104

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Wait Statement... ?
I like this idea of longer sleeps for each fail in theory, but it becomes moot if you only allow 3 failed attempts.

-----Original Message-----
From: Tim Van Wassenhove [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 20, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Wait Statement... ?

Every time someone tries to authenticate, you count the number of failures in both queues. The larger the number, the longer the sleep will take. (removing old entries once in a while might speed up things)

Daevid Vincent
Senior Engineer / Architect
two.zero.six.two.eight.five.eight.zero.eight.zero x104
Re: [PHP-DB] Wait Statement... ?
Well, everyone is in big discussion about this, so I figure I'll toss in my worthless 2 cents.

Say your users have a password of like 8 characters, Brutus (used for brute forcing) will tell someone trying to gain access that they'll have better luck asking the person. So the only real threat is like dictionary attacks. So you add an eregi and ask your users to include at least 1 number and/or a special character.. or you have your own dictionary that you check the word against, if it's in your dictionary then you tell the user to select another one.

Brute forcing a password is pass or fail, if the person is determined enough they'll get in. Using a dictionary can work sometimes, script kiddies can whip those out pretty quick and try it. The main anti-passcrack would be a strong password. I usually use a minimum of 8 characters, 1 special character not at the end. And on top of this I also have about 7,000 words/common passes in a MySQL database that I reference.

Of course, you have to remember that you're dealing with users.. as in users... who will make their password their initials and the last 2 digits of their birthday... or they'll make it 112233.

The best way to learn about security on stuff like this is to sit down and try to break into your system, if you can do it locally then that's better, so that you can test it as if someone plugged in on your server's LAN (highly improbable) and anyone that tries to sell you a product for the anti-passcrack is really saying, you don't seem to want to write the 40 lines of code.. so I'll rip you on it.

Shah
Re: [PHP-DB] Wait Statement... ?
sleep( nb of seconds ) ;

----- Original Message -----
From: ..: GamCo :.. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 9:44 AM
Subject: [PHP-DB] Wait Statement... ?

> Hi all,
>
> I would like to add a line of code in PHP that will execute a wait before executing the next set of code. How do I do that?
>
> Regards,
> GM
Re: [PHP-DB] Wait Statement... ?
hhhmmm... ok, I added the sleep() function in my page. What I'm basically doing is:

I have a .php page where people log in from. From there I send the form to another .php page that actually checks the login and registers a session with the username and password as session variables. Then on the page that actually does the validation, I have something that says "validating login..." and a sleep 1 function. Then I have another line that says "validation successful..." and a sleep 1 function, and then I have another line that says "redirecting..." with a sleep 1 function, and then header redirects to the actual logged-in.php file.

The redirect and validation work perfectly, as well as the sleep functions, but it now doesn't display the "validating login... blah blah blah" stuff which is done in normal HTML code...

Any idea?
Re: [PHP-DB] Wait Statement... ?
On Tuesday 20 July 2004 16:56, ..: GamCo :.. wrote:

> ok, I added the sleep() function in my page. What I'm basically doing is:
>
> I have a .php page where people log in from. From there I send the form to another .php page that actually checks the login and registers a session with the username and password as session variables. Then on the page that actually does the validation, I have something that says "validating login..." and a sleep 1 function. Then I have another line that says "validation successful..." and a sleep 1 function, and then I have another line that says "redirecting..." with a sleep 1 function, and then header redirects to the actual logged-in.php file.
>
> The redirect and validation work perfectly, as well as the sleep functions, but it now doesn't display the "validating login... blah blah blah" stuff which is done in normal HTML code...

Why don't you just validate the login and be done with? Why wait 1 second, another second, ... ?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/* There are no accidents whatsoever in the universe. -- Baba Ram Dass */
Re: [PHP-DB] Wait Statement... ?
..: GamCo :.. wrote:

> ok, I added the sleep() function in my page. What I'm basically doing is:
>
> I have a .php page where people log in from. From there I send the form to another .php page that actually checks the login and registers a session with the username and password as session variables. Then on the page that actually does the validation, I have something that says "validating login..." and a sleep 1 function. Then I have another line that says "validation successful..." and a sleep 1 function, and then I have another line that says "redirecting..." with a sleep 1 function, and then header redirects to the actual logged-in.php file.
>
> The redirect and validation work perfectly, as well as the sleep functions, but it now doesn't display the "validating login... blah blah blah" stuff which is done in normal HTML code...

You are very confused. Read the manual page on header(). You can't have any output before you try to redirect with a header().

If you're trying to implement some sort of brute force protection by using sleep(), you're using it in the wrong method, anyhow. Your login processing script should sleep for a second or two whether the login is correct or not and it should be the first thing that it does (i.e. before any output or redirection). If you only sleep() on failures and redirect on good logins, brute force methods can pick up on that and adjust their methods to get around the wait time.

-- 
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals - www.phparch.com
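As an added illustration of what John describes (example code written for this edit, not posted by anyone in the thread), here is a login-processing script where the delay is the first statement, is paid on both outcomes, and nothing is sent to the browser before header(). It assumes PHP 7 or later, a hypothetical $users array standing in for the database lookup, and the page names login.php (assumed) and logged-in.php (from GamCo's description).

```php
<?php
// Added example, not from the thread: a login-processing script laid out as
// John describes. The delay comes FIRST, it is paid whether the login is
// good or bad, and no output is produced before header() redirects.
declare(strict_types=1);

session_start();

// Constant delay before the outcome is known: the response time is the same
// for a good password, a bad password and an unknown username.
sleep(1);

// Hypothetical user store standing in for the MySQL lookup; the hash is
// generated here only so the example is self-contained. A real application
// reads the stored password_hash() output for the user from the database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Hash to verify against when the username does not exist, so an unknown
// user costs the same work as a wrong password.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

// password_verify() always runs; the isset() check only decides the result.
$storedHash = $users[$username] ?? $dummyHash;
$valid = password_verify($password, $storedHash) && isset($users[$username]);

if ($valid) {
    // Fresh session id on privilege change; keep only the username in the
    // session, the password itself is never needed again.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    header('Location: logged-in.php');   // no echo anywhere before this line
    exit;
}

// Same generic answer for a bad password and an unknown user. Any
// "validating login..." text would have to be shown on login.php itself:
// echoing it here is exactly what breaks the header() call.
header('Location: login.php?error=1');
exit;
```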
RE: [PHP-DB] Wait Statement... ?
Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)

The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate and be done.

A better way to stop attacks is to have a tally of failed logins if you really are that worried someone is going to brute-force you. Then after 3 fails, just don't let that IP connect or add other intelligent handling. Maybe add them to a 'ban list' after x amount of failed tries. You can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

-----Original Message-----
From: John W. Holmes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 20, 2004 7:10 AM
To: ..: GamCo :..
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Wait Statement... ?

..: GamCo :.. wrote:

> ok, I added the sleep() function in my page. What I'm basically doing is:
>
> I have a .php page where people log in from. From there I send the form to another .php page that actually checks the login and registers a session with the username and password as session variables. Then on the page that actually does the validation, I have something that says "validating login..." and a sleep 1 function. Then I have another line that says "validation successful..." and a sleep 1 function, and then I have another line that says "redirecting..." with a sleep 1 function, and then header redirects to the actual logged-in.php file.
>
> The redirect and validation work perfectly, as well as the sleep functions, but it now doesn't display the "validating login... blah blah blah" stuff which is done in normal HTML code...

You are very confused. Read the manual page on header(). You can't have any output before you try to redirect with a header().

If you're trying to implement some sort of brute force protection by using sleep(), you're using it in the wrong method, anyhow. Your login processing script should sleep for a second or two whether the login is correct or not and it should be the first thing that it does (i.e. before any output or redirection). If you only sleep() on failures and redirect on good logins, brute force methods can pick up on that and adjust their methods to get around the wait time.

-- 
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals - www.phparch.com
Re: [PHP-DB] Wait Statement... ?
Daevid Vincent wrote:

> Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)

Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary.

> The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate and be done.
>
> A better way to stop attacks is to have a tally of failed logins if you really are that worried someone is going to brute-force you. Then after 3 fails, just don't let that IP connect or add other intelligent handling. Maybe add them to a 'ban list' after x amount of failed tries. You can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

You can still do this on top of the sleep() method. A one second wait isn't going to affect you when you log in to an application.

The problem with reacting after three failed logins is that it can then be easy to lock other people out of their account. You just have to figure out their username, which usually isn't that hard. Since IP addresses can be spoofed or shared among users of certain ISPs, relying on them isn't adequate, either.

I'm not saying using sleep is the solution to security problems, but it can be one layer of your defense.

-- 
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals - www.phparch.com
Re: [PHP-DB] Wait Statement... ?
Why silly?? It just makes you wait one second on the login page BEFORE the validation process, not on other pages. I use it everywhere.

Ignatius

----- Original Message -----
From: Daevid Vincent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: '..: GamCo :..' [EMAIL PROTECTED]; 'John W. Holmes' [EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 9:47 PM
Subject: RE: [PHP-DB] Wait Statement... ?

> Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)
>
> The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate and be done.
>
> A better way to stop attacks is to have a tally of failed logins if you really are that worried someone is going to brute-force you. Then after 3 fails, just don't let that IP connect or add other intelligent handling. Maybe add them to a 'ban list' after x amount of failed tries. You can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.
>
> -----Original Message-----
> From: John W. Holmes [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 20, 2004 7:10 AM
> To: ..: GamCo :..
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] Wait Statement... ?
>
> ..: GamCo :.. wrote:
>
>> ok, I added the sleep() function in my page. What I'm basically doing is:
>>
>> I have a .php page where people log in from. From there I send the form to another .php page that actually checks the login and registers a session with the username and password as session variables. Then on the page that actually does the validation, I have something that says "validating login..." and a sleep 1 function. Then I have another line that says "validation successful..." and a sleep 1 function, and then I have another line that says "redirecting..." with a sleep 1 function, and then header redirects to the actual logged-in.php file.
>>
>> The redirect and validation work perfectly, as well as the sleep functions, but it now doesn't display the "validating login... blah blah blah" stuff which is done in normal HTML code...
>
> You are very confused. Read the manual page on header(). You can't have any output before you try to redirect with a header().
>
> If you're trying to implement some sort of brute force protection by using sleep(), you're using it in the wrong method, anyhow. Your login processing script should sleep for a second or two whether the login is correct or not and it should be the first thing that it does (i.e. before any output or redirection). If you only sleep() on failures and redirect on good logins, brute force methods can pick up on that and adjust their methods to get around the wait time.
>
> -- 
> ---John Holmes...
>
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
>
> php|architect: The Magazine for PHP Professionals - www.phparch.com
Re: [PHP-DB] Wait Statement... ?
In article [EMAIL PROTECTED], John W. Holmes wrote:

> Daevid Vincent wrote:
>
>> Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)
>
> Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary.

You're mistaken here. Every kiddie knows he has to fork 50 concurrent threads that try to authenticate...

I'd suggest to have 2 queues for failed authentication attempts. One containing (ip - timestamp) pairs, the other containing (username - timestamp) pairs. Every time someone tries to authenticate, you count the number of failures in both queues. The larger the number, the longer the sleep will take. (removing old entries once in a while might speed up things)

-- 
Tim Van Wassenhove
http://home.mysth.be/~timvw
Re: [PHP-DB] Wait Statement... ?
Tim Van Wassenhove wrote:

> In article [EMAIL PROTECTED], John W. Holmes wrote:
>
>> Daevid Vincent wrote:
>>
>>> Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)
>>
>> Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary.
>
> You're mistaken here. Every kiddie knows he has to fork 50 concurrent threads that try to authenticate...

That's still only 50 guesses a second compared to thousands when your server gives an immediate good or bad response. Like I said, this is just another layer you can add in addition to what you have below. It doesn't hurt anything if implemented correctly and it only serves to hassle those abusing the system. Defense in depth. :)

> I'd suggest to have 2 queues for failed authentication attempts. One containing (ip - timestamp) pairs, the other containing (username - timestamp) pairs. Every time someone tries to authenticate, you count the number of failures in both queues. The larger the number, the longer the sleep will take. (removing old entries once in a while might speed up things)

-- 
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals - www.phparch.com
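Tim's two-queue proposal and John's "defense in depth" reply above, worked through as code (an added example written for this edit, not code posted by anyone in the thread). It assumes PHP 8.0 or later, an in-memory store (hypothetical; a real deployment keeps the queues in a MySQL table so they survive across requests), and a cap on the delay as the answer to the lock-out concern Daevid and John raised.

```php
<?php
// Added example, not from the thread: Tim's two-queue proposal as a class.
// FAILED attempts are recorded as (ip, timestamp) and (username, timestamp)
// pairs; the delay before the next attempt grows with the recent failure
// count in either queue, old entries are pruned, and a cap keeps a flooded
// username usable (the lock-out concern raised in the thread). Storage is
// in-memory for the demo; across PHP requests it would be a MySQL table.
declare(strict_types=1);
final class FailedLoginThrottle
{
    private array $byIp = [];   // list of [ip, timestamp]
    private array $byUser = []; // list of [username, timestamp]
    public function __construct(
        private int $window = 600,  // seconds a failure stays relevant
        private int $baseDelay = 1, // the unconditional sleep(1) John suggests
        private int $maxDelay = 30  // cap: throttle, never a permanent lock-out
    ) {}

    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->byIp[]   = [$ip, $now];
        $this->byUser[] = [$user, $now];
    }

    // "removing old entries once in a while": drop entries outside the window.
    public function prune(int $now): void
    {
        $keep = fn(array $q): array => array_values(
            array_filter($q, fn(array $e): bool => $e[1] > $now - $this->window));
        $this->byIp   = $keep($this->byIp);
        $this->byUser = $keep($this->byUser);
    }

    // Seconds to sleep() before processing an attempt from $ip for $user.
    public function delayFor(string $ip, string $user, int $now): int
    {
        $this->prune($now);
        $count = fn(array $q, string $key): int =>
            count(array_filter($q, fn(array $e): bool => $e[0] === $key));
        $failures = $count($this->byIp, $ip) + $count($this->byUser, $user);
        return min($this->maxDelay, $this->baseDelay + $failures);
    }
}
// Constructed walk-through: Tim's "50 concurrent threads" guessing alice's
// password from one address, then attempts from elsewhere and later on.
$throttle = new FailedLoginThrottle();
for ($i = 0; $i < 50; $i++) {
    $throttle->recordFailure('203.0.113.7', 'alice', 1000 + $i);
}
printf("same ip and user: %d s\n", $throttle->delayFor('203.0.113.7', 'alice', 1050));
printf("new ip, same user: %d s\n", $throttle->delayFor('198.51.100.2', 'alice', 1050));
printf("unrelated user: %d s\n", $throttle->delayFor('198.51.100.2', 'bob', 1050));
printf("after the window: %d s\n", $throttle->delayFor('203.0.113.7', 'alice', 2000));
// In the login script: sleep($throttle->delayFor($_SERVER['REMOTE_ADDR'], $user, time()));
```

The username queue means an attacker flooding one account slows that account's owner down as well, which is the lock-out problem from the thread; the cap and the expiry window bound that cost instead of turning it into a ban.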