RE: [PHP-DB] Wait Statement... ?

2004-07-21 Thread Daevid Vincent
> Uhmmm.. how effective is a brute force attack where you can only try one
> combination per second? It's going to take you a while to get through
> that dictionary.

How determined are you ;-)

Our product has a brute force attacker in it, and for some protocols, we
have to wait a few seconds between each attempt b/c otherwise the protocol
blocks you as it considers it a DoS.

But the results can finish in several days or even weeks.

> You can still do this on top of the sleep() method. A one second wait
> isn't going to affect you when you log in to an application.

Sure. If you really want to sleep(1); then go nuts. I was only trying to
point out that the sleep(1) is not a really viable way to prevent crackers
from doing anything really. Just slow them down.

> The problem with reacting after three failed logins is that it can then
> be easy to lock other people out of their account. You just have to
> figure out their username, which usually isn't that hard. Since IP
> addresses can be spoofed or shared among users of certain ISPs, relying
> on them isn't adequate, either.

Well, you'd only get 3 attempts to guess a username from a given IP. 
It takes a lot more work to spoof an IP, and coordinate an attack with
several computers.

And most crackers aren't trying to lock people out of their account, they're
trying to gain access themselves. If I wanted to bring down a server, I'd
just DoS it, not waste time locking individual users out one at a time.

Daevid Vincent
Senior Engineer / Architect


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP-DB] Wait Statement... ?

2004-07-21 Thread Daevid Vincent
I like this idea of longer sleeps for each fail in theory, 
but it becomes moot if you only allow 3 failed attempts. 

 -Original Message-
 From: Tim Van Wassenhove [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, July 20, 2004 3:37 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP-DB] Wait Statement... ?

> Every time someone tries to authenticate, you count the number of
> failures in both queues. The larger the number, the longer the sleep
> will take. (removing old entries once in a while might speed up things)

Daevid Vincent
Senior Engineer / Architect





Re: [PHP-DB] Wait Statement... ?

2004-07-21 Thread Shah
Well, everyone is in a big discussion about this, so I figure I'll toss in
my worthless 2 cents.
   Say your users have a password of, like, 8 characters; Brutus (used
for brute forcing) will tell someone trying to gain access that they'll
have better luck asking the person.
So the only real threat is, like, dictionary attacks. So you add an eregi
and ask your users to include at least 1 number and/or a special
character, or you have your own dictionary that you check the word
against; if it's in your dictionary then you tell the user to select
another one. Brute forcing a password is pass or fail; if the person is
determined enough they'll get in. Using a dictionary can work sometimes;
script kiddies can whip those out pretty quick and try it. The main
anti-passcrack would be a strong password. I usually use a minimum of 8
characters, 1 special character not at the end. And on top of this I
also have about 7,000 words/common passes in a MySQL database that I
reference. Of course, you have to remember that you're dealing with
users... as in users... who will make their password their initials and
the last 2 digits of their birthday... or they'll make it 112233. The
best way to learn about security on stuff like this is to sit down and
try to break into your system; if you can do it locally then that's
better, so that you can test it as if someone plugged in on your
server's LAN (highly improbable), and anyone that tries to sell you a
product for the anti-passcrack is really saying "you don't seem to want
to write the 40 lines of code, so I'll rip you on it."

Shah
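[Editor's note: the block below is an added example, not code from Shah or anyone else in this thread. It implements the password policy he describes (minimum 8 characters, a digit, a special character that is not the last character, and a lookup against a table of common passwords) using preg_match() in place of the eregi() he mentions, which later PHP versions removed. The COMMON_PASSWORDS array is a constructed stand-in for his ~7,000-row MySQL table. It goes one step beyond the post by also looking up the word that is left after stripping leading and trailing digits and punctuation, so "Password1!" is caught as a variant of "password".]

```php
<?php
// Added example: server-side password policy check. COMMON_PASSWORDS is a
// constructed stand-in for a blocklist table; load it from the database in practice.
declare(strict_types=1);

const MIN_LENGTH = 8;

/** Constructed sample of a common-password blocklist (a real one has thousands of rows). */
const COMMON_PASSWORDS = ['password', 'letmein', 'qwerty', '112233', 'welcome', 'iloveyou'];

/**
 * Returns an empty array when the password is acceptable, otherwise a list of
 * the rules it violates, so the user can be told exactly what to change.
 */
function password_problems(string $password, array $blocklist = COMMON_PASSWORDS): array
{
    $problems = [];

    if (strlen($password) < MIN_LENGTH) {
        $problems[] = 'shorter than ' . MIN_LENGTH . ' characters';
    }
    if (!preg_match('/\d/', $password)) {
        $problems[] = 'no digit';
    }
    // A non-alphanumeric character is required and it must not be the last one:
    // the lookahead (?=.) insists that at least one character follows it.
    if (!preg_match('/[^a-zA-Z0-9](?=.)/', $password)) {
        $problems[] = 'no special character before the last position';
    }

    // Dictionary check: case-insensitive, and repeated on the "core" word with
    // leading/trailing digits and punctuation removed ("Password1!" -> "password").
    $lower   = strtolower($password);
    $core    = preg_replace('/^[^a-z]+|[^a-z]+$/', '', $lower);
    $blocked = array_map('strtolower', $blocklist);
    if (in_array($lower, $blocked, true) || ($core !== '' && in_array($core, $blocked, true))) {
        $problems[] = 'based on a common password';
    }

    return $problems;
}

// Constructed candidates covering each rule, including the "special character at the end" case.
foreach (['112233', 'Password1!', 'summer2024', 'tr0ub4dor&3'] as $candidate) {
    $problems = password_problems($candidate);
    printf("%-14s %s\n", $candidate, $problems ? 'rejected: ' . implode(', ', $problems) : 'accepted');
}
```

Returning the list of violated rules rather than a bare true/false lets the signup page tell the user what to fix without revealing anything about other accounts. When the blocklist lives in a table, run the lookup as a parameterised query (for example a prepared statement with the lowercased candidate bound as the single parameter) rather than interpolating the password into SQL.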


Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Ignatius Reilly
sleep( nb of seconds ) ;

_
- Original Message - 
From: ..: GamCo :.. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 9:44 AM
Subject: [PHP-DB] Wait Statement... ?


> Hi all,
>
> I would like to add a line of code in PHP that will execute a wait before
> executing the next set of code. How do I do that?
>
> Regards,
>
> GM
 




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread ..: GamCo :..
hhhmmm...

OK, I added the sleep() function in my page. What I'm basically doing is:

I have a .php page where people log in from. From there I send the form to
another .php page that actually checks the login and registers a session
with the username and password as session variables. Then on the page that
actually does the validation, I have something that says: validating
login... sleep 1 function. Then I have another line that says validation
successful... sleep 1 function, and then I have another line that says
redirecting... with sleep 1 function, and then header redirects to the actual
logged-in.php file. The redirect and validation work perfectly, as well as
the sleep functions, but it now doesn't display the validating login... blah
blah blah stuff which is done in normal HTML code...

any idea ?




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Jason Wong
On Tuesday 20 July 2004 16:56, ..: GamCo :.. wrote:

> OK, I added the sleep() function in my page. What I'm basically doing is:
>
> I have a .php page where people log in from. From there I send the form to
> another .php page that actually checks the login and registers a session
> with the username and password as session variables. Then on the page that
> actually does the validation, I have something that says: validating
> login... sleep 1 function. Then I have another line that says validation
> successful... sleep 1 function, and then I have another line that says
> redirecting... with sleep 1 function, and then header redirects to the
> actual logged-in.php file. The redirect and validation work perfectly, as
> well as the sleep functions, but it now doesn't display the validating
> login... blah blah blah stuff which is done in normal HTML code...

Why don't you just validate the login and be done with it? Why wait 1 second,
another second, ... ?

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design  Hosting * Internet  Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/*
There are no accidents whatsoever in the universe.
-- Baba Ram Dass
*/




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread John W. Holmes
..: GamCo :.. wrote:
> OK, I added the sleep() function in my page. What I'm basically doing is:
> I have a .php page where people log in from. From there I send the form to
> another .php page that actually checks the login and registers a session
> with the username and password as session variables. Then on the page that
> actually does the validation, I have something that says: validating
> login... sleep 1 function. Then I have another line that says validation
> successful... sleep 1 function, and then I have another line that says
> redirecting... with sleep 1 function, and then header redirects to the actual
> logged-in.php file. The redirect and validation work perfectly, as well as
> the sleep functions, but it now doesn't display the validating login... blah
> blah blah stuff which is done in normal HTML code...
You are very confused. Read the manual page on header(). You can't have 
any output before you try to redirect with a header().

If you're trying to implement some sort of brute force protection by 
using sleep(), you're using it in the wrong method, anyhow. Your login 
processing script should sleep for a second or two whether the login is 
correct or not and it should be the first thing that it does (i.e. 
before any output or redirection). If you only sleep() on failures and 
redirect on good logins, brute force methods can pick up on that and 
adjust their methods to get around the wait time.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com
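[Editor's note: the block below is an added example, not code from John Holmes, GamCo or anyone else in the thread. It shows the structure John recommends: the delay is the first statement of the login-processing script and runs whether or not the credentials are right, and header() is called before any output. The file must start with `<?php` with no whitespace or BOM in front of it, or header() will fail with "headers already sent". The $users array, the account "alice" and the /login.php path are constructed for the example; /logged-in.php is the target page GamCo names. Unlike the original design, only the username is kept in the session, not the password.]

```php
<?php
// Added example (not from the thread): a login handler that sleeps before it
// does anything else, for success and failure alike, and only then redirects.
// $users is constructed stand-in data; load it from your users table in practice.
declare(strict_types=1);

const LOGIN_DELAY_SECONDS = 1;

/** Verify $password for $username against an array of password_hash() values. */
function authenticate(array $users, string $username, string $password): bool
{
    // Always run password_verify(), even for an unknown username, so that a
    // missing account takes the same time to reject as a wrong password.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $known = isset($users[$username]);
    $ok    = password_verify($password, $known ? $users[$username] : $dummyHash);
    return $ok && $known;
}

/** Process a POSTed login form. Must run before any byte of output is sent. */
function handle_login(array $users, string $username, string $password): void
{
    // First thing, unconditionally: the same delay whether or not the
    // credentials are right, so response time does not reveal the outcome.
    sleep(LOGIN_DELAY_SECONDS);

    if (authenticate($users, $username, $password)) {
        session_start();
        session_regenerate_id(true);    // fresh session id once the user is authenticated
        $_SESSION['user'] = $username;  // keep the identity in the session, never the password
        header('Location: /logged-in.php', true, 303);
    } else {
        // One generic failure signal; do not say which of the two values was wrong.
        header('Location: /login.php?error=1', true, 303);
    }
    exit; // nothing may be echoed before header(), and nothing should run after the redirect
}

// Constructed user table: one account with a bcrypt hash of a known password.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if (PHP_SAPI === 'cli') {
    // Offline check of the verification logic; the delay and redirect need a web request.
    var_dump(authenticate($users, 'alice', 'correct horse battery staple'));
    var_dump(authenticate($users, 'alice', 'wrong'));
    var_dump(authenticate($users, 'mallory', 'correct horse battery staple'));
} else {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    handle_login($users, is_string($u) ? $u : '', is_string($p) ? $p : '');
}
```

The "validating login... / validation successful... / redirecting..." messages GamCo wanted to show cannot be printed from this script at all, since any output would precede header(); if a progress page is wanted, it has to be a separate page that the browser is redirected to, not text emitted before the redirect.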


RE: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Daevid Vincent
Similarly, I could adjust my brute force attack to sleep() a pre-determined
amount of time too ;-)

The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
and be done. A better way to stop attacks is to have a tally of failed
logins if you really are that worried someone is going to brute-force you.
Then after 3 fails, just don't let that IP connect or add other intelligent
handling. Maybe add them to a 'ban list' after x amount of failed tries. You
can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

 -Original Message-
 From: John W. Holmes [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, July 20, 2004 7:10 AM
 To: ..: GamCo :..
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP-DB] Wait Statement... ?
 




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread John W. Holmes
Daevid Vincent wrote:
> Similarly, I could adjust my brute force attack to sleep() a pre-determined
> amount of time too ;-)
Uhmmm.. how effective is a brute force attack where you can only try one 
combination per second? It's going to take you a while to get through 
that dictionary.

> The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
> and be done. A better way to stop attacks is to have a tally of failed
> logins if you really are that worried someone is going to brute-force you.
> Then after 3 fails, just don't let that IP connect or add other intelligent
> handling. Maybe add them to a 'ban list' after x amount of failed tries. You
> can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.
You can still do this on top of the sleep() method. A one second wait
isn't going to affect you when you log in to an application.

The problem with reacting after three failed logins is that it can then 
be easy to lock other people out of their account. You just have to 
figure out their username, which usually isn't that hard. Since IP 
addresses can be spoofed or shared among users of certain ISPs, relying 
on them isn't adequate, either.

I'm not saying using sleep is the solution to security problems, but 
it can be one layer of your defense.

--
---John Holmes...


Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Ignatius Reilly
Why silly??
It just makes you wait one second on the login page BEFORE the validation
process, not on other pages.
I use it everywhere.

Ignatius
_
- Original Message -
From: Daevid Vincent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: '..: GamCo :..' [EMAIL PROTECTED]; 'John W. Holmes'
[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 9:47 PM
Subject: RE: [PHP-DB] Wait Statement... ?








Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Tim Van Wassenhove
In article [EMAIL PROTECTED], John W. Holmes wrote:
> Daevid Vincent wrote:
>
>> Similarly, I could adjust my brute force attack to sleep() a pre-determined
>> amount of time too ;-)
>
> Uhmmm.. how effective is a brute force attack where you can only try one
> combination per second? It's going to take you a while to get through
> that dictionary.

You're mistaken here. Every kiddie knows he has to fork 50 concurrent
threads that try to authenticate... 

I'd suggest to have 2 queues for failed authentication attempts.
One containing (ip - timestamp) pairs,
the other containing (username - timestamp) pairs.

Every time someone tries to authenticate, you count the number of
failures in both queues. The larger the number, the longer the sleep
will take. (removing old entries once in a while might speed up things)

-- 
Tim Van Wassenhove http://home.mysth.be/~timvw

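[Editor's note: the block below is an added example, not code from Tim Van Wassenhove or anyone else in the thread. It implements the scheme he proposes (one queue of IP/timestamp pairs, one of username/timestamp pairs, a sleep that grows with the number of recent failures in either, and pruning of old entries), and also covers Daevid's earlier suggestion of a per-IP failure tally, since that is the IP queue on its own. The class name, the doubling schedule, the 15-minute window, the 64-second cap and the addresses and usernames in the scenario are all constructed for the example. Requires PHP 8.0 or later.]

```php
<?php
// Added example (not from the thread): two failure queues, one keyed by client
// IP and one by username, driving a delay that doubles per recent failure.
// In-memory arrays stand in for the shared store (database table, APCu, Redis)
// real PHP workers need, since every request runs in its own process.
declare(strict_types=1);

final class FailureTracker
{
    /** @var array<string, int[]> client IP => timestamps of failed logins */
    private array $byIp = [];
    /** @var array<string, int[]> username  => timestamps of failed logins */
    private array $byUser = [];

    public function __construct(
        private int $windowSeconds = 900,  // failures older than this are forgotten
        private int $maxDelaySeconds = 64  // cap: a flood must not tie up workers forever
    ) {}

    /** Record one failed attempt in both queues. */
    public function recordFailure(string $ip, string $username, int $now): void
    {
        $this->byIp[$ip][]         = $now;
        $this->byUser[$username][] = $now;
    }

    /**
     * Seconds to sleep before answering this attempt: 1s with a clean history,
     * doubling for every recent failure on either the IP or the username.
     */
    public function delayFor(string $ip, string $username, int $now): int
    {
        $failures = max(
            $this->countRecent($this->byIp, $ip, $now),
            $this->countRecent($this->byUser, $username, $now)
        );
        return (int) min($this->maxDelaySeconds, 2 ** $failures);
    }

    /** Count entries inside the window for $key, pruning expired ones as we go. */
    private function countRecent(array &$queue, string $key, int $now): int
    {
        if (!isset($queue[$key])) {
            return 0;
        }
        $cutoff      = $now - $this->windowSeconds;
        $queue[$key] = array_values(array_filter($queue[$key], fn(int $t) => $t >= $cutoff));
        if ($queue[$key] === []) {
            unset($queue[$key]);
        }
        return count($queue[$key] ?? []);
    }
}

// Constructed scenario with an injected clock so the run is deterministic:
// one attacker IP guesses alice's password four times in a row.
$tracker = new FailureTracker();
$now     = 1_700_000_000;
foreach (['letmein', 'password', 'alice123', 'qwerty'] as $guess) {
    $delay = $tracker->delayFor('203.0.113.7', 'alice', $now);
    echo "guess '$guess': wait {$delay}s before answering\n";
    $tracker->recordFailure('203.0.113.7', 'alice', $now);
    $now += $delay;   // in a real handler: sleep($delay) before the password check
}
// A second IP attacking the same account inherits alice's failure count...
echo 'new IP, same user: ' . $tracker->delayFor('198.51.100.9', 'alice', $now) . "s\n";
// ...and a different user tried from the attacking IP inherits that IP's count.
echo 'same IP, other user: ' . $tracker->delayFor('203.0.113.7', 'bob', $now) . "s\n";
// Once the window has passed, expired entries are pruned and the delay is back to baseline.
echo 'after the window: ' . $tracker->delayFor('203.0.113.7', 'alice', $now + 1000) . "s\n";
```

The username queue is what defeats the "50 concurrent threads" and many-IP variants, because the count follows the account, not the source. It is also where John's lockout concern reappears: someone hammering alice's username slows alice down as well. The cap and the sliding window bound that harm (at most 64 seconds per attempt, and only while the attack is running), which is the difference from a hard three-strikes lockout that leaves the account unusable until someone resets it. In a real deployment the delay should be applied before the password check, and the store must be shared across workers, or each process will see only its own failures.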



Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread John W. Holmes
Tim Van Wassenhove wrote:
> In article [EMAIL PROTECTED], John W. Holmes wrote:
>> Daevid Vincent wrote:
>>> Similarly, I could adjust my brute force attack to sleep() a pre-determined
>>> amount of time too ;-)
>> Uhmmm.. how effective is a brute force attack where you can only try one
>> combination per second? It's going to take you a while to get through
>> that dictionary.
>
> You're mistaken here. Every kiddie knows he has to fork 50 concurrent
> threads that try to authenticate...
That's still only 50 guesses a second compared to thousands when your 
server gives an immediate good or bad response. Like I said, this is 
just another layer you can add in addition to what you have below. It 
doesn't hurt anything if implemented correctly and it only serves to 
hassle those abusing the system. Defense in depth. :)

> I'd suggest to have 2 queues for failed authentication attempts.
> One containing (ip - timestamp) pairs,
> the other containing (username - timestamp) pairs.
> Every time someone tries to authenticate, you count the number of
> failures in both queues. The larger the number, the longer the sleep
> will take. (removing old entries once in a while might speed up things)

--
---John Holmes...