Protecting against brute force attacks


desbest

Apr 14, 2013, 4:36:32 PM
to ram...@googlegroups.com
Does anyone have any tips on how to protect the user system against brute force attacks, so that I can disable logging in after 100 failed attempts?

I've tried this code below, but it doesn't work.

model/user.rb
  def self.authenticate(creds)
    username, password = creds['username'], creds['password']

    if creds['username'].nil? or creds['username'].empty?
      return false
    end

    # Let's see if there is a user for the given username.
    user = self[:username => username]

    # Validate the user. Note that while it may seem that the password is
    # compared as plain text this is not the case. The bcrypt class
    # automatically converts the given password to a bcrypt hash. If these
    # hashes are the same the specified password is correct.
    if !user.nil? and user.password == password #&& !flash[:fblogout] #user/pass login
      return user
    else
      # Added lines: record the date of this failed login attempt on the user's row.
      @datenumber = Time.now.strftime("%Y-%m-%d")
      User.where(:username=>username).update(:faillogindatenumber=>@datenumber)
      return false
    end
  end

The orange lines are my additions, to write the date a failed login attempt is made, into the user's database row.
However it is not writing anything, though it should do.
Any advice?

desbest

Apr 14, 2013, 4:42:02 PM
to ram...@googlegroups.com
Never mind this email. I've solved it.

Mathias Hablützel

Apr 16, 2013, 12:07:37 PM
to ram...@googlegroups.com
On Sun, 14 Apr 2013 13:36:32 -0700 (PDT)
desbest <afanint...@gmail.com> wrote:

> Does anyone have any tips on how to protect the user system against
> brute force attacks, so that I can disable logging in after 100
> failed attempts?

/me cringes in pain.

Don't do this! What if I just brute-force your account and then you're
blocked from logging in again? This means the admin has to re-activate
your account and then the game starts again. Perfect to annoy someone.

I'd rather block the originating IP for one hour to log in and not the
whole account.

See http://en.wikipedia.org/wiki/Fail2ban for what I mean.

Happy Coding
Mathias
--
In crypto we trust. The source we read. Knowledge we seek.

tynamite

Apr 16, 2013, 12:09:46 PM
to ram...@googlegroups.com
I would block the whole account, as nowadays, hackers who brute force use multiple IPs.

Michel Blanc

Apr 16, 2013, 1:51:37 PM
to ram...@googlegroups.com
On 16/04/2013 18:09, tynamite wrote:
> I would block the whole account, as nowadays, hackers who brute force
> use multiple IPs.
>

I suppose the response depends on many factors.
However, as a middle ground measure I would tarpit if possible or block
with fail2ban, while putting my IPs in a whitelist.

But I'd rather do that at the system level anyway.

M
--
Michel Blanc - netWorks
8A68 0871 747A 65B6 E87C 3BEA 187C 36BB 2CE5 68BD

James Britt

Jun 16, 2013, 9:06:56 PM
to ram...@googlegroups.com
desbest wrote:
> Never mind this email. I've solved it.

Since you posted the original question I can guarantee that at some time
in the future someone with the same problem will find your initial post
via Google (or whatever) and will want to know *how* you solved it.

What did you do?

Thanks,

James

--

jamesbritt.com - Live curious
justthebestparts.com - Feed your head
neurogami.com - Hack your world

tynamite

Oct 22, 2013, 12:48:38 PM
to ram...@googlegroups.com
Provided that you are using the built-in authentication system for Ramaze (from the blog sample app).

You'll need this in your migrations.
Sequel.migration do
  up do
    add_column :users, :faillogindatenumber, String
    add_column :users, :faillogincount, Integer, :default=>0
  end
 
  down do
    drop_column :users, :faillogindatenumber
    drop_column :users, :faillogincount
  end
end
 
inside model/user.rb replace
    # Validate the user. Note that while it may seem that the password is
    # compared as plain text this is not the case. The bcrypt class
    # automatically converts the given password to a bcrypt hash. If these
    # hashes are the same the specified password is correct.
    if !user.nil? and user.password == password
      return user
    else
      return false
    end

with this

    # Validate the user. Note that while it may seem that the password is
    # compared as plain text this is not the case. The bcrypt class
    # automatically converts the given password to a bcrypt hash. If these
    # hashes are the same the specified password is correct.
    @datenumber = Time.now.strftime("%Y-%m-%d")
    if !user.nil? and user.password == password && user.faillogincount < 100 #&& !flash[:fblogout] #user/pass login
      return user
    elsif !user.nil? and user.password == password && user.faillogincount >= 100 && user.faillogindatenumber != @datenumber
      # The lock only lasts for the day on which the limit was reached.
      return user
    else
      # Failed attempt: count it against today's date. Only touch the row when
      # the username exists, otherwise faillogincount would be called on nil.
      unless user.nil?
        if user.faillogindatenumber == @datenumber
          faillogincount = user.faillogincount + 1
        else
          faillogincount = 1   # first failure of a new day
        end
        User.where(:username => username).update(:faillogindatenumber => @datenumber, :faillogincount => faillogincount)
      end
      return false
    end

Do you want the code for Login With Facebook authentication as well?
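An added example, not code from this thread or from Ramaze, that puts the two approaches discussed here side by side: tynamite's per-account counter with a daily date column, and the per-IP block for one hour that Mathias suggested. It assumes an in-memory `users` hash standing in for the Sequel users table, an assumed per-IP limit of 10 failures, and a `now` argument injected so the time window can be exercised offline.

```ruby
# Added example (not from the thread or Ramaze). `users` maps username =>
# {password:, faillogincount:, faillogindatenumber:} and stands in for the
# Sequel users table; IP_LIMIT and the injected `now` clock are assumptions.
class LoginThrottle
  ACCOUNT_LIMIT = 100   # failed attempts per account per calendar day (from the thread)
  IP_LIMIT      = 10    # failed attempts per IP before it is blocked (assumed)
  IP_BLOCK_SECS = 3600  # one hour, as Mathias proposed

  def initialize(users)
    @users = users
    @ip_fails = Hash.new { |h, ip| h[ip] = [] }  # ip => timestamps of failures
  end

  # True when the IP has IP_LIMIT or more failures within the last hour.
  def ip_blocked?(ip, now)
    @ip_fails[ip].reject! { |t| now - t >= IP_BLOCK_SECS }  # expire old failures
    @ip_fails[ip].size >= IP_LIMIT
  end

  # Returns :ok, :bad_credentials, :account_locked or :ip_blocked. A login page
  # should show one message for the last three so it does not reveal which
  # usernames exist or are locked.
  def authenticate(username, password, ip, now = Time.now)
    return :ip_blocked if ip_blocked?(ip, now)
    today = now.strftime('%Y-%m-%d')
    user = @users[username]
    # Lock is checked before the password: a locked account answers the same
    # way whether or not the guess was right.
    if user && user[:faillogindatenumber] == today && user[:faillogincount] >= ACCOUNT_LIMIT
      return :account_locked
    end
    if user && user[:password] == password  # stands in for the bcrypt comparison
      user[:faillogincount] = 0  # a successful login clears today's counter
      return :ok
    end
    record_failure(user, today)
    @ip_fails[ip] << now         # unknown usernames still count against the IP
    :bad_credentials
  end

  # Same columns as the thread's code: increment on the same day, otherwise
  # start today's count at one.
  def record_failure(user, today)
    return if user.nil?
    if user[:faillogindatenumber] == today
      user[:faillogincount] += 1
    else
      user[:faillogincount] = 1
      user[:faillogindatenumber] = today
    end
  end
end
```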