Deny access after too many login attempts

JLW

I have a membership system that requires a username and password. I have been told to increase security I should only allow a set number of login attempts then block the person attempting to login for 15 minutes or so before they can attempt to login. Has anyone done this before? Where do I start?

leatherback

Hi,

I hav enever done this BUT you could fairly easily do this:

Create a table with IP_NR, Attempts, LastLog.

When somebody tries to log in, and is rejected, you store that persons IP number, set attempts to 1, and set lastlog to current time (Is actually an MySQL colum type which will auto-update when a record is updated)

THen, if the person tries again, and in the database an record exists for this user, and the time is less then set expire time you add one to the attempts colum, this untill you have the max attempts.. Reject his login no matter what, and post an error.

JLW

Thanks alot, that got me started! I want to try something like this: when a login attempt is made if the IP address is the database, then it gets the number of attempts and the time. if the time in the db is within say 30 minutes of the current time then I want to increase the number of attempts by one, if it is not I want to set the number of attempts back to one. (If I didn't then if they had attempted to login a few days before then it would still increase the attempts). How do I compare the time now to the time stored in the database? I am using date() (in this format $date= date("Y-m-d h:i:s"); ) to get the current time.

weevil

You can calculate the time in your select

SELECT * FROM failed_logins WHERE NOW() - 3000 > LastLog AND IP_NR='$ip_number'

mogster

You can use the timestamp fieldtype in mysql - just make sure that some other fields are updated, then this will automatically be updated.

I made a thing like this once, not for db but for files.
The gist of it is:
- one script with either auth content or login screen, depending on successful login
- before any auth exec (including login check for user/pass), open a text-file and write the count of login-attempts to it

## Check for erred logins - more than 3 (number more than 6 in $thisip.cnt-file), and user gets timer ##
$chk_hack = @file_get_contents("$countlogindir/$thisip^.cnt");
$chk_hack = trim($chk_hack);
## If more than 5 login-tries, include timeout ##
$time_out = time() - 300;
if($chk_hack > 6 && filemtime("$countlogindir/$thisip^.cnt") > $timeout) {
@touch("$countlogindir/$thisip^.cnt");
include("time_out.php");
exit;
} else {
if($rm_cnt == "y") {
## Check if the user tries to post to this state conciously ##
if($chk_hack <= 6) {
@touch("$countlogindir/$thisip^.cnt");
header("Location:login.php");
## Finally - if the timeout truly is endured: delete count and cleared for login ##
} else {
@unlink("$countlogindir/$thisip^.cnt");
header("Location:login.php");
}
}

The key of which to check for hack is the user-agent string ($thisip).
This code is placed on top of the script, before any significant happens - thus it exits if the user has to many.

Further down, I placed some code (in the login-switch) to write the counts to the file.

## Check for count file - and init count if not found ##
if (!file_exists("$countlogindir/$thisip^.cnt")) {
@touch("$countlogindir/$thisip^.cnt");
$cnt = "";
$cnt = "1";
$in_touch = fopen("$countlogindir/$thisip^.cnt", "w");
fputs($in_touch, $cnt);
fclose($in_touch);
## Count file present - set count = count + 1 ##
} else {
$instring = "";
$instring = file_get_contents("$countlogindir/$thisip^.cnt");
$instring = trim($instring);
$nstring = $instring + 1;
$in_upd = fopen("$countlogindir/$thisip^.cnt", "w");
fputs($in_upd, $nstring);
fclose($in_upd);
}

The script time_out.php is just a page with pain html, and a javascript counter to count down to login. Once counted down - the page is reloaded and the login-screen appears.

<script language=\"JavaScript\">
//configure refresh interval (in seconds)
var countDownInterval=180;
//configure width of displayed text, in px (applicable only in NS4)
var c_reloadwidth=200

</script>


<ilayer id=\"c_reload\" width=&{c_reloadwidth}; ><layer id=\"c_reload2\" width=&{c_reloadwidth}; left=0 top=0></layer></ilayer>

<script>

var countDownTime=countDownInterval+1;
function countDown(){
countDownTime--;
if (countDownTime <=0){
countDownTime=countDownInterval;
clearTimeout(counter)
window.location.replace('publicator.php?rm_cnt=y')
return
}
if (document.all) //if IE 4+
document.all.countDownText.innerText = countDownTime+\" \";
else if (document.getElementById) //else if NS6+
document.getElementById(\"countDownText\").innerHTML=countDownTime+\" \"
else if (document.layers){
document.c_reload.document.c_reload2.document.write('Timeout:<br><b id=\"countDownText\">'+countDownTime+' </b> seconds')
document.c_reload.document.c_reload2.document.close()
}
counter=setTimeout(\"countDown()\", 1000);
}

function startit(){
if (document.all||document.getElementById)
document.write('Timeout:<br><b id=\"countDownText\">'+countDownTime+' </b> seconds')
countDown()
}

if (document.all||document.getElementById)
startit()
else
window.onload=startit

</script>

Backslashed code! 😃

Never been tested against the real beeg bad guys, though.

knutm :-)

JLW

Thanks for all of your help!
Here is what I have it doing so far, the only problem I am having is the time:

//PHP variable to get ip address
$_SESSION['ip'] = $REMOTE_ADDR;
$ip = $_SESSION['ip'];


print("The IP Address is $ip<br>");

//check if IP Address is stored in db
$get_IP = mysql_query("SELECT * FROM log WHERE IP_address = '$ip'");

$check_IP = mysql_num_rows($get_IP);



if($check_IP > 0){

 //get number of Attempts
while($row = mysql_fetch_array($get_IP)){
	foreach( $row AS $key => $val){
		$$key = stripslashes($val);
	}
	session_register('Attempts');		
	}

//see if last login attempt was within 15 minutes ago
$get_time = mysql_query("SELECT * FROM log WHERE NOW() - 1500 > Time AND IP_address = '$ip'");

$check_time = mysql_num_rows($get_time);

//if last attempt was < 15 minutes ago
if($check_time > 0){

//if attempts exceeds five restrict access
if($Attempts >= 5){

print("You have exceeded the maximum number of login attempts<br>");
print("You must wait 15 minutes before you can login again<br>");
print("If you have forgotten your password go to the Password Retrieval form");
exit();
}

//if attempts is under 5 add 1 
elseif($Attemps < 5){
$Attempts = $Attempts+1;
$sql_attempts = mysql_query("UPDATE log SET Attempts='$Attempts' WHERE IP_address = '$ip'");

}
}

//last attempt was more than 15 minutes ago, start attempts over

elseif($check_time <= 0){
     $sql_update = mysql_query("UPDATE log SET Attempts='1' AND Time = NOW()");
	}

}

//IP address not in database
elseif($check_IP <= 0){

$sql_insert=mysql_query("INSERT INTO log (IP_address, Attempts, Time) VALUES('$ip', '1', NOW())");


}

If you or anyone has the time can you look this over?