Ban User after X number of failed login attempts.

NeXEA

Hello.

I have seen this in many places, but one of the ones that most pertains to what I need is here

It is What.CD's login form. I am wondering how I could duplicate this, as it gives you six attempts, and if you fail that many times, it bans you for 6 hours.

Any Idea on how to do this.

I was thinking of cookies for the six failed login attempts, and then having a table for the IP of the failed login attempts. And every time the script loads, it checks the time since the IP was inserted and if it is more than say 2 hours, then it deletes it allowing the user to login, but if it hasn't been that long, they receive an error giving them the number of minutes left.

Does this seem like a sensible way to do this, or is there better.

This is open for any and all idea's, but I would like for the most efficient way.

Thanks in advance for any idea's or submissions.

laserlight

As an example of how silly and frustrating IP address based banning can be, I checked the page that you linked to and found that my "IP is banned indefinitely". A possible reason is that another user from Singapore messed around with their system and they were not happy and decided to ban him by IP... but since Singaporeans have a very limited set of network providers with a very limited number of IP addresses for home users, that IP address happens to be my current IP address as well.

In fact, I once managed to block myself from logging into my own server after installing a script that blocks users by IP address based on failed login attempts - I forgot to put my own IP address on the list of addresses that should be ignored from blocking, and perhaps some script kiddie from my own country had been trying his luck on my server.

The good part of using IP addresses is that if an attacker has a different IP address from the legitimate user then a denial of service attack is not possible, but if not being denied access to the service for 6 hours can be very frustrating to a legitimate user.

Anyway, cookies will not cut it here since a malicious user will simply delete them. You have to keep track of everything serverside.

NeXEA

Well the IP ban has always been a problem with me just because of that reason. I have had this happen to me before where I was banned, and was very confused as to why.
About an hour later I got in, so im guessing some crazy man tried on them and some he had my same IP.

I also have been trying to get a setup that works server side. I am going to be working on it tomorrow and see what I can come up with, and post my code and db tables for some criticism. ;]

laserlight

You might also want to consider other approaches to the problem. For example, after say, one or two failed attempts, you could add a CAPTCHA so as to make an automated attack more difficult. You could slow down brute force attempts simply by adding a small, possibly random, delay before you feedback to the user that the login attempt failed.

NeXEA

I was definatly going to add a CAPTCHA, but how would I do a delay, like throwing in the script for PHP to sleep() for a few seconds and then telling the user they had a failed login attempt

laserlight

NeXEA wrote:
how would I do a delay, like throwing in the script for PHP to sleep() for a few seconds and then telling the user they had a failed login attempt

Yes, but you probably should not have it longer than a second or two since you do not want to appear to be lagging to a legitimate user (not to mention that a malicious user would probably guess what you are doing and have his/her script assume failure after a suspiciously long delay). Remember that there is network latency which will add to the delay.

ucffool

You could even throw in a 'temporary page' that displays
"Still trying to login, bear with me..." which gives feedback to legit users, but can continue to slow them down after each try. You will want to log the last attempt time and have a short timeframe for reducing the 'delay' to < 2 seconds, so a legit user doesn't end up with a 10 second delay.

dagon

log the user name and date stamp, on every login attempt see check how many times that user name has tried to log in (unsuccessfully) in the last X minutes. Never log the ip.

StevenJ

i am assuming that you are using MySQL to hold usernames and passwords?

I would also add a colum in the table for number of failed login attempts, and time that you wish to ban them until.

and then...........psuedo code of course

if ((user and password == OK) && ( failed login attempts < 6) && (time now  > time the user is banned until)
{
reset the number of failed logins to 0
set the time that the user is banned until as time now - essentially unbanning the user.
login normally
} else {
increment the failed login attempts
if (failed login == 6) { set time banned until to time now + 6hours }
redirect the user to a banned page, and maybe display the time that they are banned until?
}

laserlight

StevenJ wrote:
and then...........psuedo code of course

Wel... you do not actually have to bother changing the "time the user is banned until" on a successful login since by definition that parameter was passed 😉

The whole "suspend account after n number of failed logins" works well in a physical environment where an administrator is on call during office hours (and beyond). Additionally, an attempted denial of service attack would usually have to be done manually.

In a web based environment, this is different. A bot can perform the denial of service attack, and this may overwhelm an administrator who has to unban users manually, assuming that an administrator is even at hand to do so. A way out is to allow users to "clear their name" via a separate channel, e.g., they can request for an email with some "reactivation code" to be sent to them (or maybe just have them reset their password, since that is what a legitimate user who has forgotten his/her password will do after several failures to login with the wrong passwords).

I am not sure if a ban time in the range of hours makes sense either. A few minutes would be enough to slow down a bot sufficiently.