Comments (10)
Yep, a counter could work in that case, and having it reset to zero when you log in correctly. But then you would also need a mechanism to have it reset after a bit of time.
Packages like django-defender and django-axes do this for you.
from dwitter.
I mean, we store a list of users in the database, so we'd just implement it into that. Like:
User: kipkat
Blah: bleh
Whatever: whatever
Login_attempts: 2
Right? We don't need the IP... Just the number of login attempts for each user on the site.
If I think about it a little, an attacker can spam an incorrect password all day, and that will make the account impossible for anyone to access if it's blocked (based on that last engine you described).
That's also an important point kipkat. Gotta be careful when throttling that we don't create a denial of service opportunity.
Attackers can change IP often, but I doubt they have the 1,000,000 proxies needed for brute-force.
In my APIs I use this approach:
- A cooldown mechanism which allows 20 initial guesses for free, but after that max 2 per minute
- But actually, it's a separate cooldown monitor for each IP address (attacker can only DOS himself)
- Occasionally, clean up any cooldown monitors which have gone cold (to prevent memory/DB leaks)
- Optional: Do it all in memory rather than DB (avoids race condition if 30 requests are made in parallel; for multiple API servers could maybe use a redis cache?)
The cooldown mechanism itself works like this:
- Store the last known temperature, and the last time the temperature was read
- Max temperature (aka overheat) is 20 degrees
- Each guess causes +1 degree warming (or is rejected if overheated, with no warming)
- Cooldown rate is -2/60 degrees per second
- Apply (interpolate) any uncounted cooling just before reading the temperature (to avoid having to iteratively update temperatures every second)
Here is the cooldown monitor code. But the cache of IP->CooldownMonitor is not there.
Now I read Stian's comment about some existing solutions for django! :)
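The "temperature" cooldown described in the comment above, written out as an added example (this is not the commenter's own code, which the comment says it omitted the IP cache for). The constants follow the thread: 20 free guesses, +1 degree per accepted guess, cooling of 2/60 degrees per second, so a hot IP gets 2 guesses per minute. The class and method names (`CooldownMonitor.try_guess`, `CooldownRegistry`, `purge_cold`), the `FakeClock` used so the demo runs without sleeping, and the IP addresses are all constructed for the example. It is single-process and in-memory; a multi-server deployment would need the shared store the comment itself mentions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

OVERHEAT = 20.0                   # max temperature: 20 guesses before throttling starts
WARMING_PER_GUESS = 1.0           # each accepted guess adds one degree
COOLING_PER_SECOND = 2.0 / 60.0   # 2 degrees per minute => 2 guesses per minute once hot


@dataclass
class CooldownMonitor:
    """Per-IP state: last known temperature and when it was last read."""
    temperature: float = 0.0
    last_read: float = 0.0

    def _apply_cooling(self, now: float) -> None:
        # Interpolate the cooling that happened since the last read instead of
        # ticking every second; clamp so the temperature never drops below zero.
        elapsed = max(0.0, now - self.last_read)
        self.temperature = max(0.0, self.temperature - elapsed * COOLING_PER_SECOND)
        self.last_read = now

    def try_guess(self, now: float) -> bool:
        """True if the guess may proceed; an overheated monitor rejects without warming."""
        self._apply_cooling(now)
        if self.temperature >= OVERHEAT:
            return False
        self.temperature += WARMING_PER_GUESS
        return True

    def is_cold(self, now: float) -> bool:
        self._apply_cooling(now)
        return self.temperature <= 0.0


class CooldownRegistry:
    """Cache of IP -> CooldownMonitor, the piece the comment left out (assumed name)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._monitors: Dict[str, CooldownMonitor] = {}

    def allow_attempt(self, ip: str) -> bool:
        now = self._clock()
        monitor = self._monitors.get(ip)
        if monitor is None:
            monitor = self._monitors[ip] = CooldownMonitor(last_read=now)
        return monitor.try_guess(now)

    def purge_cold(self) -> int:
        """Drop monitors that have fully cooled; returns how many were removed."""
        now = self._clock()
        cold = [ip for ip, m in self._monitors.items() if m.is_cold(now)]
        for ip in cold:
            del self._monitors[ip]
        return len(cold)

    def tracked(self) -> int:
        return len(self._monitors)


class FakeClock:
    """Constructed clock so the demo runs instantly instead of sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_burst(attempts: int, clock: Optional[FakeClock] = None) -> Tuple[int, int]:
    """Fire `attempts` guesses from one constructed IP at once; returns (accepted, rejected)."""
    clock = clock or FakeClock()
    registry = CooldownRegistry(clock=clock)
    accepted = sum(registry.allow_attempt("203.0.113.7") for _ in range(attempts))
    return accepted, attempts - accepted


if __name__ == "__main__":
    print(simulate_burst(25))   # (20, 5): the free budget, then rejections
```

Because cooling is interpolated lazily, a burst of parallel requests is the only place the model needs care: two requests reading the same monitor at once can both see 19 degrees, which is the race the comment avoids by keeping the state in one process.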
I assume you'd need some sort of localstorage value that tracks the number of incorrect attempts and then implement some logic around that in the login form. I'll see if I can give it a go when I get home in about 3 hours, but of course you're free to implement this before then if you want to...
If you want this kind of security, I would implement it on the backend in django, and not in the frontend, where it's relatively easy to bypass.
Well I mean, that's a good point. Now that I think about it, we could just add an entry to the database with the count of incorrect logins for each user, then use that. Then it'd be entirely backend as well...
I'm not at all good with databases though 😂
Yes, but what computer info must we register in the DB? The IP? Using an attack tool with dynamic proxies can change the IP for every password in the wordlist.
Oh, good point.
I implemented something like this for the web portal for my employer.
Basically, you have a login_attempts table which counts logins with the latest timestamp for both IP and username, and won't allow more than one in 3 minutes after 5 failed logins. After 10 the account is locked.
There is another option: use fail2ban on the server. It generally blocks all kinds of DDoS attempts by scanning web logs and changing the firewall rules.
I use this on my personal websites on DigitalOcean.
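An added example of the login_attempts policy described in the comment above (not the commenter's employer's code): failures are counted per IP and per username with the latest timestamp, after 5 failures only one attempt per 3 minutes is allowed on that IP or username, and after 10 failures the account is locked. It also resets the counters on a successful login, as suggested earlier in the thread. The in-memory dict stands in for the database table, and the class and method names (`LoginAttempts`, `check`, `record_failure`, `record_success`) and addresses are assumptions. Note the trade-off raised in the thread: the per-username lock means a persistent attacker can lock a victim out, so the per-IP limit is what keeps an attacker from being throttled only at the account's expense.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

THROTTLE_AFTER = 5        # failures before the 3-minute rate limit applies
THROTTLE_INTERVAL = 180   # seconds: at most one attempt per 3 minutes once throttled
LOCK_AFTER = 10           # failures before the account is locked outright


@dataclass
class AttemptRow:
    """One row of the login_attempts table: a failure count and latest timestamp."""
    failures: int = 0
    last_attempt: float = 0.0


class LoginAttempts:
    """In-memory stand-in for the login_attempts table, keyed by IP and by username."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._rows: Dict[Tuple[str, str], AttemptRow] = {}

    def _row(self, key: Tuple[str, str]) -> AttemptRow:
        return self._rows.setdefault(key, AttemptRow())

    def check(self, ip: str, username: str) -> str:
        """Decide before verifying the password: 'allowed', 'throttled' or 'locked'."""
        now = self._clock()
        user_row = self._row(("user", username))
        if user_row.failures >= LOCK_AFTER:
            return "locked"
        for row in (self._row(("ip", ip)), user_row):
            recently = now - row.last_attempt < THROTTLE_INTERVAL
            if row.failures >= THROTTLE_AFTER and recently:
                return "throttled"
        return "allowed"

    def record_failure(self, ip: str, username: str) -> None:
        """A wrong password counts against both the source IP and the target account."""
        now = self._clock()
        for key in (("ip", ip), ("user", username)):
            row = self._row(key)
            row.failures += 1
            row.last_attempt = now

    def record_success(self, ip: str, username: str) -> None:
        """A correct login clears the counters, as the thread suggests."""
        self._rows.pop(("user", username), None)
        self._rows.pop(("ip", ip), None)


if __name__ == "__main__":
    # Constructed walk-through: five wrong passwords, then the throttle kicks in.
    attempts = LoginAttempts()
    for _ in range(THROTTLE_AFTER):
        attempts.record_failure("203.0.113.7", "bob")
    print(attempts.check("203.0.113.7", "bob"))     # throttled
    print(attempts.check("198.51.100.9", "alice"))  # allowed
```

`check` runs before the password is verified, so a throttled or locked request never reaches the hashing step; only genuine failures update the table.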