On 8/16/07, Bill Moseley <[EMAIL PROTECTED]> wrote:
> I'm looking for ideas on how to implement a way to detect and block
> dictionary attacks. This is not a question of how to implement strong
> passwords, but rather the act of limiting logins when too many failed
> passwords have been attempted in some period of time.
> [...]
> Anyone doing something like this already? Suggestions? Caveats?
Yes, there's a plugin that Sam Tregar developed for CGI::Application:
http://search.cpan.org/~samtregar/CGI-Application-Plugin-RateLimit-1.0/RateLimit.pm

This was used in Krang (http://krangcms.com/) for exactly what you're describing: limiting login attempts. You could adapt that design. It uses a database for storage, which ought to be fine unless you have massive traffic hitting this login page, but I don't see any reason your memcached idea wouldn't work.

I also did one of these years ago just to limit the number of hits to a URL from a specific client within a window of time. It was based on Randal's code here:
http://www.stonehenge.com/merlyn/LinuxMag/col17.html

I modified it to use a (verified) cookie instead of an IP if possible and to count hits rather than CPU. It just returned a Forbidden error when people exceeded the limit. At the time, it was a neat design because it just used tightly packed data in files, so no locking was needed and no database. Today I would use a database instead.

- Perrin

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
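The design Perrin describes (count failures per client inside a rolling time window, key on a verified cookie where available and fall back to the IP, answer Forbidden once the limit is exceeded) is shown below as an added example. It is not the CGI::Application::Plugin::RateLimit code, Krang's code, or Randal's column code; the class and function names (`LoginRateLimiter`, `attempt_login`, `FakeClock`), the limits, and the sample addresses are all constructed for this illustration. Storage is an in-process dict standing in for the database or memcached backend the thread discusses.

```python
"""Sliding-window limiter for failed login attempts (added example, not
code from the thread or from any of the projects it mentions)."""
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable clock so the limiter can be exercised without sleeping.
    A real deployment would pass time.monotonic (the default) instead."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginRateLimiter:
    """Count failed logins per client inside a rolling window and block
    further attempts once the limit is reached. The dict used here is the
    stand-in for the shared database/memcached store a multi-server setup
    needs so that every app server sees the same counts."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    @staticmethod
    def client_key(client_ip, verified_cookie=None):
        # Prefer a verified (signed) session cookie over the IP, as the
        # thread suggests, so many users behind one NAT are not locked out
        # because of one user's failures. IP is the fallback.
        if verified_cookie:
            return ("cookie", verified_cookie)
        return ("ip", client_ip)

    def _prune(self, key):
        """Drop failures older than the window and return the live deque."""
        cutoff = self.clock() - self.window
        q = self._failures[key]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._prune(key)) >= self.max_failures

    def record_failure(self, key):
        self._prune(key).append(self.clock())

    def record_success(self, key):
        # A successful login resets the counter for that client.
        self._failures.pop(key, None)


def attempt_login(limiter, client_ip, password_ok, verified_cookie=None):
    """Return the HTTP status a login handler would send: 403 (Forbidden)
    while the client is over the limit, 401 on a wrong password, 200 on
    success. The limit is checked before the password, so a locked-out
    client gets 403 even with the right password until the window passes."""
    key = limiter.client_key(client_ip, verified_cookie)
    if limiter.is_blocked(key):
        return 403
    if not password_ok:
        limiter.record_failure(key)
        return 401
    limiter.record_success(key)
    return 200


if __name__ == "__main__":
    # Constructed walk-through: three failures lock the client out for the window.
    clock = FakeClock()
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60, clock=clock)
    for _ in range(3):
        print(attempt_login(limiter, "198.51.100.7", password_ok=False))  # 401
    print(attempt_login(limiter, "198.51.100.7", password_ok=True))       # 403
    clock.advance(61)
    print(attempt_login(limiter, "198.51.100.7", password_ok=True))       # 200
```

Checking the limit before verifying the password is deliberate: it keeps a locked-out client from learning anything about the password, and it keeps the expensive password check off the hot path during an attack. Returning 403 rather than 401 also makes the lockouts easy to spot in access logs.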
