Brian
Joined: Feb 25, 2006
Posts: 19277
Des Moines, Iowa, USA
Posted on Sep 01 2013 01:26 PM
So I've been paying attention to the server logs for some time and it is quite frightening. The analogy is every 10 or 20 minutes some stranger comes up to your house, tries the locks, tries to open a window or two, then rings the doorbell and when you say "who is it?", he just tries random names trying to guess the names of your friends and family.
So in order to reduce their chances of getting in, I've implemented rate limiting on login and registration attempts. If you try to log in or register and fail 6 times in 10 minutes, the server will block your IP address for 10 minutes. There is also a special 2 week ban, but it should be VERY difficult to accidentally trigger that one if you are using a normal browser.
I've been doing this for a while but I just thought I would warn everyone. If you forget your password and fail a few attempts, just click the reset password link. Or go get a beer and wait a few minutes. Sorry about this but you can't believe the bots out there that just sit around and try to guess passwords.
If you have questions or concerns just email or PM me (brian at surfguitar101 dot com). Thanks.
— Site dude - S3 Agent #202
Need help with the site? SG101 FAQ - Send me a private message - Email me
"It starts... when it begins" -- Ralf Kilauea
crumble
Joined: Sep 09, 2008
Posts: 3158
Guildford England
Posted on Sep 01 2013 04:02 PM
This totally and utterly blew my brain cell! Eyes w-i-d-e!
http://youtu.be/VNIGQL8s2eM
morphball
Joined: Dec 23, 2008
Posts: 3324
Pittsboro, NC
Posted on Sep 01 2013 04:14 PM
10 minutes is pretty generous - at my workplace, I used that denyhosts script for FTP users (I think you actually recommended it way back), and I had it blocking people permanently after about 10 unsuccessful attempts... that is, until they wrote in and I would whitelist them, at least. There were a LOT more people getting locked out than I anticipated though, and I had to ease up on it.
— Mike
http://www.youtube.com/morphballio
Brian
Joined: Feb 25, 2006
Posts: 19277
Des Moines, Iowa, USA
Posted on Sep 01 2013 04:25 PM
I'm using fail2ban now.
I debated about 10 minutes. But after watching the logs, these guys have a whole bunch of IP addresses at their disposal. So one fails to register or login and then a few minutes later I see a similar attempt from another IP. I'm afraid if I made it too high it would impact real users who accidentally locked themselves out.
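The policy Brian describes in his first post (6 failed login or registration attempts within 10 minutes blocks the source IP for 10 minutes, with a rarer 2-week ban for repeat offenders), written out as a small sliding-window limiter. This is an added illustration, not code from the site or from fail2ban; the 2-week ban trigger (three short blocks within 24 hours) and the sample IP are assumptions, since the thread does not say how that ban is reached.

```python
from collections import defaultdict, deque

WINDOW = 10 * 60              # count failures over a 10-minute window
MAX_FAILS = 6                 # the 6th failure in the window triggers a block
SHORT_BLOCK = 10 * 60         # first-level block lasts 10 minutes
LONG_BLOCK = 14 * 24 * 3600   # second-level ban lasts 2 weeks
ESCALATE_WINDOW = 24 * 3600   # ASSUMPTION: count short blocks over 24 hours
ESCALATE_AFTER = 3            # ASSUMPTION: 3rd short block in that window -> 2-week ban


class LoginLimiter:
    """Per-IP failure tracking; timestamps are plain unix seconds."""

    def __init__(self):
        self.fails = defaultdict(deque)   # ip -> times of recent failures
        self.blocks = defaultdict(deque)  # ip -> times of recent short blocks
        self.blocked_until = {}           # ip -> unix time the block expires

    @staticmethod
    def _trim(q, now, span):
        # drop entries older than the window so only recent events count
        while q and now - q[0] > span:
            q.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register a failed attempt; return block length applied (0 = none)."""
        q = self.fails[ip]
        q.append(now)
        self._trim(q, now, WINDOW)
        if len(q) < MAX_FAILS:
            return 0
        q.clear()                         # start a fresh window after a block
        b = self.blocks[ip]
        b.append(now)
        self._trim(b, now, ESCALATE_WINDOW)
        if len(b) >= ESCALATE_AFTER:      # repeat offender: long ban
            self.blocked_until[ip] = now + LONG_BLOCK
            return LONG_BLOCK
        self.blocked_until[ip] = now + SHORT_BLOCK
        return SHORT_BLOCK

    def record_success(self, ip):
        # a successful login clears the failure count, as a user who
        # mistyped a password a few times should not stay at risk of a block
        self.fails.pop(ip, None)
```

A real user who fails a few times and then resets the password never reaches six failures in the window, so only sustained guessing from one address is blocked.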
Brian
Joined: Feb 25, 2006
Posts: 19277
Des Moines, Iowa, USA
Posted on Sep 01 2013 04:32 PM
crumble wrote:
This totally and utterly blew my brain cell! Eyes w-i-d-e!
http://youtu.be/VNIGQL8s2eM
Yeah it's crazy. I'll have to find some time to watch all this. I did read about that guy they profile in the first 5 minutes who lost all his accounts across multiple devices in the space of an hour.