
Rate limiting login & registration attempts


So I've been paying attention to the server logs for some time and it is quite frightening. The analogy is every 10 or 20 minutes some stranger comes up to your house, tries the locks, tries to open a window or two, then rings the doorbell and when you say "who is it?", he just tries random names trying to guess the names of your friends and family.

So in order to reduce their chances of getting in, I've implemented rate limiting on login and registration attempts. If you try to log in or register and fail 6 times in 10 minutes, the server will block your IP address for 10 minutes. There is also a special 2 week ban, but it should be VERY difficult to accidentally trigger that one if you are using a normal browser.

I've been doing this for a while but I just thought I would warn everyone. If you forget your password and fail a few attempts, just click the reset password link. Or go get a beer and wait a few minutes. Sorry about this but you can't believe the bots out there that just sit around and try to guess passwords.

If you have questions or concerns just email or PM me (brian at surfguitar101 dot com). Thanks.

Site dude - S3 Agent #202
Need help with the site? SG101 FAQ - Send me a private message - Email me

"It starts... when it begins" -- Ralf Kilauea

This totally and utterly blew my brain cell! Eyes w-i-d-e!
http://youtu.be/VNIGQL8s2eM

10 minutes is pretty generous. At my workplace, I used that denyhosts script for FTP users (I think you actually recommended it way back), and I had it blocking people permanently after about 10 unsuccessful attempts... that is, until they wrote in and I would whitelist them, at least. There were a LOT more people getting locked out than I anticipated though, and I had to ease up on it.

Mike
http://www.youtube.com/morphballio

I'm using fail2ban now.

I debated about 10 minutes. But after watching the logs, these guys have a whole bunch of IP addresses at their disposal. So one fails to register or log in and then a few minutes later I see a similar attempt from another IP. I'm afraid if I made it too high it would impact real users who accidentally locked themselves out.

Site dude - S3 Agent #202
Need help with the site? SG101 FAQ - Send me a private message - Email me

"It starts... when it begins" -- Ralf Kilauea
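The policy described in the first post (six failed login or registration attempts from one address inside ten minutes, then a ten-minute block for that address), and the threshold tuning discussed in the reply above, as a sliding-window limiter. This is an added example written for this thread, not the site's own code; the `LoginRateLimiter` name and the IP addresses are constructed.

```python
import time
from collections import defaultdict, deque

# Constructed policy matching the thread: 6 failures in 10 minutes -> 10 minute block.
WINDOW_SECONDS = 600   # how far back failures are counted
MAX_FAILURES = 6       # the failure that reaches this count trips the block
BLOCK_SECONDS = 600    # how long the address stays blocked


class LoginRateLimiter:
    """Per-IP sliding-window failure counter (hypothetical helper, not the site's code)."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES, block=BLOCK_SECONDS):
        self.window, self.max_failures, self.block = window, max_failures, block
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def _prune(self, ip, now):
        # Drop failures that have aged out of the window so old mistakes stop counting.
        recent = self.failures[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()

    def is_blocked(self, ip, now=None):
        """True while the address is inside its block period; expired blocks are cleared."""
        now = time.time() if now is None else now
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now=None):
        """Register one failed login/registration; returns True if this one trips the block."""
        now = time.time() if now is None else now
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.blocked_until[ip] = now + self.block
            self.failures[ip].clear()   # start counting fresh once the block lifts
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the address's failure history."""
        self.failures.pop(ip, None)
```

As the reply notes, the same attacker can come back from a different address, so a per-IP counter only slows a distributed campaign; counting failures per target account as well is the usual complement.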

crumble wrote:

This totally and utterly blew my brain cell! Eyes w-i-d-e!
http://youtu.be/VNIGQL8s2eM

Yeah it's crazy. I'll have to find some time to watch all this. I did read about that guy they profile in the first 5 minutes who lost all his accounts across multiple devices in the space of an hour.

Site dude - S3 Agent #202
Need help with the site? SG101 FAQ - Send me a private message - Email me

"It starts... when it begins" -- Ralf Kilauea
