One sec, I'll check. I think I turned it off for a script I don't use.
edit: turned magic quotes on ;D

Last edited by Chippiewill; 30-09-2007 at 03:11 PM.
Chippiewill.
oh no a brute will get it nooooooooooooooooo
lol I'm gonna add some extra security
I'm gonna add the 3 wrong password lockout feature muhahahaha
PS new URL
http://usersystem.habbies.com
Chippiewill.
URL doesn't work..
Yeah, link doesn't work.
-.-
really?
edit: woops
http://usersystem.thehabbies.com
Sorry, I keep on forgetting the 'The' part of 'The Habbies'
Last edited by Chippiewill; 30-09-2007 at 05:58 PM.
Chippiewill.
Sorry, couldn't edit
Notice:
There will be a little downtime for login
Chippiewill.
Hmm bit of an update
Working again
Auto redirect fixed
I've been thinking of how to protect from a brute force attack on the admin accounts, so here is what I think I will do:
Step 1) Make all admin functions only accessible to localhost
Step 2) When admin logs in he will be redirected to a .htaccess protected proxy on localhost
Step 3) He will then be taken to another login page which will have a different password and will not use a normal password box but will use selection boxes (the round ones)
Step 4) They will be redirected to the admin section of the user system
The session will last a maximum of 5 minutes for admin
Is this a good way to protect from a brute force?
Chippiewill.
No.
You have to gauge between usability and security. Plus it is highly unlikely that the admin will be logging in from localhost anyway since that would require physical access or remote desktop access to that server (Assuming the server has the means to view internet pages as well).
Currently you have the administrator logging in three times before being granted access to the control panel, only to find out he has to re-login again after five minutes. If I was an administrator using this software I would be quite annoyed and frustrated by now.
I recommend you always re-authenticate the user after logging in before granting access to the admin control panel. If you plan to release it then leave the .htaccess option to the end user, as the end user may not want this additional delay to access the control panel or the user may not be using Apache as their webserver software.
The drop down menu pin-style login is totally unneeded. If you were to include it and release it to other people then I recommend you leave it disabled by default, but allow the end user to re-enable it if he so wishes.
Plus none of what you specified will actually prevent a brute force attack, only delay it. If you wish to prevent a brute force attack then you need some sort of detection to detect automated login attempts. Let's say the user gets the password wrong two times in a row. I would recommend that you delay the login by about 3-5 seconds - make it wait. This would slow down the brute force program tremendously as the whole idea of automated attacks is that it's very fast. Next, after about five failed attempts, you should lock out the account for around ten minutes and use email or whatever to notify an administrator if the account that is locked out is another administrator. If you continue to get failed login attempts from the same IP address then I recommend you block that IP address for around 1 to 2 hours and, as above, notify the administrator.
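As an added example (not code from this thread or from Chippiewill's user system), the failed-attempt policy in the post above written out in Python. The delay, lockout and notification thresholds are the ones the post gives; the per-IP threshold of ten failures and the one-hour block length are assumptions, since the post only says "continue to get failed login attempts" and "1 to 2 hours".

```python
"""Login-attempt throttle: slow down, then lock out, then block the IP, and notify."""
from dataclasses import dataclass, field
from typing import Callable

DELAY_AFTER = 2             # consecutive failures before the slow-down starts
DELAY_SECONDS = 3           # post suggests 3-5 seconds; the low end is used here
LOCK_AFTER = 5              # failures before the account is locked
LOCK_SECONDS = 10 * 60      # ten minutes
IP_BLOCK_AFTER = 10         # assumption: the post does not give a number
IP_BLOCK_SECONDS = 60 * 60  # "1 to 2 hours"; one hour used here


@dataclass
class LoginThrottle:
    admins: set                           # accounts whose lockout is worth a notification
    notify: Callable[[str], None] = print  # hook: e-mail in production, print here
    fails: dict = field(default_factory=dict)             # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)      # account -> unlock timestamp
    ip_fails: dict = field(default_factory=dict)          # ip -> failures since last block
    ip_blocked_until: dict = field(default_factory=dict)  # ip -> unblock timestamp

    def check(self, user, ip, now):
        """Decide before verifying the password. Returns (decision, seconds):
        ('blocked', remaining) / ('locked', remaining) / ('allow', delay_to_apply)."""
        if self.ip_blocked_until.get(ip, 0) > now:
            return ("blocked", self.ip_blocked_until[ip] - now)
        if self.locked_until.get(user, 0) > now:
            return ("locked", self.locked_until[user] - now)
        delay = DELAY_SECONDS if self.fails.get(user, 0) >= DELAY_AFTER else 0
        return ("allow", delay)   # caller sleeps `delay` seconds server-side before answering

    def record_failure(self, user, ip, now):
        """Call after a wrong password; escalates through lockout and IP block."""
        self.fails[user] = self.fails.get(user, 0) + 1
        self.ip_fails[ip] = self.ip_fails.get(ip, 0) + 1
        if self.fails[user] >= LOCK_AFTER:
            self.locked_until[user] = now + LOCK_SECONDS
            self.fails[user] = 0  # counter starts fresh once the lock expires
            if user in self.admins:
                self.notify(f"admin account {user!r} locked after {LOCK_AFTER} failures from {ip}")
        if self.ip_fails[ip] >= IP_BLOCK_AFTER:
            self.ip_blocked_until[ip] = now + IP_BLOCK_SECONDS
            self.ip_fails[ip] = 0
            self.notify(f"IP {ip} blocked for {IP_BLOCK_SECONDS // 60} minutes after repeated failures")

    def record_success(self, user):
        """A correct login clears the account's consecutive-failure count."""
        self.fails.pop(user, None)
```

Timestamps are passed in rather than read from the clock so the policy can be unit-tested without sleeping; in the real login handler `now` would be `time.time()` and the returned delay would be applied server-side.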
Urm, I don't think you quite understood,
this is a script for personal use that I needed testing for security
it is self hosted so the localhost thing is good!
Also I meant 5 minutes no action before the session ends, not 5 minutes then stop
plus your idea was what I was originally going to do, but I had a problem that if someone tried the Admin too much then I won't be able to access it for about ten mins
plus I didn't know that all brute forcers were capable of filling in the circular selection box?
Chippiewill.