Leaderboard

Popular Content

Showing content with the highest reputation on 01/23/22 in all areas

  1. Hello, I think I found a solution for this. In procedure TUniServerModule.UniGUIServerModuleHTTPCommand( just add these headers:

         AResponseInfo.CustomHeaders.AddValue('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate'); // HTTP 1.1
         AResponseInfo.CustomHeaders.AddValue('Pragma', 'no-cache'); // HTTP 1.0
         AResponseInfo.CustomHeaders.AddValue('Expires', '0');

     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
     https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

     This may extend the data transfer between client and server (it will use more traffic).
    2 points
  2. Thank you so much IrigSoft. We are learning good things with you.
    1 point
  3. Here is a list of IPs from the link above: https://community.checkpoint.com/t5/Management/HowTo-Block-IoT-scanners-like-Shodan-Censys-Shadowserver-PAN/td-p/124612 It is not complete, but it has most of the IPs from the link: WebScannersIpList.txt, if someone wants to add this to BlockedIpList.
    1 point
  4. 1. UniHiddenPanel1 -> UniCheckBox1

     2.

         procedure TMainForm.UniFormReady(Sender: TObject);
         begin
           UniDBGrid1.JSInterface.JSCall('header.insert', [1, UniCheckBox1.JSControl])
         end;

     3.

         procedure TMainForm.UniCheckBox1Change(Sender: TObject);
         begin
           //
         end;
    1 point
  5. Hello everyone, there is a new security challenge here!

     The plan: there are standard techniques to slow down an attacker:

     1 - after some tries to log in (brute force attack) - log the IP in BlockIPList. Block the IP of the attacker
     2 - using reCaptcha - prevents bots (some reCaptcha is useless!)
     3 - using strong passwords (more than 10 symbols) - slows down GPU calculations
     4 - using hash of passwords - slows down GPU calculations
     5 - disable user account - attacker must change user name
     6 - using the same error message for different login errors - prevents catching the user name
     7 - after every next try, slow down the answer from the server - this will slow down GPU calculations
     8 - enable OneIpPerUser - this will block many sessions from one PC

     I made some protection code based on the plan:

     3 - using strong passwords (more than 10 symbols)
     4 - using hash of passwords

     On the TUniServerModule.UniGUIServerModuleHTTPCommand:

         unIServerModule.Lock;
         TRY
           If FileExists (ExtractFilePath(StartPath) + 'root\BldIPList.config') then
             BlockedIPList.LoadFromFile (ExtractFilePath(StartPath) + 'root\BldIPList.config'); // reload IP list
         FINALLY
           unIServerModule.UnLock;
         END;

         IF BlockedIPList.Count > 0 then
         begin
           if BlockedIPList.IndexOf (ARequestInfo.RemoteIP) > -1 then
           begin
             AResponseInfo.ContentText := '<h1>Access denied</h1>'; // point 6
             Handled := True;
             AResponseInfo.CloseSession;
             GOTO ENDALL;
           end;
         end;

     On the login form, BtnLogin.onClick:

         UniServerModule.Lock;
         try
           If FileExists (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config') then
             unIServerModule.BlockedIPList.LoadFromFile (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config');
         finally
           UniServerModule.UnLock;
         end;

         // block IP
         if uniMainModule.BruteForceTrys > 5 then
         begin // point 1
           // block IP address
           UniServerModule.Lock;
           try
             UniServerModule.BlockedIPList.Add (UniSession.RemoteIP);
             UniServerModule.BlockedIPList.SaveToFile (ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config');
           finally
             UniServerModule.UnLock;
           end;
           sleep (100);
           UniSession.Terminate ('<h1>Access denied</h1>'); // point 6
           exit;
         end;

     UniGUIMainModuleCreate, reload blocked IPs:

         UniServerModule.Lock;
         try
           If FileExists (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config') then
             unIServerModule.BlockedIPList.LoadFromFile (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config');
         finally
           UniServerModule.UnLock;
         end;

     I added some extras, such as a log for IPs which made 2 or more login errors (suspicious IP addresses).

     7 - after every next try, slow down the answer from the server - add some timers to make the next login attempt wait!
     8 - enable OneIpPerUser -

         ServerLimits.SessionRestrict := srOnePerPC;
         ServerLimits.SessionRestrict := srOnePerIP;
    1 point
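Points 1 and 7 of the plan in the post above (block after repeated failures, slow down each next answer) can share one per-IP counter. The unit below is an added example, not part of the original post and not uniGUI code; the unit name, `LoginFailed`, `TAttempt` and the three constant values are assumptions chosen for illustration.

```delphi
unit LoginThrottle; // hypothetical helper unit, not part of uniGUI
interface
uses
  System.SysUtils, System.DateUtils, System.Generics.Collections;
const
  MaxFailures   = 5;    // plan point 1: block the IP at this many failures
  WindowMinutes = 15;   // assumed value: older failures are forgotten
  BaseDelayMs   = 250;  // plan point 7: delay doubles with each failure

type
  TAttempt = record
    Failures: Integer;
    Last: TDateTime;
  end;

// Counts failed logins per client IP rather than per session, because a
// client gets a fresh session (and a fresh counter) just by reconnecting.
// Returns the delay in ms to apply before answering the failed attempt.
function LoginFailed(const IP: string; out Blocked: Boolean): Integer;

implementation
var
  ByIP: TDictionary<string, TAttempt>;

function LoginFailed(const IP: string; out Blocked: Boolean): Integer;
var
  A: TAttempt;
begin
  TMonitor.Enter(ByIP);  // requests may be handled on several threads
  try
    if (not ByIP.TryGetValue(IP, A)) or
       (MinutesBetween(Now, A.Last) >= WindowMinutes) then
      A.Failures := 0;   // first failure, or the previous ones have expired
    if A.Failures < MaxFailures then
      Inc(A.Failures);   // capped, so the shift below cannot overflow
    A.Last := Now;
    ByIP.AddOrSetValue(IP, A);
    Blocked := A.Failures >= MaxFailures;
    Result := BaseDelayMs shl (A.Failures - 1);  // 250, 500, ... 4000 ms
  finally
    TMonitor.Exit(ByIP);
  end;
end;

initialization
  ByIP := TDictionary<string, TAttempt>.Create;
finalization
  ByIP.Free;
end.
```

When `Blocked` comes back True the caller can add the address to the blocked IP list as the post does. Clients behind one NAT address share a counter, and entries are never pruned here, so a long-running server would also need a periodic cleanup.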