Tokay Posted August 23, 2021
Is it possible to add this kind of protection? Maybe someone knows how to do it.
irigsoft Posted August 23, 2021
6 hours ago, Tokay said: Is it possible to add this kind of protection? Maybe someone knows how to do it.
Do you use a hash algorithm for passwords? Do you know all passwords are visible like plaintext on Google Console? Did you protect them from Google Console? Did you try these methods?: https://auth0.com/docs/attack-protection/brute-force-protection
Good explanation of methods: https://portswigger.net/web-security/authentication/password-based

Brute-Force Protection
Brute-force protection, which safeguards against brute-force attacks that occur from a single IP address and target a single user account, is enabled by default for all connections. When triggered, brute-force protection will:
- after some tries to log in (brute force attack) - log the IP in BlockIPList
- send an email to the affected user.
- block the suspicious IP address for the user.
If brute-force protection is triggered, it will only be removed when:
- The affected user clicks on the unblock link in the email notification (if configured).
- The affected user changes their password (on all linked accounts).
- An administrator removes the block.
A good method is also to show the user a reCAPTCHA after the first attempt. Creating and applying the methods used by Kaspersky is a good start: https://www.kaspersky.com/resource-center/definitions/brute-force-attack
irigsoft Posted August 24, 2021
I read about this kind of attack (I am not a security expert) and there are some problems with protecting against it:
- if the attacker uses multiple IP addresses with bots! (GPU PCs from different IPs - this will enable more than 3000 tries per second from one IP address) - more like a DDoS attack (use p.1,2,5,7)
- if the attacker uses the same user and different passwords on different sessions! (use p.2,3,4,5)
- if the attacker uses different users and different passwords on different sessions! (use p.1,6,7)
- if the attacker knows one correct user and password (inner brute force attack)! (protection is useless) - you must change all passwords and accounts! Maybe you must change the login strategy.
To catch this you must have some analytics methods.
There are standard techniques to slow down the attacker:
1 - after some tries to log in (brute force attack) - log the IP in BlockIPList. Block the IP of the attacker
2 - using reCAPTCHA - prevents bots (some reCAPTCHA is useless!)
3 - using strong passwords (more than 10 symbols) - slows down GPU calculations
4 - using hashes of passwords - slows down GPU calculations
5 - disable the user account - the attacker must change the user name
6 - using the same error message for different login errors - prevents catching the user name
7 - after every next try, slow down the answer from the server - this will slow down GPU calculations
8 - enable OneIpPerUser - this will block many sessions from one PC
From here: https://portswigger.net/web-security/authentication/password-based
"For example, you might sometimes find that your IP is blocked if you fail to log in too many times. In some implementations, the counter for the number of failed attempts resets if the IP owner logs in successfully. This means an attacker would simply have to log in to their own account every few attempts to prevent this limit from ever being reached. In this case, merely including your own login credentials at regular intervals throughout the wordlist is enough to render this defense virtually useless."
irigsoft Posted August 24, 2021
Example of code here:
Tokay (Author) Posted August 26, 2021
Oh, thank you! I'll look there. I could not find the topic on the forum.
irigsoft Posted August 26, 2021
9 minutes ago, Tokay said: Oh, thank you! I'll look there. I could not find the topic on the forum.
I made some protection code based on the plan:
3 - using strong passwords (more than 10 symbols)
4 - using hashes of passwords

On TUniServerModule.UniGUIServerModuleHTTPCommand:

    // reload the IP list
    UniServerModule.Lock;
    try
      if FileExists(ExtractFilePath(StartPath) + 'root\BlockedIPList.ini') then
        BlockedIPList.LoadFromFile(ExtractFilePath(StartPath) + 'root\BlockedIPList.ini');
    finally
      UniServerModule.UnLock;
    end;
    if BlockedIPList.Count > 0 then
    begin
      if BlockedIPList.IndexOf(ARequestInfo.RemoteIP) > -1 then
      begin
        AResponseInfo.ContentText := '<h1>Access denied</h1>'; // point 6: same text for every refusal
        Handled := True;
        AResponseInfo.CloseSession;
        Exit; // nothing else to do for a blocked IP
      end;
    end;

On the login form, BtnLogin.OnClick:

    UniServerModule.Lock;
    try
      if FileExists(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini') then
        UniServerModule.BlockedIPList.LoadFromFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini');
    finally
      UniServerModule.UnLock;
    end;
    // point 1: block the IP address; BruteForceTrys is a MainModule counter incremented on every failed login
    if UniMainModule.BruteForceTrys > 5 then
    begin
      UniServerModule.Lock;
      try
        UniServerModule.BlockedIPList.Add(UniSession.RemoteIP);
        UniServerModule.BlockedIPList.SaveToFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini');
      finally
        UniServerModule.UnLock;
      end;
      Sleep(100);
      UniSession.Terminate('<h1>Access denied</h1>'); // point 6
      Exit;
    end;

UniGUIMainModuleCreate, reload the blocked IPs:

    UniServerModule.Lock;
    try
      if FileExists(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini') then
        UniServerModule.BlockedIPList.LoadFromFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini');
    finally
      UniServerModule.UnLock;
    end;

I added some extras, such as a log of IPs which made 2 or more login errors (suspicious IP addresses).
7 - after every next try, slow down the answer from the server - add some timers to make the user wait for the next login attempt!
8 - enable OneIpPerUser:

    ServerLimits.SessionRestrict := srOnePerPC; // one session per PC
    ServerLimits.SessionRestrict := srOnePerIP; // or one session per IP
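The lockout plan from irigsoft's numbered list (points 1, 5, 6 and 7) and the BlockedIPList code in this post, as an added example that is not from the thread or from uniGUI: a small Python LoginGuard written so that the PortSwigger caveat quoted above does not apply, because a successful login never resets the per-IP or per-account failure counters. The user store, password and IP addresses are constructed sample values.

```python
# Added example: per-IP and per-account lockout with growing back-off and a
# single generic error; success does not clear the failure counters.
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, Set, Tuple

MAX_IP_FAILURES = 5       # point 1: block the IP after this many failures
MAX_USER_FAILURES = 5     # point 5: lock the account after this many failures
BASE_DELAY = 0.5          # point 7: back-off doubles with every failure from an IP
GENERIC_ERROR = "Invalid username or password"  # point 6: one message for all cases

def pw_hash(password: str) -> str:
    # sha256 keeps the example short; use a slow hash (argon2/bcrypt) in production
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"alice": pw_hash("correct horse battery staple")}  # constructed sample store

class LoginGuard:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                              # injectable for testing
        self.ip_failures: Dict[str, int] = defaultdict(int)
        self.user_failures: Dict[str, int] = defaultdict(int)
        self.blocked_ips: Set[str] = set()
        self.locked_users: Set[str] = set()
        self.not_before: Dict[str, float] = {}          # ip -> earliest accepted attempt

    def login(self, ip: str, user: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        if ip in self.blocked_ips or user in self.locked_users:
            return False, GENERIC_ERROR                 # blocked: same text, no enumeration
        if now < self.not_before.get(ip, 0.0):
            return False, GENERIC_ERROR                 # still inside the back-off window
        expected = USERS.get(user)
        supplied = pw_hash(password)                    # always hash, even for unknown users
        if expected is not None and hmac.compare_digest(expected, supplied):
            # Success deliberately leaves ip_failures/user_failures untouched, so an
            # attacker mixing their own valid login into a wordlist gains nothing.
            return True, "ok"
        self.ip_failures[ip] += 1
        self.user_failures[user] += 1
        self.not_before[ip] = now + BASE_DELAY * 2 ** (self.ip_failures[ip] - 1)
        if self.ip_failures[ip] >= MAX_IP_FAILURES:
            self.blocked_ips.add(ip)
        if expected is not None and self.user_failures[user] >= MAX_USER_FAILURES:
            self.locked_users.add(user)                 # real accounts only; message unchanged
        return False, GENERIC_ERROR
```

The lockout store here is in-memory; in a multi-process deployment keep it in a shared store, as the BlockedIPList.ini file does in the post.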