How to add brute force protection to the login form of app?


Tokay

6 hours ago, Tokay said:

Is it possible to add this kind of protection? Maybe someone knows how to do it.

Do you use a hash algorithm for passwords?

Do you know that all passwords are visible as plaintext in Google Console? Did you protect them from Google Console?

Did you try these methods? https://auth0.com/docs/attack-protection/brute-force-protection

Good explanation of methods: https://portswigger.net/web-security/authentication/password-based

 

Brute-Force Protection

Brute-force protection, which safeguards against brute-force attacks that occur from a single IP address and target a single user account, is enabled by default for all connections. When triggered, brute-force protection will:

- after some login attempts (brute-force attack), log the IP in BlockIPList
- send an email to the affected user
- block the suspicious IP address for the user

If brute-force protection is triggered, it will only be removed when:

- the affected user clicks on the unblock link in the email notification (if configured)
- the affected user changes their password (on all linked accounts)
- an administrator removes the block

 

Another good method is to show the user a reCAPTCHA after the first attempt.

 

Creating and applying the methods described by Kaspersky is a good start: https://www.kaspersky.com/resource-center/definitions/brute-force-attack

I read about this kind of attack (I am not a security expert) and there are some problems with protection from this:

  - if the attacker uses multiple IP addresses with bots! (GPU PCs from different IPs - this will enable more than 3000 tries per second from one IP address) - more like a DDoS attack (use p.1,2,5,7)
  - if the attacker uses the same user and different passwords on different sessions! (use p.2,3,4,5)
  - if the attacker uses different users and different passwords on different sessions! (use p.1,6,7)
  - if the attacker knows one correct user and password (inner brute-force attack)! (protection is useless) - you must change all passwords and accounts! Maybe you must change the login strategy. To catch this you must have some analytics methods.

There are standard techniques to slow down an attacker:

 1 - after some tries to log in (brute-force attack), log the IP in BlockIPList and block the attacker's IP
 2 - use reCAPTCHA - prevents bots (some reCAPTCHA is useless!)
 3 - use strong passwords (more than 10 symbols) - slows down GPU calculations
 4 - use a hash of the passwords - slows down GPU calculations
 5 - disable the user account - the attacker must change the user name
 6 - use the same error message for different login errors - prevents discovering the user name
 7 - after every next try, slow down the answer from the server - this will slow down GPU calculations
 8 - enable OneIpPerUser - this will block many sessions from one PC

 

From here: https://portswigger.net/web-security/authentication/password-based

"For example, you might sometimes find that your IP is blocked if you fail to log in too many times. In some implementations, the counter for the number of failed attempts resets if the IP owner logs in successfully. This means an attacker would simply have to log in to their own account every few attempts to prevent this limit from ever being reached.

In this case, merely including your own login credentials at regular intervals throughout the wordlist is enough to render this defense virtually useless."

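The two replies above describe the building blocks (block the IP after a few failures, lock the account, one generic error message, a growing delay, and unblocking only by an administrator or a password change) and then quote the PortSwigger caveat that a per-IP counter which resets on a successful login is worthless. The following added example, which is not code from the thread or from uniGUI, puts those pieces into one in-memory login guard so the interaction can be seen end to end. The thresholds, the delay schedule, the class and function names, and the plaintext demo user store are all assumptions made for the example.

```python
"""Login throttle demo: per-IP block (point 1), account lock (point 5), one
generic error message (point 6) and an escalating delay (point 7), plus the
unblock paths from the first reply (administrator removes the block, user
changes the password). Added example; not code from the thread or from uniGUI."""
import time

# Assumed thresholds; tune for the application.
MAX_IP_FAILURES = 5          # point 1: block the source IP after this many failures
MAX_ACCOUNT_FAILURES = 5     # point 5: lock the account regardless of source IP
BASE_DELAY_SECONDS = 1.0     # point 7: first failure waits 1 s, then 2, 4, 8 ...
MAX_DELAY_SECONDS = 30.0
GENERIC_ERROR = "Invalid username or password"   # point 6: identical for every failure

# Constructed demo user store (plaintext only to keep the demo short;
# a real application verifies a salted password hash instead).
USERS = {"alice": "correct horse", "mallory": "mallory-pw"}


def check_password(user, password):
    return USERS.get(user) == password


class LoginGuard:
    """In-memory equivalent of the thread's BlockedIPList plus per-account locks."""

    def __init__(self, verify=check_password, sleep=time.sleep):
        self._verify = verify
        self._sleep = sleep          # injectable so tests do not really wait
        self.ip_failures = {}        # ip -> consecutive failed logins
        self.account_failures = {}   # user -> consecutive failed logins
        self.blocked_ips = set()
        self.locked_accounts = set()

    def attempt(self, ip, user, password):
        """Return (success, message). The message never reveals why a login failed."""
        if ip in self.blocked_ips or user in self.locked_accounts:
            # Rejected before the password is even checked; same message as a typo.
            return False, GENERIC_ERROR

        if self._verify(user, password):
            # Only the account counter resets, and only for the real owner.
            # The per-IP counter is deliberately NOT reset: the quoted PortSwigger
            # text shows how an attacker who can reset it by logging in to their
            # own account every few attempts defeats the IP limit entirely.
            self.account_failures.pop(user, None)
            return True, "OK"

        ip_fail = self.ip_failures.get(ip, 0) + 1
        self.ip_failures[ip] = ip_fail
        acc_fail = self.account_failures.get(user, 0) + 1
        self.account_failures[user] = acc_fail

        # point 7: every further failure from this IP waits twice as long.
        self._sleep(min(MAX_DELAY_SECONDS, BASE_DELAY_SECONDS * 2 ** (ip_fail - 1)))

        if ip_fail >= MAX_IP_FAILURES:
            self.blocked_ips.add(ip)            # point 1
        if acc_fail >= MAX_ACCOUNT_FAILURES:
            self.locked_accounts.add(user)      # point 5
        return False, GENERIC_ERROR

    # Unblock paths described in the first reply.
    def admin_unblock_ip(self, ip):
        self.blocked_ips.discard(ip)
        self.ip_failures.pop(ip, None)

    def unlock_after_password_change(self, user):
        self.locked_accounts.discard(user)
        self.account_failures.pop(user, None)
```

A blocked IP or locked account is answered with the same text as a wrong password, so an attacker cannot tell from the response whether the account exists or whether the lock has already been triggered. The guard state lives in memory here; the thread's file-backed BlockedIPList would play the same role as `blocked_ips` in a uniGUI application.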

9 minutes ago, Tokay said:

Oh, thank you! I'll look there. I could not find a topic on the forum.

I made some protection code based on the plan:

3 - using strong passwords (more than 10 symbols)

4 - using hash of passwords

 

on the TUniServerModule.UniGUIServerModuleHTTPCommand

// reload the blocked IP list; take the lock before the try so UnLock runs only after a successful Lock
UniServerModule.Lock;
try
  if FileExists(ExtractFilePath(StartPath) + 'root\BlockedIPList.ini') then
    BlockedIPList.LoadFromFile(ExtractFilePath(StartPath) + 'root\BlockedIPList.ini');
finally
  UniServerModule.UnLock;
end;

if BlockedIPList.Count > 0 then
begin
  if BlockedIPList.IndexOf(ARequestInfo.RemoteIP) > -1 then
  begin
    AResponseInfo.ContentText := '<h1>Access denied</h1>';   // point 6: one message for every rejection
    Handled := True;
    AResponseInfo.CloseSession;
    goto EndAll;   // EndAll is a label declared in this handler (not shown here)
  end;
end;

 

on the login form BtnLogin.OnClick

// reload the blocked IP list
UniServerModule.Lock;
try
  if FileExists(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini') then
    UniServerModule.BlockedIPList.LoadFromFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini');
finally
  UniServerModule.UnLock;
end;

// block IP
if UniMainModule.BruteForceTrys > 5 then   // point 1
begin
  // block the IP address and persist the list
  UniServerModule.Lock;
  try
    UniServerModule.BlockedIPList.Add(UniSession.RemoteIP);
    UniServerModule.BlockedIPList.SaveToFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini');
  finally
    UniServerModule.UnLock;
  end;

  Sleep(100);
  UniSession.Terminate('<h1>Access denied</h1>');   // point 6
  Exit;
end;

UniGUIMainModuleCreate

// reload the blocked IP list
UniServerModule.Lock;
try
  if FileExists(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini') then
    UniServerModule.BlockedIPList.LoadFromFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BlockedIPList.ini');
finally
  UniServerModule.UnLock;
end;

 

I added some extras, such as a log of IPs that made 2 or more login errors (suspicious IP addresses).

 

7 - after every next try, slow down the answer from the server - add some timers to make the user wait for the next login attempt!

8 - enable OneIpPerUser - ServerLimits.SessionRestrict := srOnePerPC; ServerLimits.SessionRestrict := srOnePerIP;

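The post above implements points 1, 6, 7 and 8 of the plan in uniGUI but only names points 3 and 4 (strong passwords, hashed passwords). The following added example, which is not code from the thread or from uniGUI, shows what those two points look like in practice: a minimum-length check and a salted, memory-hard password hash (scrypt from the Python standard library) that is verified in constant time and stores its own parameters so the cost can be raised later. The storage format, the cost parameters and the 10-character threshold are assumptions made for the example.

```python
"""Password storage demo for points 3 and 4 of the plan: a length policy and a
salted, memory-hard hash (scrypt) verified in constant time. Added example;
not code from the thread or from uniGUI. Format and parameters are assumed."""
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 10          # point 3; threshold assumed for the example
# scrypt cost: 128 * N * r bytes of memory per hash (16 MiB here); raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def password_meets_policy(password):
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password, salt=None):
    """Return a self-describing string: scrypt$N$r$p$<salt hex>$<key hex>."""
    if not password_meets_policy(password):
        raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password (point 4)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify_password(password, stored):
    """Recompute with the parameters stored next to the hash; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:          # malformed record: wrong field count or bad hex
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(key, expected)
```

Because each record carries its own N, r and p, old hashes keep verifying after the constants are raised; the application can rehash a password on its next successful login. The per-password salt means two users with the same password get different records, and the memory cost is what actually slows down GPU cracking, far more than a plain SHA-256 would.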