Re: [PHP-DB] Wait Statement... ?

2004-07-21 Thread Shah
Well, everyone is in a big discussion about this, so I figure I'll toss in
my worthless 2 cents.
   Say your users have a password of like 8 characters; Brutus (used
for brute forcing) will tell someone trying to gain access that they'll
have better luck asking the person.
So the only real threat is like dictionary attacks. So you add an eregi
and ask your users to include at least 1 number and/or a special
character, or you have your own dictionary that you check the word
against; if it's in your dictionary then you tell the user to select
another one. Brute forcing a password is pass or fail; if the person is
determined enough they'll get in. Using a dictionary can work sometimes;
script kiddies can whip those out pretty quick and try it. The main
anti-passcrack would be a strong password. I usually use a minimum of 8
characters, 1 special character not at the end. And on top of this I
also have about 7,000 words/common passes in a MySQL database that I
reference. Of course, you have to remember that you're dealing with
users... as in users... who will make their password their initials and
the last 2 digits of their birthday, or they'll make it 112233. The
best way to learn about security on stuff like this is to sit down and
try to break into your system; if you can do it locally then that's
better, so that you can test it as if someone plugged in on your
server's LAN (highly improbable), and anyone that tries to sell you a
product for the anti-passcrack is really saying, you don't seem to want
to write the 40 lines of code, so I'll rip you on it.

Shah
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
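Shah's policy above (minimum length, a digit, a special character that is not the last character, and a lookup against a list of common passwords), as an added PHP example that is not code from the thread. It uses preg_match() rather than eregi(), since the ereg family was removed in PHP 7, and a constructed in-memory blocklist stands in for his 7,000-entry MySQL table. The trailing-digit stripping goes slightly beyond his rules so that an entry for `password` also catches `password1!`; MIN_LENGTH and the sample list are assumptions.

```php
<?php
// Added example (not code from the thread): Shah's password rules with preg_match()
// in place of the ereg functions, plus a common-password lookup. The blocklist is a
// constructed stand-in for a table of common passwords; MIN_LENGTH is an assumption.
declare(strict_types=1);

const MIN_LENGTH = 8;

// Constructed sample list; in practice this is the 7,000-row table Shah describes.
const COMMON_PASSWORDS = [
    'password', 'letmein', 'qwerty', 'football', 'welcome', 'monkey', '112233',
];

/**
 * Returns the policy rules the password breaks; an empty array means it passes.
 */
function password_policy_violations(string $password, array $blocklist = COMMON_PASSWORDS): array
{
    $violations = [];

    if (strlen($password) < MIN_LENGTH) {
        $violations[] = sprintf('shorter than %d characters', MIN_LENGTH);
    }
    if (!preg_match('/[0-9]/', $password)) {
        $violations[] = 'no digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $violations[] = 'no special character';
    } elseif (!preg_match('/[^A-Za-z0-9]./', $password)) {
        // A special character exists but only as the final character ("Password1!").
        $violations[] = 'special character only at the end';
    }

    // Dictionary check: case-insensitive, and also after stripping the trailing
    // digits/symbols users bolt on to a dictionary word to satisfy the rules above.
    $blocked = array_fill_keys(array_map('strtolower', $blocklist), true);
    $lower   = strtolower($password);
    $stem    = preg_replace('/[^a-z]+$/', '', $lower);
    if (isset($blocked[$lower]) || ($stem !== '' && isset($blocked[$stem]))) {
        $violations[] = 'based on a common password';
    }

    return $violations;
}

// Typical use in a registration or change-password handler:
//   $problems = password_policy_violations($_POST['password'] ?? '');
//   if ($problems) { /* tell the user to select another one */ }
if (PHP_SAPI === 'cli') {
    foreach (['112233', 'Password1!', 'Welcome2024#', 'c0rr3ct-horse!battery'] as $candidate) {
        $problems = password_policy_violations($candidate);
        printf("%-24s %s\n", $candidate, $problems ? implode('; ', $problems) : 'ok');
    }
}
```

Run from the command line it reports `112233` as too short, lacking a special character and on the list, `Password1!` and `Welcome2024#` as having their only special character at the end and being a common word with digits appended, and the last candidate as passing.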


RE: [PHP-DB] Wait Statement... ?

2004-07-21 Thread Daevid Vincent
I like this idea of longer sleeps for each fail in theory, 
but it becomes moot if you only allow 3 failed attempts. 

> -Original Message-
> From: Tim Van Wassenhove [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 20, 2004 3:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] Wait Statement... ?
>
> Every time someone tries to authenticate, you count the number of
> failures in both queues. The larger the number, the longer the sleep
> will take. (removing old entries once in a while might speed 
> up things)

Daevid Vincent
Senior Engineer / Architect

two.zero.six.two.eight.five.eight.zero.eight.zero
 _   _   _ 
| |___   ___| | | | _  ___ __  
| |   / _ \ / __| |/ / _` |/ _ \ \ /\ / / '_ \ 
| |__| (_) | (__|   < (_| | (_) \ V  V /| | | |
|_\___/ \___|_|\_\__,_|\___/ \_/\_/ |_| |_|
x104   Networks.com




RE: [PHP-DB] Wait Statement... ?

2004-07-21 Thread Daevid Vincent
> Uhmmm.. how effective is a brute force attack where you can only try one
> combination per second? It's going to take you a while to get through
> that dictionary.

How determined are you ;-)

Our product has a brute force attacker in it, and for some protocols, we
have to wait a few seconds between each attempt b/c otherwise the protocol
blocks you as it considers it a DoS.

But the results can finish in several days or even weeks.

> You can still do this on top of the sleep() method. A one second wait
> isn't going to affect you when you log in to an application.

Sure. If you really want to sleep(1); then go nuts. I was only trying to
point out that the sleep(1) is not a really viable way to prevent crackers
from doing anything really. Just slow them down.

> The problem with reacting after three failed logins is that it can then
> be easy to lock other people out of their account. You just have to
> figure out their username, which usually isn't that hard. Since IP
> addresses can be spoofed or shared among users of certain ISPs, relying
> on them isn't adequate, either.

Well, you'd only get 3 attempts to guess a username from a given IP. 
It takes a lot more work to spoof an IP, and coordinate an attack with
several computers.

And most crackers aren't trying to lock people out of their account, they're
trying to gain access themselves. If I wanted to bring down a server, I'd
just DoS it, not waste time locking individual users out one at a time.

Daevid Vincent
Senior Engineer / Architect

two.zero.six.two.eight.five.eight.zero.eight.zero
 _   _   _ 
| |___   ___| | | | _  ___ __  
| |   / _ \ / __| |/ / _` |/ _ \ \ /\ / / '_ \ 
| |__| (_) | (__|   < (_| | (_) \ V  V /| | | |
|_\___/ \___|_|\_\__,_|\___/ \_/\_/ |_| |_|
x104   Networks.com




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread John W. Holmes
Tim Van Wassenhove wrote:
> In article <[EMAIL PROTECTED]>, John W. Holmes wrote:
> > Daevid Vincent wrote:
> > > Similarly, I could adjust my brute force attack to sleep() a pre-determined
> > > amount of time too ;-)
> >
> > Uhmmm.. how effective is a brute force attack where you can only try one
> > combination per second? It's going to take you a while to get through
> > that dictionary.
>
> You're mistaken here. Every kiddie knows he has to fork 50 concurrent
> threads that try to authenticate...

That's still only 50 guesses a second compared to thousands when your
server gives an immediate good or bad response. Like I said, this is
just another layer you can add in addition to what you have below. It
doesn't hurt anything if implemented correctly and it only serves to
hassle those abusing the system. Defense in depth. :)

> I'd suggest to have 2 queues for failed authentication attempts.
> One containing (ip - timestamp) pairs,
> the other containing (username - timestamp) pairs.
> Every time someone tries to authenticate, you count the number of
> failures in both queues. The larger the number, the longer the sleep
> will take. (removing old entries once in a while might speed up things)

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com


Re: Re[2]: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Jason Wong
On Wednesday 21 July 2004 05:00, Pablo M. Rivas wrote:

> sleep() is the brute defense of the brute force attack...
> You can make a script that opens simultaneous attacks

One thing to bear in mind is that sleep() will hog resources and can lead to
DoS.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/*
He's dead, Jim.
-- McCoy, "The Devil in the Dark", stardate 3196.1
*/




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Tim Van Wassenhove
In article <[EMAIL PROTECTED]>, John W. Holmes wrote:
> Daevid Vincent wrote:
> 
>> Similarly, I could adjust my brute force attack to sleep() a pre-determined
>> amount of time too ;-)
> 
> Uhmmm.. how effective is a brute force attack where you can only try one 
> combination per second? It's going to take you a while to get through 
> that dictionary.

You're mistaken here. Every kiddie knows he has to fork 50 concurrent
threads that try to authenticate... 

I'd suggest to have 2 queues for failed authentication attempts.
One containing (ip - timestamp) pairs,
the other containing (username - timestamp) pairs.

Every time someone tries to authenticate, you count the number of
failures in both queues. The larger the number, the longer the sleep
will take. (removing old entries once in a while might speed up things)

-- 
Tim Van Wassenhove 

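Tim's two-queue throttle, as an added PHP example that is not code from the thread; it also keeps the unconditional base delay John argues for elsewhere in this discussion. SQLite in memory via PDO stands in for whatever table you keep, and the 15-minute window, the 1-second base delay, the 8-second cap and the per-IP hard limit of 5 are assumptions, the last set deliberately low so the demo reaches it. Requires PHP 7.4 or later with pdo_sqlite.

```php
<?php
// Added example, not code from the thread: the two-queue throttle Tim describes
// (failures keyed by IP and by username, each with a timestamp), with the delay growing
// with the larger count. SQLite in memory stands in for the real store, and every
// threshold below is an assumption (HARD_LIMIT is set low so the demo reaches it).
declare(strict_types=1);

final class FailureLedger
{
    private const WINDOW_SECONDS = 900; // failures older than this no longer count
    private const BASE_DELAY     = 1;   // seconds every attempt waits, even the first
    private const MAX_DELAY      = 8;   // cap: a sleeping request still occupies a worker
    private const HARD_LIMIT     = 5;   // per-IP failures after which we refuse instead of sleeping

    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Both queues live in one table, distinguished by `kind` ('ip' or 'user').
        $db->exec('CREATE TABLE IF NOT EXISTS auth_failure (
                       kind TEXT NOT NULL, subject TEXT NOT NULL, ts INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS auth_failure_idx ON auth_failure (kind, subject, ts)');
    }

    public function recordFailure(string $ip, string $username, ?int $now = null): void
    {
        $now ??= time();
        $stmt = $this->db->prepare('INSERT INTO auth_failure (kind, subject, ts) VALUES (?, ?, ?)');
        $stmt->execute(['ip', $ip, $now]);
        $stmt->execute(['user', strtolower($username), $now]);
    }

    /** Drop entries outside the window ("removing old entries once in a while"). */
    public function prune(?int $now = null): void
    {
        $stmt = $this->db->prepare('DELETE FROM auth_failure WHERE ts < ?');
        $stmt->execute([($now ?? time()) - self::WINDOW_SECONDS]);
    }

    private function recentFailures(string $kind, string $subject, int $now): int
    {
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM auth_failure WHERE kind = ? AND subject = ? AND ts >= ?');
        $stmt->execute([$kind, $subject, $now - self::WINDOW_SECONDS]);
        return (int) $stmt->fetchColumn();
    }

    /**
     * Seconds to sleep before checking the credentials, or null when the request
     * should be refused (e.g. HTTP 429) rather than parked in sleep().
     */
    public function delayFor(string $ip, string $username, ?int $now = null): ?int
    {
        $now ??= time();
        $byIp   = $this->recentFailures('ip', $ip, $now);
        $byUser = $this->recentFailures('user', strtolower($username), $now);

        // Only the IP count can refuse outright: a username is public, so a hard
        // limit on it would let anyone lock the real owner out.
        if ($byIp >= self::HARD_LIMIT) {
            return null;
        }
        // Delay doubles with the larger of the two counts, up to the cap.
        $failures = min(max($byIp, $byUser), 30); // bound the exponent before shifting
        return min(self::MAX_DELAY, self::BASE_DELAY << $failures);
    }
}

// In a login handler this runs before any output or header(): compute the delay,
// sleep() for it whether or not the password turns out to be right, then verify.
if (PHP_SAPI === 'cli') {
    $ledger = new FailureLedger(new PDO('sqlite::memory:'));
    $now = 1_700_000_000; // fixed clock so the demo is deterministic
    for ($attempt = 1; $attempt <= 6; $attempt++) {
        $delay = $ledger->delayFor('198.51.100.7', 'alice', $now);
        printf("attempt %d from 198.51.100.7 as alice: %s\n",
               $attempt, $delay === null ? 'refuse' : "sleep {$delay}s");
        $ledger->recordFailure('198.51.100.7', 'alice', $now);
        $now += 10;
    }
    // A different user from a different address only pays the base delay.
    printf("bob from 203.0.113.5: sleep %ds\n", $ledger->delayFor('203.0.113.5', 'bob', $now));
}
```

The six attempts from one address print delays of 1, 2, 4, 8 and 8 seconds and then a refusal, while bob from elsewhere still waits the base second. The cap and the refusal path address Jason's warning that a request parked in sleep() still holds a PHP worker: the delay stays bounded, and past some point the cheaper answer is to refuse without sleeping at all. The hard limit is keyed on the IP and not the username so that knowing someone's login name (John's objection to plain three-strikes lockout) buys an attacker at most an 8-second delay against the real owner, never a lockout.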



Re[2]: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Pablo M. Rivas
Hello John,

   sleep() is the brute defense of the brute force attack...
   You can make a script that opens simultaneous attacks

JWH> I'm not saying using sleep is "the solution" to security problems, but
JWH> it can be one layer of your defense.


-- 
Best regards,
 Pablo




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Ignatius Reilly
Why silly??
It just makes you wait one second on the login page BEFORE the validation
process, not on other pages.
I use it everywhere.

Ignatius
_
- Original Message -
From: "Daevid Vincent" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "'..: GamCo :..'" <[EMAIL PROTECTED]>; "'John W. Holmes'"
<[EMAIL PROTECTED]>
Sent: Tuesday, July 20, 2004 9:47 PM
Subject: RE: [PHP-DB] Wait Statement... ?


> Similarly, I could adjust my brute force attack to sleep() a pre-determined
> amount of time too ;-)
>
> The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
> and be done. A better way to stop attacks is to have a tally of failed
> logins if you really are that worried someone is going to brute-force you.
> Then after 3 fails, just don't let that IP connect or add other intelligent
> handling. Maybe add them to a 'ban list' after x amount of failed tries. You
> can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.
>
> > -Original Message-
> > From: John W. Holmes [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, July 20, 2004 7:10 AM
> > To: ..: GamCo :..
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [PHP-DB] Wait Statement... ?
> >
> > ..: GamCo :.. wrote:
> > > OK, I added the sleep() function in my page. What I'm basically doing is :-
> > >
> > > I have a .php page where people log in from. From there I send the form to
> > > another .php page that actually checks the login and registers a session
> > > with the username and password as session variables. Then on the page that
> > > actually does the validation, I have something that says: validating
> > > login... sleep 1 function. Then I have another line that says validation
> > > successful... sleep 1 function and then I have another line that says
> > > redirecting... with sleep 1 function and then header redirects to the actual
> > > logged-in.php file. The redirect and validation works perfectly as well as
> > > the sleep functions, but it now doesn't display the validating login... blah
> > > blah blah stuff which is done in normal html code...
> >
> > You are very confused. Read the manual page on header(). You can't have
> > any output before you try to redirect with a header().
> >
> > If you're trying to implement some sort of brute force protection by
> > using sleep(), you're using it in the wrong method, anyhow. Your login
> > processing script should sleep for a second or two whether the login is
> > correct or not and it should be the first thing that it does (i.e.
> > before any output or redirection). If you only sleep() on failures and
> > redirect on good logins, brute force methods can pick up on that and
> > adjust their methods to get around the wait time.
> >
> > --
> > ---John Holmes...
> >
> > Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
> >
> > php|architect: The Magazine for PHP Professionals - www.phparch.com
> >



Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread John W. Holmes
Daevid Vincent wrote:
> Similarly, I could adjust my brute force attack to sleep() a pre-determined
> amount of time too ;-)

Uhmmm.. how effective is a brute force attack where you can only try one
combination per second? It's going to take you a while to get through
that dictionary.

> The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
> and be done. A better way to stop attacks is to have a tally of failed
> logins if you really are that worried someone is going to brute-force you.
> Then after 3 fails, just don't let that IP connect or add other intelligent
> handling. Maybe add them to a 'ban list' after x amount of failed tries. You
> can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

You can still do this on top of the sleep() method. A one second wait
isn't going to affect you when you log in to an application.

The problem with reacting after three failed logins is that it can then 
be easy to lock other people out of their account. You just have to 
figure out their username, which usually isn't that hard. Since IP 
addresses can be spoofed or shared among users of certain ISPs, relying 
on them isn't adequate, either.

I'm not saying using sleep is "the solution" to security problems, but 
it can be one layer of your defense.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com


RE: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Daevid Vincent
Similarly, I could adjust my brute force attack to sleep() a pre-determined
amount of time too ;-)

The whole 'sleep()' idea just seems silly. I agree with Jason. Just validate
and be done. A better way to stop attacks is to have a tally of failed
logins if you really are that worried someone is going to brute-force you.
Then after 3 fails, just don't let that IP connect or add other intelligent
handling. Maybe add them to a 'ban list' after x amount of failed tries. You
can get the $_SERVER['REMOTE_ADDR'] or use the session id or whatever.

> -Original Message-
> From: John W. Holmes [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, July 20, 2004 7:10 AM
> To: ..: GamCo :..
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] Wait Statement... ?
> 
> ..: GamCo :.. wrote:
> > OK, I added the sleep() function in my page. What I'm basically doing is :-
> >
> > I have a .php page where people log in from. From there I send the form to
> > another .php page that actually checks the login and registers a session
> > with the username and password as session variables. Then on the page that
> > actually does the validation, I have something that says: validating
> > login... sleep 1 function. Then I have another line that says validation
> > successful... sleep 1 function and then I have another line that says
> > redirecting... with sleep 1 function and then header redirects to the actual
> > logged-in.php file. The redirect and validation works perfectly as well as
> > the sleep functions, but it now doesn't display the validating login... blah
> > blah blah stuff which is done in normal html code...
> 
> You are very confused. Read the manual page on header(). You can't have
> any output before you try to redirect with a header().
>
> If you're trying to implement some sort of brute force protection by
> using sleep(), you're using it in the wrong method, anyhow. Your login
> processing script should sleep for a second or two whether the login is
> correct or not and it should be the first thing that it does (i.e.
> before any output or redirection). If you only sleep() on failures and
> redirect on good logins, brute force methods can pick up on that and
> adjust their methods to get around the wait time.
> 
> -- 
> ---John Holmes...
> 
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
> 
> php|architect: The Magazine for PHP Professionals - www.phparch.com
> 



Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread John W. Holmes
..: GamCo :.. wrote:
> OK, I added the sleep() function in my page. What I'm basically doing is :-
>
> I have a .php page where people log in from. From there I send the form to
> another .php page that actually checks the login and registers a session
> with the username and password as session variables. Then on the page that
> actually does the validation, I have something that says: validating
> login... sleep 1 function. Then I have another line that says validation
> successful... sleep 1 function and then I have another line that says
> redirecting... with sleep 1 function and then header redirects to the actual
> logged-in.php file. The redirect and validation works perfectly as well as
> the sleep functions, but it now doesn't display the validating login... blah
> blah blah stuff which is done in normal html code...
You are very confused. Read the manual page on header(). You can't have 
any output before you try to redirect with a header().

If you're trying to implement some sort of brute force protection by 
using sleep(), you're using it in the wrong method, anyhow. Your login 
processing script should sleep for a second or two whether the login is 
correct or not and it should be the first thing that it does (i.e. 
before any output or redirection). If you only sleep() on failures and 
redirect on good logins, brute force methods can pick up on that and 
adjust their methods to get around the wait time.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
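The ordering rule in John's message (sleep first, before any output or header(), and on good logins as well as bad), as an added PHP example that is not code from the thread. It times a handler that sleeps only on failure against one that always sleeps, so the timing difference a brute-force tool could key on is visible. The users array, the 0.2-second delay and the dummy-hash trick for unknown usernames are constructed for the demo; requires PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread: why the sleep() has to be the first thing
// the login script does and has to happen on every outcome. The users array, the
// 0.2 s delay and the dummy hash are constructed for this demo.
declare(strict_types=1);

const LOGIN_DELAY_US = 200_000; // 0.2 s so the demo runs quickly; use sleep(1) or more for real

/** Constructed stand-in for the users table: username => password_hash() output. */
function demo_users(): array
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return $users;
}

/** Same work for unknown users as for known ones, so timing cannot enumerate usernames. */
function credentials_valid(string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $users = demo_users();
    $known = isset($users[$username]);
    $ok    = password_verify($password, $known ? $users[$username] : $dummyHash);
    return $known && $ok;
}

/** The pattern John warns about: fast on success, slow only on failure. */
function login_sleep_on_failure(string $username, string $password): bool
{
    if (credentials_valid($username, $password)) {
        return true; // in the web handler: header('Location: logged-in.php'); exit;
    }
    usleep(LOGIN_DELAY_US);
    return false;
}

/** The recommended pattern: delay first, before any output or redirect, whatever the outcome. */
function login_always_sleep(string $username, string $password): bool
{
    usleep(LOGIN_DELAY_US);
    return credentials_valid($username, $password);
}

/** Wall-clock seconds one call to $handler takes. */
function time_handler(callable $handler, string $username, string $password): float
{
    $start = hrtime(true);
    $handler($username, $password);
    return (hrtime(true) - $start) / 1e9;
}

if (PHP_SAPI === 'cli') {
    foreach (['login_sleep_on_failure', 'login_always_sleep'] as $handler) {
        $good = time_handler($handler, 'alice', 'correct horse battery staple');
        $bad  = time_handler($handler, 'alice', 'wrong password');
        $none = time_handler($handler, 'nobody', 'wrong password');
        printf("%-22s good=%.3fs bad=%.3fs unknown-user=%.3fs\n", $handler, $good, $bad, $none);
    }
}
```

For the first handler the successful login returns about 0.2 s sooner than the failures, which is exactly the signal an attacker's tool adjusts to; for the second all three take the same time. In the web version the sleep is the first statement, before session_start() and before the header('Location: ...') call that must precede any output, and the redirect is followed by exit. With the unconditional delay the only remaining timing signal is the password hash itself, which is why the unknown-username path verifies against a dummy hash instead of returning early.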


Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Jason Wong
On Tuesday 20 July 2004 16:56, ..: GamCo :.. wrote:

> OK, I added the sleep() function in my page. What I'm basically doing is :-
>
> I have a .php page where people log in from. From there I send the form to
> another .php page that actually checks the login and registers a session
> with the username and password as session variables. Then on the page that
> actually does the validation, I have something that says: validating
> login... sleep 1 function. Then I have another line that says validation
> successful... sleep 1 function and then I have another line that says
> redirecting... with sleep 1 function and then header redirects to the
> actual logged-in.php file. The redirect and validation works perfectly as
> well as the sleep functions, but it now doesn't display the validating
> login... blah blah blah stuff which is done in normal html code...

Why don't you just validate the login and be done with it? Why wait 1 second,
another second, ... ?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
/*
There are no accidents whatsoever in the universe.
-- Baba Ram Dass
*/




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread ..: GamCo :..
hhhmmm...

OK, I added the sleep() function in my page. What I'm basically doing is :-

I have a .php page where people log in from. From there I send the form to
another .php page that actually checks the login and registers a session
with the username and password as session variables. Then on the page that
actually does the validation, I have something that says: validating
login... sleep 1 function. Then I have another line that says validation
successful... sleep 1 function and then I have another line that says
redirecting... with sleep 1 function and then header redirects to the actual
logged-in.php file. The redirect and validation works perfectly as well as
the sleep functions, but it now doesn't display the validating login... blah
blah blah stuff which is done in normal html code...

any idea ?




Re: [PHP-DB] Wait Statement... ?

2004-07-20 Thread Ignatius Reilly
sleep( nb of seconds ) ;

_
- Original Message - 
From: "..: GamCo :.." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 20, 2004 9:44 AM
Subject: [PHP-DB] Wait Statement... ?


> Hi all,
> 
> I would like to add a line of code in PHP that will execute a wait before
> executing the next set of code. How do i do that ?
> 
> Regards,
> 
> GM
> 



[PHP-DB] Wait Statement... ?

2004-07-20 Thread ..: GamCo :..
Hi all,

I would like to add a line of code in PHP that will execute a wait before
executing the next set of code. How do i do that ?

Regards,

GM
