Hey Sleepy,
> Does your method allow even one user/pass to be guessed through a proxy? ..... because, if you allow even one guess the hacker still gets to guess and it's useless.
> 1 Guess times 90,000 proxies = 90,000 guesses
You cannot simply block ALL guesses. This would mean that nobody can log in. Also, when you first click on a members section button with your browser, you are generating one incorrect login right there (with no username/password) which Apache rejects with a 401, and then your browser pops up the familiar username/password box.
The new Pennywize uses two pieces of limiting technology:
a) Per second blocks
b) Per minute blocks
If the number of FAILED login attempts per IP address exceeds the per-second or per-minute threshold, the IP is immediately blocked. By being 'blocked', all future requests are immediately invalidated.
BTW, beware of other products which may artificially delay a response back to the user to slow them down (i.e. pause for 1 second), because this takes up one valuable slot of your web server, and can effectively lead to a Denial-Of-Service.
Thanks,
Steve
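The per-second / per-minute failed-login limiter described in the reply above, as an added example in Python. This is not Pennywize's code and the thresholds, log lines and IP addresses are constructed for illustration; it reads Apache combined-log lines offline, counts the 401s each source IP produced inside a sliding one-second and one-minute window, and, once a threshold is exceeded, rejects everything from that IP afterwards, including a later request with the correct password. The credential-less first hit that Apache answers with a 401 is included in the sample so the thresholds are visibly set above 1.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log format; only the fields the limiter needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


class FailedLoginLimiter:
    """Per-IP sliding-window limits on HTTP 401s (thresholds are hypothetical)."""

    def __init__(self, per_second=3, per_minute=10):
        self.per_second = per_second
        self.per_minute = per_minute
        self.failures = defaultdict(deque)   # ip -> timestamps of its 401s
        self.blocked = {}                    # ip -> time it was blocked

    def _count_within(self, ip, now, window):
        q = self.failures[ip]
        # Nothing older than the longest window (one minute) is ever needed.
        while q and now - q[0] >= timedelta(seconds=60):
            q.popleft()
        return sum(1 for t in q if now - t < window)

    def observe(self, ip, ts, status):
        """Return 'block' if this request must be rejected, else 'allow'."""
        if ip in self.blocked:
            return "block"            # once blocked, every request is rejected
        if status != 401:
            return "allow"            # only failed logins count
        self.failures[ip].append(ts)
        if (self._count_within(ip, ts, timedelta(seconds=1)) > self.per_second
                or self._count_within(ip, ts, timedelta(seconds=60)) > self.per_minute):
            self.blocked[ip] = ts     # reject immediately; no sleep, no held slot
            return "block"
        return "allow"


def process_log(lines, per_second=3, per_minute=10):
    """Replay log lines through the limiter; return per-IP decisions and blocks."""
    limiter = FailedLoginLimiter(per_second, per_minute)
    decisions = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        decisions[ip].append(limiter.observe(ip, ts, status))
    return dict(decisions), limiter.blocked


def _line(ip, user, ts, status):
    # Builds one constructed combined-log line (not real traffic).
    return f'{ip} - {user} [{ts} +0000] "GET /members/ HTTP/1.0" {status} 381'


SAMPLE_LOG = [
    # A real member: the credential-less first hit is a 401, then success.
    _line("10.0.0.5", "-", "10/Oct/2000:13:55:36", 401),
    _line("10.0.0.5", "alice", "10/Oct/2000:13:55:39", 200),
    # A fast guesser: four 401s inside one second, then the right password.
    _line("192.0.2.77", "-", "10/Oct/2000:13:55:40", 401),
    _line("192.0.2.77", "bob", "10/Oct/2000:13:55:40", 401),
    _line("192.0.2.77", "bob", "10/Oct/2000:13:55:40", 401),
    _line("192.0.2.77", "bob", "10/Oct/2000:13:55:40", 401),
    _line("192.0.2.77", "bob", "10/Oct/2000:13:55:42", 200),
] + [
    # A slow guesser: one 401 every 5 seconds, eleven inside one minute.
    _line("198.51.100.9", "carol", f"10/Oct/2000:13:57:{sec:02d}", 401)
    for sec in range(0, 55, 5)
]


if __name__ == "__main__":
    decisions, blocked = process_log(SAMPLE_LOG)
    for ip, seq in decisions.items():
        print(ip, " ".join(seq))
    print("blocked:", sorted(blocked))
```

The fast guesser trips the per-second limit on its fourth 401 and its later correct login is still rejected; the slow guesser never exceeds the per-second limit but is caught by the per-minute one on the eleventh failure. The decision is made by returning "block" rather than sleeping, which is the difference the post draws between blocking and artificially delaying responses. Because the counters are keyed by source IP, each proxy in the quoted 90,000-proxy objection would be counted separately; this example shows the mechanism, not an answer to that objection.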