Paysite owners
 

I need a solution quick. I have tons of passwords hacked on our system everyday and it is starting to eat at the bottomline because legitimate subscribers cannot access the accounts they pay for.
We have pennywize in place and it blocks the brute force guys and kills passwords that are being accessed from more than a certain number of subnets in a 24 hour period.
How can i get something like this?
http://members.hardcoretraining.com/?lang=en
This seems to be the way to go.

get .htscess installed
I had the problem, but not really bad with passwords floating around at the crack sites.

Damn, why didn't we think of that!

anyone with a solid idea please post here

Hit me up on ICQ @ 5956902

bizzzump for a good q

ProxyPass does much better than Pennywize, but you still need to keep an eye if they get creative. It does block proxy attacks, and all the usual stuff pennywize does. Make sure your billing processors' software is the latest version. (Which processors?)

-doug

we have the same problem. after a certain level of members htaccess was crunched. so we set up a mysql db.... but now we are going to switch to generating the user/pass for the customer. this should help a lot against brute force attacks.

go with Password Sentry..it's better than Pennywize ...I've used it for 2 years now and wouldn't use anything else !

:thumbsup

Ivy

I like that... I'd be interested in something like that for my sites.

As already mentioned proxy pass is the way to go. I used to have pennywize and had a lot of problems, since I got proxie pass I haven't had a single break in in around 8 months.. with pennywize I was getting 1 a week.

Chris -- before you start randomly generating user/passes you should check out proxy pass.. will save your members a lot of hassle!

We have both password sentry and proxypass (I am suspenders and belt type of guy) . They have both been excellent for us and the password sentry guy is one of the nicest guys in the world .

You guys got a link for Proxy Pass?

Thanks.

None is 8 months? shit man..i have 60 hacked every day and i am am mysql and pennywize

What makes proxypass so much better than pennywize?

first you should identify how they get in the first place.

- some of them use bruteforce attacks to guess the logins.
- some of them find a backdoor to insert their own user logins into your user management system.

pennywize is good for detecting multiple uses of the same login but you need a solution that blocks brute force attacks at the server connection level as well, so they dont even get to apache.

I use pennywize and have anywhere from 20k-80k log-in attempts daily and I might have one leak a month. On your sign-up forms tell the visitor to use one uppercase and a number in their user/pass.

One small line will save ya tons of trouble.

does proxypass do this better than pennywize?

Proxypass doesn't do what he is talking about. His is server level and custom coded.

national-net has a custom solution for what i have mentioned, but other than that i havent looked around for any alternatives

Strongbox is a whole new approach that is WAY above and beyond
anything like Pennydumb.
Not only does it keep the hurlers from getting in, but it discourages
them from even continueing the attack and slowing your server.
It protects from hurlers (brute force attacks), password sites, and various
other evils.
Unlike PennyWize, Password Sentry, or other old fashioned approaches,
Strongbox is 100% compatible with the latest versions of Microsoft Media
Player.
That, and the price is definitely right.
Several of the well know members of this board, TLA's, and
GFY use it on all of their pay sites and swear by it.

For more information, see:
http://webmastersguide.com/?htaccess-cgi/strongbox/