Zubrag.com :: Forum

zubrag.com => Password Protect => Topic started by: tazar on March 26, 2017, 08:14:20 AM

Title: Brute force protection
Post by: tazar on March 26, 2017, 08:14:20 AM
Thank you for your great password_protect.php script!!

How would you integrate brute force protection into this script?
I'm looking to add a little additional security, without using a MySQL DB and on a hosted domain (i.e., no PHP modules configurable). Any suggestion?

I got the following code from https://coderwall.com/p/sauviq/brute-force-protection-in-php but can't figure out how to integrate it into your script... and maybe it is not the best way to do it??

Code:
<?php
// Per-IP login throttle kept in the APC shared-memory cache (apc_* functions
// need the APC extension; on APCu the equivalents are apcu_fetch/apcu_store/apcu_delete).
$apc_key         = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
$apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";

// Refuse outright once this address has accumulated 10 failures within the current window.
$tries = (int) apc_fetch($apc_key);
if ($tries >= 10) {
    header("HTTP/1.1 429 Too Many Requests");
    echo "You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.";
    exit();
}

// login() is the application's own credential check; it is not defined in this snippet.
$success = login($_POST['username'] ?? '', $_POST['password'] ?? '');
if (!$success) {
    $blocked = (int) apc_fetch($apc_blocked_key);

    // Keep the failure counter for 2^(blocked+1) minutes: 2, 4, 8, 16, ... so the
    // window grows with every failure recorded in the last 24 hours.
    apc_store($apc_key, $tries + 1, pow(2, $blocked + 1) * 60);
    // Count failures (and thus window doublings) for this address over 24 hours.
    apc_store($apc_blocked_key, $blocked + 1, 86400);
} else {
    // A correct login clears both counters for this address.
    apc_delete($apc_key);
    apc_delete($apc_blocked_key);
}
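
The snippet above depends on the APC extension (apc_fetch/apc_store), which is exactly the kind of PHP module a shared host may not provide. The following is an added example, not part of tazar's post and not code from password_protect.php, of the same idea backed by flat files instead: one small JSON file per client under a writable directory, an exclusive flock() around every read-modify-write, and a lockout that doubles with each round of failures. All bf_* names, the constants, and CORRECT_PASSWORD are hypothetical; the thresholds are assumptions to tune.

```php
<?php
// Added example (not from the post above or from password_protect.php):
// per-client brute-force throttling backed by flat files, for hosts with
// no database and no APC/APCu. All bf_* names and constants are hypothetical.

define('BF_STATE_DIR', __DIR__ . '/bf_state'); // must be writable; keep it outside the web root
define('BF_MAX_TRIES', 5);           // failures tolerated before the first lockout
define('BF_BASE_LOCK', 120);         // first lockout in seconds, then 240, 480, ...
define('BF_MAX_LOCK', 24 * 3600);    // ceiling on the lockout length
define('BF_RESET_AFTER', 24 * 3600); // a client quiet this long starts clean
define('CORRECT_PASSWORD', 'change-me'); // hypothetical stand-in for the script's own password

// One JSON file per client. Hashing the key means the client string
// (an IP address or anything else) can never become a path component.
function bf_state_path(string $client): string
{
    if (!is_dir(BF_STATE_DIR) && !mkdir(BF_STATE_DIR, 0700, true)) {
        throw new RuntimeException('cannot create ' . BF_STATE_DIR);
    }
    return BF_STATE_DIR . '/' . hash('sha256', $client) . '.json';
}

// Load the client's state, hand it to $fn by reference under an exclusive
// lock, then write it back. Returns whatever $fn returns.
function bf_with_state(string $client, callable $fn)
{
    $fh = fopen(bf_state_path($client), 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        // Fail closed: if attempts cannot be tracked, do not accept logins.
        throw new RuntimeException('cannot lock brute-force state');
    }
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || time() - ($state['updated'] ?? 0) > BF_RESET_AFTER) {
        $state = ['tries' => 0, 'locks' => 0, 'locked_until' => 0];
    }
    $result = $fn($state);
    $state['updated'] = time();
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $result;
}

// Seconds the client must still wait, or 0 if an attempt may proceed.
function bf_seconds_locked(string $client): int
{
    return bf_with_state($client, function (array &$state): int {
        return max(0, (int) $state['locked_until'] - time());
    });
}

// A failed login. Every BF_MAX_TRIES failures start a lockout whose length
// doubles with each lockout, up to BF_MAX_LOCK.
function bf_record_failure(string $client): void
{
    bf_with_state($client, function (array &$state): void {
        $state['tries']++;
        if ($state['tries'] >= BF_MAX_TRIES) {
            $state['tries'] = 0;
            $state['locks']++;
            $lock = min(BF_MAX_LOCK, BF_BASE_LOCK * (2 ** ($state['locks'] - 1)));
            $state['locked_until'] = time() + $lock;
        }
    });
}

// A successful login clears the client's history.
function bf_record_success(string $client): void
{
    bf_with_state($client, function (array &$state): void {
        $state['tries'] = 0;
        $state['locks'] = 0;
        $state['locked_until'] = 0;
    });
}

// Glue for a login handler such as password_protect.php: refuse while locked,
// otherwise check the password and record the outcome.
function bf_guarded_login(string $client, string $submitted): bool
{
    $wait = bf_seconds_locked($client);
    if ($wait > 0) {
        header('HTTP/1.1 429 Too Many Requests');
        header('Retry-After: ' . $wait);
        exit("Too many failed logins; try again in $wait seconds.");
    }
    usleep(500000); // a flat half second per attempt slows every guess, even from fresh addresses
    $ok = hash_equals(CORRECT_PASSWORD, $submitted);
    $ok ? bf_record_success($client) : bf_record_failure($client);
    return $ok;
}

// In the request handler (REMOTE_ADDR is set by the web server, not by the client):
// $ok = bf_guarded_login($_SERVER['REMOTE_ADDR'], (string) ($_POST['password'] ?? ''));
```

Two caveats apply to any per-address scheme, this one and the APC version alike. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so every visitor shares one counter; only substitute a forwarded-for header if it is set by a proxy you control, since otherwise a client can pick its own key. In the other direction, an attacker with many addresses gets a fresh counter each time, which is why the fixed per-attempt delay and a strong password do more than the lockout does. The file store also needs housekeeping: each distinct client creates a file, so prune entries older than BF_RESET_AFTER from a cron job or opportunistically on login. Keeping the directory at mode 0700 stops other accounts on a shared host from reading which addresses are being throttled.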


Title: Re: Brute force protection
Post by: Breenda on September 06, 2017, 02:19:20 AM
Thanks for your sharing, it helps me a lot.