devise + capcha + on x wrong passwords? - ruby-on-rails-3

Are there any good resources or tutorials, or has anyone tried to implement a captcha on Devise when a user enters x wrong passwords?
The idea is that the captcha shows up after too many requests, to keep bots and other bad guys out and limit the number of requests on the Devise sign-in page.

I can think of doing that in two ways:
The first one is based on the failed_attempts attribute (so you should increment it after each unsuccessful login). To use it on Devise, you may create your own FailureApp, overriding the respond method to increment the failed_attempts attribute on the user. When the user reaches the captcha limit, you may set a flash attribute to signal this, and thus you decide in your controller about the captcha. But there is a problem with this way: as it logs per user, it won't work for a user trying different logins.
The second one is based on the IP: for each unsuccessful login, you keep a record of IPs and unsuccessful attempts, and when an IP reaches a limit you set the already mentioned flash attribute to signal that the number of requests from that IP has already reached the limit and you can show the captcha. You can use ActiveRecord and a relational database, or even something lightweight like Redis, to do that. You may also think about ways to remove old data from this database.

Related

detecting link checkers (spam filter) in incoming HTTP requests

We have a site that uses a "one-time" login process for password resets which are not initiated by the users themselves (for instance, a password reset that is initiated by an admin or another employee). A URL is sent to the user via email which can then be used to reset their password. The URL can only be visited one time. (There's more to this for security's sake, but I'll keep it simple.) Recently, some users have complained that when they visit the link, it has already expired. The end result is that they can't reset their passwords using this feature. We discovered that the users in question have a spam filter or "link checker" in their environment that they do not have access to. This device visits the one-time link before the user is able to, to make sure it's safe.
I'm trying to solve this issue and was wondering if there's a way I can detect these types of devices on the web server when the request is made. When the spam filter visits the link, is there something in the HTTP request that would stand apart from a regular browser? Maybe they all use a specific custom HTTP header? Or maybe there's a regex I could use on the user agent? I haven't been able to catch one of these yet, so I'm not sure what the request looks like coming from a spam filter.
Does anyone know of a way to detect spam filters of any vendor by looking at the HTTP requests? I know it's a long shot, but maybe they all use a specific header for reasons such as this?
I got approval to modify the design to remove the one-time aspect of the URL. This solves the issue and saves me the headache. Thanks for the suggestion, #PeeHaa

Dynamic variable usage in ModSecurity

Brief
I have been trying to write rules to protect a website from DoS attacks, and the website has only one page, /index.php. However, each user is identified by a unique token like this: /index.php?a=abcdef. This page sends a lot of AJAX calls that get and post information periodically, as long as the user is active on the page.
Problem
During a DoS attack, I need to block only the specific user using the token ?a=abcdef, which is dynamic. The actual length of the token is around 45 characters, consisting of [a-zA-Z0-9]. The website is visited by either a single user or a user group (more than 10 users) from an IP address. The problem is, during a DoS attack, when blocking the user, I need to take the token into consideration. However, as far as I understand, unless I use a dynamic variable like tx.dos_counter_%{ARGS_GET}=+1, I may not be able to identify a user uniquely. But when I reference the variable like this, %{tx.dos_counter_%{ARGS_GET}}, to retrieve the value of the dynamic variable, it returns null.
Questions
Is it possible to use dynamic variables, as mentioned above, in ModSecurity?
Is there any other way to handle this problem?
Miscellaneous
This website runs on LAMP stack (Ubuntu) with ModSecurity.
Please help me solve this issue.
Many thanks in advance.
Thanks,
Daniel

Preventing denial of service from locking user accounts after too many attempts

It seems to be common practice to lock user accounts after enough failed attempts in a particular time window.
I am wondering how you prevent denial-of-service attacks since a malicious user who had the username of someone he wished to DoS could simply rapidly make logon attempts.
Is the remedy to lock the account only for the IP address of the user who exceeded the logon attempt count + window?
Is there any better way?
EDIT:
I don't want to make my users solve a captcha on each login attempt.
You shouldn't block the user by their IP, because maybe it is a real user who forgot his password and did the retries manually.
The worst thing (business-wise) is that a real user will not be able to access your service.
So, your problem is actually "How do I know that the user is not a robot?".
One of the most popular ways to deal with this is to use a different mechanism for multiple login attempts.
For instance, Google uses a captcha after about 3 tries, so an automatic bot will get stuck at this stage.
Of course it is possible to get the bot to read the captcha, but it's a start.
You can read more about captcha implementation on their official site: http://www.captcha.net/
Other alternative ideas here: http://econsultancy.com/il/blog/63144-six-alternatives-to-using-the-dreaded-captcha-images
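The two answers above agree on the mechanics: count failed logins (per user and per IP, with old data expired), and step up to a captcha instead of locking the account so that someone who knows a username cannot deny its owner service. The following is an added example, not code from either post and not Devise's own code: an in-memory tracker that stands in for the Redis or ActiveRecord store the first answer mentions. The class name, limits and window are assumptions; the clock is injectable only so the expiry logic can be exercised without waiting.

```ruby
require 'time'

# Added example: counts failed logins per IP and per login name, expires old
# counters, and answers one question for the sign-in controller:
# "should this request see a captcha?". It never locks the account, so an
# attacker who knows a username can at most force a captcha onto it.
class FailedLoginTracker
  Entry = Struct.new(:count, :first_failure_at)

  # Limits and window are constructed values for the example, not recommendations.
  def initialize(ip_limit: 10, login_limit: 3, window_seconds: 900, clock: -> { Time.now })
    @ip_limit = ip_limit
    @login_limit = login_limit
    @window = window_seconds
    @clock = clock
    @by_ip = {}     # ip address  => Entry
    @by_login = {}  # login name  => Entry
  end

  # Call from the place that sees a failed login (in Devise, the FailureApp's
  # respond method the first answer describes).
  def record_failure(ip:, login:)
    bump(@by_ip, ip)
    key = normalize(login)
    bump(@by_login, key) unless key.empty?
  end

  # Call after a successful login so a legitimate user is not nagged forever.
  def record_success(ip:, login:)
    @by_ip.delete(ip)
    @by_login.delete(normalize(login))
  end

  # True when either the IP or the login name has hit its limit inside the window.
  def captcha_required?(ip:, login: nil)
    prune_expired
    ip_hit = @by_ip.key?(ip) && @by_ip[ip].count >= @ip_limit
    key = normalize(login)
    login_hit = !key.empty? && @by_login.key?(key) && @by_login[key].count >= @login_limit
    ip_hit || login_hit
  end

  # The "remove old data" step: drop counters whose window has elapsed.
  def prune_expired
    now = @clock.call
    [@by_ip, @by_login].each do |table|
      table.delete_if { |_, entry| now - entry.first_failure_at > @window }
    end
  end

  private

  def normalize(login)
    login.to_s.strip.downcase
  end

  def bump(table, key)
    now = @clock.call
    entry = table[key]
    if entry.nil? || now - entry.first_failure_at > @window
      table[key] = Entry.new(1, now)   # start a fresh window
    else
      entry.count += 1
    end
  end
end
```

In a Devise app the controller would consult captcha_required? before rendering the sign-in form and again before calling warden, showing and verifying the captcha when it returns true; a successful login calls record_success so the counters do not follow the user around. The per-login counter covers the case the first answer's user-based approach already handles, and the per-IP counter covers the case it misses (one source trying many logins); neither path ever locks the account.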

Implementing anonymous authentication and double voting prevention

I am thinking of ways to implement a mechanism which enables a user to vote without logging any of his details. Each user has a set of attributes that enable him to vote, for example ID, name, email ID.
Using these attributes we must guarantee that the user can vote the first time. During this time, complete anonymity is guaranteed.
But if the user comes a second time to vote, he should not be allowed to vote. Is this remotely possible? We are not storing any of the information related to the user: no IP address, email ID or student ID. They are just used as a means of authentication.
I read many research papers on this but was not able to find anything specific.
"a mechanism which enables a user to vote without logging any of his details"
Sure you can. Just don't log anything. But you do need to store information about which user has voted. You actually need info about the user, not the machine the user used, as the user could vote from another machine.
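The answer's distinction, "store which user has voted, not the user", is easiest to see in code. The following is an added example, not from the question or the answer: the attributes used for authentication are reduced to a keyed hash (HMAC-SHA256 under a secret held by the election server) and only that hash is stored in the "has voted" set, while ballots go into a separate list with no link back to the hash. The class, method names and the choice of HMAC are assumptions made for the example.

```ruby
require 'openssl'

# Added example: a "has voted" set keyed by an HMAC of the voter's attributes,
# kept apart from the ballots themselves. Without the secret key, the stored
# tokens cannot be turned back into IDs or email addresses, and nothing links a
# token to a ballot.
class AnonymousBallotBox
  def initialize(secret_key)
    @secret_key = secret_key
    @voted_tokens = {}   # token => true: which voters have voted
    @ballots = []        # choices only, no voter information
  end

  # Derive a stable token from the authentication attributes. Normalising first
  # means "Alice@Example.org" and "alice@example.org" count as the same voter.
  def voter_token(id:, email:)
    material = "#{id.to_s.strip}\n#{email.to_s.strip.downcase}"
    OpenSSL::HMAC.hexdigest('SHA256', @secret_key, material)
  end

  # Returns true if the vote was accepted, false if this voter already voted.
  # The token check happens before the ballot is appended, so a rejected second
  # attempt leaves no trace in either store.
  def cast(id:, email:, choice:)
    token = voter_token(id: id, email: email)
    return false if @voted_tokens.key?(token)

    @voted_tokens[token] = true
    @ballots << choice
    true
  end

  def tally
    @ballots.tally
  end

  def voted_count
    @voted_tokens.size
  end

  # What an operator (or an intruder) would see in storage: hex tokens and
  # choices, with nothing joining the two.
  def stored_records
    { tokens: @voted_tokens.keys, ballots: @ballots.dup }
  end
end
```

Two caveats a practitioner would raise: if the secret key and the voter roll both leak, the tokens can be recomputed and reveal who voted (though still not how they voted), so the key deserves the same protection as the ballots; and because ballots are appended in arrival order, anyone who can also observe when each voter cast would have a timing correlation, which is why real systems shuffle or batch ballots before storing them.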

Subdomain Login Rails 3.2

I'm creating a Rails 3.2 app at the moment and I'm trying to make it as simple as possible for a user to log in, preferably using only a 4-digit code.
I was thinking about creating a subdomain for each user, and then just limiting the password to four digits and make it numerical only (which I guess would work).
However, I don't really need such a complicated set up, all the users will see roughly the same thing, and there's no private information between users, it's simply to save time logging in, so they don't need to bother with a username.
Does anyone have any suggestion about how I could do this and then implement it?
Any help is greatly appreciated.
Why not just use their email address on login? I wouldn't limit how complex the password is. This should be very easy with Devise.
Another point that should be made is that a 4-digit number is not secure at all. There are only 10,000 passwords to choose from. Very easy to crack with the proper software.
The solution: just use email and password. Simple to do and an Internet standard.