security - How to defend excessive login requests? -


Our team has created a web application using rubies on Rails, it is not currently restricted to users due to excessive login requests Does. We want to ignore the user's login requests for some time after several unsuccessful attempts to automatically protect the robots.

These are my questions:

  1. How can one write a program or script that can make excessive requests on our website? I need this because it will help me test our web application.

  2. What is the method of restricting a user who made some unsuccessful login attempts within a period? Are there underlying solutions to identify Ruby on request of a requestor and to make a request to him recently? If not, is there a common way of identifying a requestor (not specific to the Ruby on Rail) and keep track of the requester's activities? Can I identify the user with IP address or cookies or any other information that I can collect from his machine? We also expect that we can distinguish between normal users (who make a singular request) from automated robots (which often request).

Thank you!

# 1, there are several automation tools that can simulate large amounts of posting in a given URL Are there. Depending on your platform, something as simple as wget may be; Or a complex (relatively speaking) script that asks the user to post a request multiple times in succession (again, depending on the platform, it can be easy, this work can be 1 May also be based on the language of choice).

In relation to # 2, manually firing several attempts in view of the low number of the first person; In such instances, usually a session is shared (on actual Web server sessions); You should be able to track the failed login based on these session IDs, if the volume of any unsuccessful attempts breaks some thresholds. I do not know any plug-ins or gems which are special, but even if there is not one, then this solution should be simple enough to make it.

If session ID does not work, then a combination of IP and useragent is also a very safe tool, though such people who use a proxy, do not know how to do this kind of practice (Whether it is an issue or not dependent on the needs of your business).

If the attacker is malicious, you may need to block their access when using firewall rules, because they are probably going: a) use a proxy (such as IP rotation ), B) Do not use cookies during testing, and c) Play Good with No UserAgent String.


Comments

Post a Comment

Popular posts from this blog

sql - dynamically varied number of conditions in the 'where' statement using LINQ -

I am using my first project LINQ (in mvc), so maybe there's something very simple that I remember. However, a day of searching and experimenting does not work, so it works. I am trying to write a LINQ query (Linux to SQL) in which in many cases where the statement is different from an OR or an AND. We do not know how many conditions are going in the query till runtime. This search is for filter control, where the user can choose multiple criteria for filtering. Select from table where table.col = 1 or table.col = 2 or table.col = 7 .... 'Other number of conditions Before I just create the SQL query as a string, while looping over all the situations. However, it seems that there should be a good way to do this in LINQ. I tried to use Expression trees, but they had a second thought for this moment on my head, where the lambda function was to be executed inside the statement such as: values ​​for matchingRows = matchingRows for each value Where (function (row) row.c...
Read more

asp.net mvc - Dynamically Generated Ajax.BeginForm -

I have a problem with ASP.NET MVC Ajax forms. I generate many Ajax form in a table such as: & Lt; Input type = "submit" name = "activity" value = "add activity" / & gt; & Lt;%}% & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt;%}% & gt; So far so good. When I post one of those forms, it gives a partial view in a div, and in this new partial view a new Ajax Beginnform (which is not in Genesis form) This second Ajax Beginnorf is exactly like the ones I got on the table, but when I post it, I do not get the "Ajax Post", but a normal post that sends me to a new page, I do not know whether the two Ajax forms What is the reason for the difference between, why is it the "dynamically generated" Ajax form behaves like a normal HTML form? By the way, I know that I can do it in different ways using javascript, but I would like to understand whether it can only be done using MVC helplars and Ajax lib...
Read more

Debug on symbian -

I am using trk for phone debug This works well for the Holorld project But when I start the project in phone debug mode 1) the load failed 2) TrkProtocolPlugin: to target the specified file Failure (please verify If any body understands what problem I am experiencing, then this problem helps me Pre-release If the application has the privileges assigned (with the appropriate certificate) itemprop = "text" > In your case, I will check: / li> If there is no conflict of application ID with any other application of device If there are problematic commands in the installation package (for example copy copy for non-accessible directories)
Read more