I know that there are already a lot of questions about this, but I didn't find any answer that suits me...

I am creating a site where you can identify yourself to access a specific page. I am doing the authentication with Angular (so, by calling a REST API). I'm planning to use SSL to avoid sniffing, but I'd like to prevent a user from making tons of calls to the REST API to find someone's password (using brute force, for example).

So I told myself that I could simply put a maximum number of attempts per 15 minutes for a specified account, but I don't want an account to be blocked for the real user because someone else is trying to hack it. So I'd like to identify attempts by the IP address of the user, but apparently the only IP I can trust is $_SERVER["REMOTE_ADDR"], and I also read that if the user uses a proxy, the IP will be the proxy's one, so it's not really what I want. I guess that a good hacker could easily change their proxy IP and then be able to resume the attack...

So what would be the best way to prevent that?

Oluwafemi
ssougnez
  • Instead of 15 login attempts from an IP, why not just simply 15 logins at a username? If the username has failed to login 15 times, prevent that username from logging in completely. – Epodax Aug 25 '15 at 09:48
  • Let's imagine I want to find the password of "Mike". I try 15 times to find it and it fails all 15 times. It's quite clear that this is a hack attempt, so, with your idea, the account gets blocked for 10 minutes, but what would happen if the real Mike wanted to log in? He gets rejected because I'm trying to hack him? In this case, we are in the DDOS, because what prevents me from continuing to try to log in? Once the 10-minute delay has expired, the hack will resume and the account will be blocked again => Mike will never be able to log in. – ssougnez Aug 25 '15 at 10:00
  • Then upon 15 tries, when Mike is "banned", send Mike an e-mail that there has been an attempt to hack his user and that he is banned; tell him to change his password and/or verify himself by his e-mail. Lots of ways to do this. – Epodax Aug 25 '15 at 10:02
  • Yeah, I understand that, but the problem is still there... What happens if I don't stop the process that keeps on trying to log in? Once Mike has verified himself through the mail, his account will get blocked again directly. That's why I'm looking for a reliable way to identify the user who makes the request. – ssougnez Aug 25 '15 at 10:23

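The thread above turns on two points: REMOTE_ADDR is the only address the server observed directly (so a client-supplied X-Forwarded-For can only be trusted when it came through your own proxy), and a hard per-account lockout lets an attacker keep the real user out on purpose. The following is an added example, not code from the question or its comments, written in Python rather than the asker's PHP to show the counting logic independently of the framework. It keeps three sliding-window failure counters: a hard block per (account, source IP) pair, a hard block per source IP, and a soft per-account response that only slows the login down (the place to hook a CAPTCHA or the e-mail notification the comments discuss) instead of locking the account. The TRUSTED_PROXIES range, the limits, and all addresses are constructed values for the example.

```python
import ipaddress
import time
from collections import defaultdict

# Assumption for the example: the reverse proxy in front of the app lives in
# this range. Only a connection from here may carry a believable X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, forwarded_for=None):
    """Resolve the client address the way a PHP app would from $_SERVER.

    REMOTE_ADDR is the peer of the TCP connection, so it is the only value the
    server saw itself. X-Forwarded-For is honoured only when REMOTE_ADDR is one
    of our own proxies; with one trusted hop, the right-most entry is the one
    that hop appended, the left-most entries are whatever the client sent."""
    addr = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(addr in net for net in TRUSTED_PROXIES):
        last_hop = forwarded_for.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last_hop))
        except ValueError:
            pass  # malformed header: fall back to the socket address
    return str(addr)


class LoginThrottle:
    """Sliding-window failure counters on three keys.

    - (account, ip): hard block. One source hammering one account is stopped
      without touching the real user logging in from somewhere else.
    - ip: hard block. Caps password spraying across many accounts from one source.
    - account: soft response only (a growing delay, capped), so an attacker who
      fails on purpose cannot lock the legitimate user out.
    """

    def __init__(self, window=15 * 60, pair_limit=5, ip_limit=30,
                 account_soft_limit=15, max_delay=60, now=time.time):
        self.window = window
        self.pair_limit = pair_limit
        self.ip_limit = ip_limit
        self.account_soft_limit = account_soft_limit
        self.max_delay = max_delay
        self.now = now  # injectable clock so the behaviour can be tested
        self._failures = defaultdict(list)  # key -> list of failure timestamps

    def _count(self, key):
        """Drop timestamps outside the window and return how many remain."""
        cutoff = self.now() - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def check(self, account, ip):
        """Decide on an attempt about to be made: (allowed, delay_seconds)."""
        if self._count(("pair", account, ip)) >= self.pair_limit:
            return False, 0
        if self._count(("ip", ip)) >= self.ip_limit:
            return False, 0
        excess = self._count(("account", account)) - self.account_soft_limit
        delay = 0 if excess < 0 else min(2 ** excess, self.max_delay)
        return True, delay

    def record_failure(self, account, ip):
        t = self.now()
        for key in (("pair", account, ip), ("ip", ip), ("account", account)):
            self._failures[key].append(t)

    def record_success(self, account, ip):
        """A real login clears only this source's counter; the account-wide
        count keeps signalling that someone is still probing the account."""
        self._failures.pop(("pair", account, ip), None)
```

In the scenario from the comments, fifteen failures on "mike" spread over three attacking addresses block each of those addresses for that account, while the real Mike, arriving from a fourth address, is still allowed in and merely waits a second. The counters here live in memory for illustration; a multi-process PHP deployment would keep the same keys in a shared store with the same expiry.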
0 Answers