2

I have a website with protected content and I've recently started getting a lot of email alerts about unsuccessful logins. It gets really annoying, about one attempt in a minute or two on average.

Because I host the website on a dedicated Windows box and I log the IPs, I realized that these requests are not coming from regular visitors to my site (because statcounter doesn't record the IPs), but from automated scripts from many different IP addresses (mostly from Ukraine, but mainly Reverse DNS cannot locate them).

I created a blocking rule in Windows Firewall and started to add all the addresses I found in the log file, but they are many. I already added probably 50 (5 times by 10 IPs) and this is stopping them only for a few hours and then new IPs start coming around.

I am actually a software programmer and managing a real server is not my best side. Are there any tools that I can use to prevent these attacks?

Sam
Goran
    Why do you have email alerts for unsuccessful logins? – SLaks Sep 14 '11 at 17:34
  • Because I wrote the code myself and wanted to know when someone has problems logging in and this was useful at the beginning. – Goran Sep 14 '11 at 17:38
  • If you know who your regular users are (and there aren't many) I would add firewall rules to let them in and keep everyone else out. This may not be desirable for a public facing website but can be considered for corporate behind the firewall websites. – Deep Kapadia Sep 14 '11 at 17:45
  • Can you not have a "forgot password" or "having problems logging in" link like most other websites do? This is such an odd way to mitigate login issues. – Deep Kapadia Sep 14 '11 at 17:52
  • @Deep Kapadia: the problem is that these users are never loading the login.aspx page, they just POST to it. I am certain these are not users at all but scripts. – Goran Sep 14 '11 at 17:57
  • Yes that is fine. But I am talking about the fact that you get an email message on every unsuccessful login is probably an overkill. If your users have issues, provide them with a link to report the issue is all I am trying to say. This is not going to help you with the hackers but will help you with your email not getting spammed with unsuccessful login messages. – Deep Kapadia Sep 14 '11 at 17:59
  • Got you now. The thing is, I am managing several websites and found email alerts useful on several occasions (particular after an update). This doesn't happen only on login, but in general on an exception and is a way of finding bugs in my software while not constantly monitoring the logs. – Goran Sep 14 '11 at 20:01

2 Answers

4

You should implement a rate limiter in your code.

If you get more than (for example) 4 failed login requests from the same IP in 5 minutes, require a CAPTCHA for the next login.
Google Accounts login pages do exactly this.

SLaks
  • This will work but one needs to understand that if a lot of your users are behind a single subnet and people are constantly logging in, most of the users will see the captcha. Nothing wrong with it. Just making sure that OP is aware of this. – Deep Kapadia Sep 14 '11 at 17:42
  • @Deep: You're right; I should have said **failed** login requests. – SLaks Sep 14 '11 at 17:43
  • Well, if I think this way, I could even write code so that if there was no GET on the login.aspx in the same session, I can just ignore the POST. – Goran Sep 14 '11 at 17:47
  • @Goran: You mean to use something like a CSRF token, requiring a unique token from the GET for each login POST. Note that the attacker might modify his code to do the GET and find the token. – SLaks Sep 14 '11 at 17:49
  • This is good, but may not work – It sounds like whoever is hitting the server is doing so with spoofed IPs or zombies. You might consider a (hidden) fake captcha-like field entry – something that would only be visible through the HTML. Then check if it contains a value first on submission. If it does, deny the login and return. **edit** Alternatively, view this: http://blog.phpmoz.org/php-tutorial-secure-your-login-form-using-tokens/ – stslavik Sep 14 '11 at 17:49
  • @stslavik: your suggestion seems pretty easy to add, I'll probably try it, thanks! – Goran Sep 14 '11 at 17:55
  • Just remember: Security is all about making your site less appealing than another. Locks (or, in this case, login scripts) only keep honest people out. There are still 50 other ways for them to break in – you just have to make it not worth their time/effort. If they're just trying to crack passwords to your site, the easiest solution to make your login less penetrable is to increase the requirements during registration – increased bits of entropy in passwords will help with that too. – stslavik Sep 14 '11 at 18:02
  • I implemented this with a static token in a hidden field, let's see what will happen. Thank you all guys! – Goran Sep 14 '11 at 18:56
  • Much better now, no email for more than half an hour. I am checking the token and if it is not the fixed one in the html I just return "Invalid credentials" without accessing the DB or logging anything. I believe it will stop them at least for awhile. Thanks to all. – Goran Sep 14 '11 at 20:05
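As an added illustration of the rate limiter SLaks describes (this is not code from the question or any answer), a sliding-window counter keyed by client IP that records only failed attempts, so a NAT full of users who log in successfully does not trip the CAPTCHA; the 4-failures-in-5-minutes threshold is the answer's example figure, the IP addresses are constructed, and the clock is injectable so the window can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # the answer's example window: 5 minutes
MAX_FAILURES = 4          # more than 4 failures in the window => CAPTCHA


class FailedLoginLimiter:
    """Sliding-window count of failed logins per client IP.

    Successful logins are not counted (the correction made in the
    comments), and a successful login clears the IP's failure history.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # ip -> failure timestamps

    def _recent(self, ip, now):
        """Drop timestamps older than the window; return the live deque."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def captcha_required(self, ip):
        """True once the IP has exceeded max_failures within the window."""
        return len(self._recent(ip, self.clock())) > self.max_failures

    def record_attempt(self, ip, success):
        """Call after each login POST has been evaluated."""
        if success:
            self._failures.pop(ip, None)
        else:
            now = self.clock()
            self._recent(ip, now).append(now)


def handle_login_post(limiter, ip, credentials_ok, captcha_solved=False):
    """Decide the response to a login POST as the answer describes.

    Once the limiter trips, the password is not even checked until a
    CAPTCHA accompanies the request, so scripted POSTs get no signal.
    """
    if limiter.captcha_required(ip) and not captcha_solved:
        return "captcha_required"
    limiter.record_attempt(ip, credentials_ok)
    return "ok" if credentials_ok else "invalid_credentials"
```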
1

It's not a tool but one practice that might be useful is to not include the word "Login" on your page and don't name your aspx page "Login". This might help to prevent crawlers that are looking for common keywords from finding your login page.

Doing something like replacing a text link that contains "Login" with an image that looks just like the text and changing the name of your login form might go a long way to prevent crawlers from even finding your login page.

Example:

<a href="li.aspx"><img src="li.png" /></a>
Abe Miessler