Blocking a Computer
Hi,
I am running a rather large online game... with some real pranks playing... The problem is that some people hack other people's accounts (brute forcing the passwords).
Anyway, I would make a restriction so that 20 wrong attempts at a password blocks the computer.
I know several ways.. but they are easy to get around:
Cookies. Would work in the beginning, but people would soon find out to delete them anyway
IP block. Would help some, but people can get through a proxy.
And that's about all!
I have heard of a mac-addy... As far as I know it is unique to each computer, and cannot be changed... I don't know if that is true.
Anyway, can anyone tell me and help me find the best way to keep an eye on computers, and block them?
I really hope you can.
Thanks in advance.
~Casper
Peter J. Boettcher posted this at 19:52 — 22nd August 2001.
They have: 812 posts
Joined: Feb 2000
If you can force people to use cookies then I would use Sessions.
Add a counter on the Session_OnStart, example:
Sub Session_OnStart
    Session("LoginCounter") = 0
End Sub
In your login handler page just increment as needed:
If Login = false Then Session("LoginCounter") = Session("LoginCounter") + 1
Then just build in the logic in the login form to deny any attempts after a certain number:
If Session("LoginCounter") < 5 Then
    ' Display the login form here
Else
    Response.Write "Exceeded valid login attempts"
End If
You could also record the IP number and disable it for 30 minutes or something, would make it more of a pain for the hackers since they would have to use a new IP for at least 30 minutes.
If you can't force cookies then maybe use hidden form fields and increment them as necessary.
You can't rely on IP since any serious hacker can spoof.
PJ | Are we there yet?
pjboettcher.com
hotcut posted this at 19:55 — 22nd August 2001.
They have: 133 posts
Joined: Sep 2000
Yes, I see your point...
My entire site relies on sessions, and therefore also cookies... The problem is that any real hacker will easily be able to simply delete those cookies!
Banning the IP ain't good either... If someone for instance tries to hack an account from a school, I would be blocking that whole complex for 30 minutes.
I believe that as of this cookies are the best thing... However, isn't there a better way? Hasn't every computer gotten other ways of being found than using the IP?
Again... I have heard a lot of this mac-addy... is that by any chance something you know anything about?
Thanks for your help thus far
~Casper
Peter J. Boettcher posted this at 20:29 — 22nd August 2001.
They have: 812 posts
Joined: Feb 2000
I don't really see any way around this unless you do one of the following:
1) Set up a client certificate that is required to login.
2) Make your login page use a client-side ActiveX control.
The MAC/Physical address is not available in the Server Variables.
Your best bet is just to make it as much of a pain to hack as possible. Use hidden form fields, and only give them 3 or so attempts.
PJ | Are we there yet?
pjboettcher.com
lurch posted this at 13:59 — 29th August 2001.
They have: 7 posts
Joined: Feb 2001
Why don't you just disallow any attempts to log in with that particular username after, say, 6 attempts or so... don't even bother checking where they're from.. just don't let anybody log in with that username for an hour or something. Maybe you could log whatever information about the attempted login that you can get so you can try and find patterns and track whoever is doing that stuff...
just some thoughts!
you rang???
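The per-username lockout suggested in this post, combined with the timed IP block from the earlier reply, as an added example that is not part of the thread or any poster's code. It is written in Python rather than the thread's ASP; the class name `LoginThrottle`, the constants, and the audit tuple layout are assumptions, with thresholds taken from the numbers mentioned in the thread.

```python
import time
from collections import defaultdict

USER_LIMIT, USER_LOCK = 6, 3600   # about 6 tries, username locked for an hour
IP_LIMIT, IP_LOCK = 20, 1800      # 20 tries (first post), IP blocked 30 minutes

class LoginThrottle:
    """Server-side failure counters; deleting cookies does not reset them."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can move time
        self.failures = defaultdict(list)   # key -> timestamps of failures
        self.locked_until = {}              # key -> time the lock expires
        self.audit = []                     # (time, username, ip, outcome)

    def _blocked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def _fail(self, key, now, limit, lock):
        # Keep only failures inside the window, then count this one.
        recent = [t for t in self.failures[key] if now - t < lock] + [now]
        self.failures[key] = recent
        if len(recent) >= limit:
            self.locked_until[key] = now + lock
            self.failures[key] = []

    def attempt(self, username, ip, password_ok):
        """Return 'ok', 'denied' or 'locked', and record the attempt."""
        now = self.clock()
        ukey, ikey = ("user", username.lower()), ("ip", ip)
        if self._blocked(ukey, now) or self._blocked(ikey, now):
            outcome = "locked"   # password result is ignored while locked
        elif password_ok:
            outcome = "ok"
            self.failures.pop(ukey, None)   # clears the user counter only
        else:
            outcome = "denied"
            self._fail(ukey, now, USER_LIMIT, USER_LOCK)
            self._fail(ikey, now, IP_LIMIT, IP_LOCK)
        # Logged for later pattern analysis, as the post suggests.
        self.audit.append((now, username, ip, outcome))
        return outcome
```

While a username is locked, a correct password is refused as well, and the IP counter is not reset by a successful login from that address.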
hotcut posted this at 14:57 — 29th August 2001.
They have: 133 posts
Joined: Sep 2000
Good idea.. However people like to ruin it for others! They would simply start disabling each other's accounts
The IP blocking might be the best as of now...
Thanks for your help everyone!!
~casper