views:

140

answers:

1

I'm trying to secure my Rails 3 app against brute force login guessing. I'm using Authlogic. What's the best way to force a user (or bot) to fill out a captcha after a specific number of failed login attempts? Does Authlogic have a built-in mechanism for recording how many consecutive failed attempts came from the same IP? I'd appreciate any help.

+1  A: 

Authlogic has an Authlogic::Session::BruteForceProtection module (you can find how it's implemented here). Basically, it blocks an account after N unsuccessful logins. From its documentation:

By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right. If you wish to lower this number just set the configuration to a lower number:

  class UserSession < Authlogic::Session::Base
    # suspend the account after 10 consecutive failed logins instead of the default 50
    consecutive_failed_logins_limit 10
  end

In order to enable this field your model MUST have a failed_login_count (integer) field.

You could activate this module and add your captcha mechanism in the controller.

Later edit: I have just seen the 'from the same IP' part.

If you need a 'from the same IP' protection (I assume you mean that the attacker is not interested in a particular account, so the purpose is not to crack a particular account, but a DoS attack), then in my opinion it shouldn't be done at this level (Rails application server). This should be handled by your system administrator, on the front-end (proxy) server.

Vlad Zloteanu
Note: You will still need to tell your app server that login failed, no? My only suggestion is invoking `being_brute_force_protected?` when trying to log in manually. If set to true then render the captcha, set the limit to 3 attempts, and the lockout time for 1 millisecond.
Dmitriy Likhten
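To make the mechanism in the answer and the comment concrete, here is an added plain-Ruby model (not Authlogic's own code) of the per-account failed_login_count counter, the ban window, and a captcha gate placed in front of it; the class name LoginGate, the keyword arguments and the demo limits are assumptions, and the ban check uses the time of the last failure where Authlogic looks at the record's updated_at.

```ruby
require 'time'

# Stand-alone model of Authlogic::Session::BruteForceProtection's counter plus
# the captcha step suggested in the comment above. Not Authlogic code.
class LoginGate
  attr_reader :failed_login_count, :last_failure_at

  # limit mirrors consecutive_failed_logins_limit; ban_for mirrors
  # failed_login_ban_for in seconds (0 means the lockout never expires).
  # The defaults here are chosen for the demo, not Authlogic's defaults.
  def initialize(limit: 3, ban_for: 2 * 60 * 60)
    @limit = limit
    @ban_for = ban_for
    @failed_login_count = 0
    @last_failure_at = nil
  end

  # Same question Authlogic's being_brute_force_protected? answers: has the
  # account hit the limit, and is the most recent failure inside the ban window?
  def being_brute_force_protected?(now = Time.now)
    return false if @failed_login_count < @limit
    return true if @ban_for.zero? || @last_failure_at.nil?
    (now - @last_failure_at) < @ban_for
  end

  # One login attempt as the controller would see it.
  # password_ok: whether the credentials matched.
  # captcha_ok: nil when no captcha was submitted, true/false when one was.
  # Returns a symbol the controller can branch on.
  def attempt(password_ok:, captcha_ok: nil, now: Time.now)
    if being_brute_force_protected?(now)
      return :captcha_required if captcha_ok.nil?
      return :captcha_failed unless captcha_ok
      @failed_login_count = 0 # a solved captcha clears the counter, like a success
    end
    if password_ok
      @failed_login_count = 0
      :logged_in
    else
      @failed_login_count += 1
      @last_failure_at = now
      :invalid_credentials
    end
  end
end
```

Note that the counter lives on the account record, so this protects a single account, not a single source IP, which is the distinction the answer draws.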