I'm trying to secure my Rails 3 app against brute-force login guessing. I'm using Authlogic. What's the best way to force a user (or bot) to fill out a CAPTCHA after a specific number of failed login attempts? Does Authlogic have a built-in mechanism for recording how many consecutive failed attempts came from the same IP? I'd appreciate any help.
Authlogic has an Authlogic::Session::BruteForceProtection module (you can find how it's implemented here). Basically, it blocks an account after N unsuccessful logins. From its documentation:
By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right. If you wish to lower this number just set the configuration to a lower number:
class UserSession < Authlogic::Session::Base
  # Lock the account after 10 consecutive failed logins instead of the default 50
  consecutive_failed_logins_limit 10
end
In order to enable this field your model MUST have a failed_login_count (integer) field.
You could activate this module and add your captcha mechanism in the controller.
Later edit: I have just seen the 'from the same IP' part.
If you need a 'from the same IP' protection (I assume you mean that the attacker is not interested in a particular account, so the purpose is not to crack a particular account, but a DoS attack), then in my opinion it shouldn't be done at this level (Rails application server). This should be handled by your system administrator, on the front-end (proxy) server.
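As an added example that is not part of the question or the answer above, and not Authlogic's own code, the following self-contained Ruby sketch imitates what the answer describes: a per-account failed_login_count that locks the account once it reaches the configured limit, with a CAPTCHA gate in front of it that the controller would apply after a smaller number of failures. The User and LoginGuard classes, the CAPTCHA_AFTER, LOCK_AFTER and BAN_SECONDS values, the two-hour lock duration, the SHA-256 stand-in for password hashing and the sample account are all assumptions made for this example; a real app would let Authlogic's session model do the counting, locking and password hashing. Per-IP counting is deliberately left out, following the answer's advice to handle that at the proxy.

```ruby
require 'digest'

# Constructed stand-in for one row of the users table. The only column the
# answer's module needs is failed_login_count (integer); failed_at stands in
# for the timestamp used to expire a lock.
class User
  attr_reader :login
  attr_accessor :failed_login_count, :failed_at

  def initialize(login, password)
    @login = login
    @salt = "demo-salt-#{login}"        # constructed; use a random per-user salt in a real app
    @digest = self.class.digest(password, @salt)
    @failed_login_count = 0
    @failed_at = nil
  end

  # Stand-in hash so the example runs offline; in the app Authlogic's own
  # crypto provider does the real password hashing.
  def self.digest(password, salt)
    Digest::SHA256.hexdigest("#{salt}:#{password}")
  end

  def valid_password?(password)
    self.class.digest(password, @salt) == @digest
  end
end

# Per-account throttle: the CAPTCHA gate the answer suggests adding in the
# controller, sitting in front of the account lock the module provides.
class LoginGuard
  CAPTCHA_AFTER = 3            # show (and require) a CAPTCHA from the 3rd failure on
  LOCK_AFTER    = 10           # mirrors `consecutive_failed_logins_limit 10`
  BAN_SECONDS   = 2 * 60 * 60  # assumed lock duration for this example

  def initialize(users)
    @users = users.each_with_object({}) { |u, h| h[u.login] = u }
  end

  # The controller asks this before rendering the form, to decide whether to
  # include the CAPTCHA widget. Unknown logins get the same answer as fresh
  # accounts so the form does not reveal which logins exist.
  def captcha_required?(login)
    user = @users[login]
    !user.nil? && user.failed_login_count >= CAPTCHA_AFTER
  end

  # One POST of the login form. Returns :success, :invalid, :captcha_required
  # or :locked; the controller maps these to a redirect or a re-rendered form.
  def attempt(login, password, now: Time.now, captcha_passed: false)
    user = @users[login]
    return :invalid if user.nil?   # same result as a wrong password: no user-enumeration oracle

    if user.failed_login_count >= LOCK_AFTER
      return :locked if now - user.failed_at < BAN_SECONDS
      user.failed_login_count = 0  # lock expired: the counter starts over
    end

    # A submission without a solved CAPTCHA is itself a failed attempt, so a
    # bot that ignores the CAPTCHA still runs into the account lock.
    if captcha_required?(login) && !captcha_passed
      record_failure(user, now)
      return :captcha_required
    end

    if user.valid_password?(password)
      user.failed_login_count = 0
      user.failed_at = nil
      :success
    else
      record_failure(user, now)
      :invalid
    end
  end

  private

  def record_failure(user, now)
    user.failed_login_count += 1
    user.failed_at = now
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = LoginGuard.new([User.new("alice", "correct horse")])
  t0 = Time.at(1_700_000_000)
  3.times { guard.attempt("alice", "wrong", now: t0) }
  puts guard.captcha_required?("alice")                                       # true
  puts guard.attempt("alice", "correct horse", now: t0)                       # captcha_required
  puts guard.attempt("alice", "correct horse", now: t0, captcha_passed: true) # success
end
```

The order of the checks is the point worth copying: the lock is tested first, then the CAPTCHA, and only then the password, so an attacker who has pushed an account past the CAPTCHA threshold never gets a password verdict without solving a CAPTCHA, and one who ignores the CAPTCHA still reaches the lock.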