Home Access Plus+ Thread, Limiting Login Attempts in Projects
  1. #1

    Limiting Login Attempts

    Hello, I've browsed the posts but can't find this mentioned.

    We recently had a brute force attack on our HAP server so I have been asked to limit login attempts. Our firewall is supposed to detect DOS attacks but didn't see this as a problem (probably because of the HTTPS bypass rule I had to use), so I was wondering if there is any code built in or that could be added to enable a 3 try minimum followed by a 10/20 min cooldown.

    Any ideas?

    Rick.

  2. #2
    nickbro
    I can look into it for you

  3. #3
    nickbro
    Give this DLL a try

  4. #4
    mattgrimley
    Sounds like a really good idea

    Can we also log failed login attempts - with the username tried and IP address? I have a couple of people who have issues getting past the login page. I know it's user error, but it'd be handy to have access to some proof that they have even tried!

    From a security perspective, I'd be keen to see if kids are trying out staff logins!

  5. #5
    nickbro
    This DLL now logs after 4 failed attempts so you can see persistent failures (in the Web Tracker; Event Viewer has slightly less info)

  6. #6
    mattgrimley
    Wow, thanks for this @nickbro

    However, I am getting an error on loading the login page:

    The url is beta/login.aspx?ReturnUrl=%2fbeta

    Code:
    Server Error in '/beta' Application.
    
    Sequence contains no matching element
    
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
    
    Exception Details: System.InvalidOperationException: Sequence contains no matching element
    
    Source Error: 
    
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
    
    Stack Trace: 
    
    (InvalidOperationException: Sequence contains no matching element)
       System.Linq.Enumerable.Single(IEnumerable`1 source, Func`2 predicate) +4472766
       HAP.Web.Login.Page_Load(Object sender, EventArgs e) in n:\Visual Studio 2010\Projects\CHS Extranet\HAP.Web\Login.aspx.cs:23
       System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
       System.Web.UI.Control.LoadRecursive() +71
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3064

    Matt

  7. #7
    nickbro
    Ok try this one

  8. #8

    Brilliant, thanks Nick.

    Erm, this for version 8? I'm still on 7.
    Last edited by Mr_Jolly; 14th December 2012 at 12:05 PM.

  9. #9
    mattgrimley
    Really really nice - Such an important addition - thanks @Mr_Jolly for the suggestion and thanks @nickbro for the speedy addition!!
    It works a treat!

    4th failed login generates the ban event and hides the login button for that browser session (though a different browser from the same machine seems to work).

    14 December 2012 12:02 Logon.Banned 172.16.109.163 FakeUsername Chrome 23.0 WinNT Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11

  10. #10
    mattgrimley
    Quote: Originally Posted by Mr_Jolly
        Brilliant, thanks Nick.

        Erm, this for version 8 ? I'm still on 7.

    Definitely time to upgrade!! You are missing out on so much!

  11. #11
    nickbro
    Would you want it on a per-machine basis or per user agent on that IP? Just in case you have clients behind a NAT firewall.

  12. #12
    mattgrimley's Avatar
    Join Date
    Jun 2011
    Location
    Bedfordshire
    Posts
    316
    Thank Post
    35
    Thanked 21 Times in 19 Posts
    Blog Entries
    1
    Rep Power
    10
    Valid point. It must be a solution that fits all, and locking out everyone on a secure BYOD wifi because of one user might not be a clever direction to go!
    If I'm honest, I'm happy with it as is now - it's a big security step and a great place to start - others will have different ideas/opinions!
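
One way to hold the lockout state on the server instead of in the browser session, so that switching browser (post #9) does not reset the count and one user does not lock out a whole NAT address (posts #11 and #12). This is an added example, not HAP's code: the class, the IP-plus-username key and the 4-failure / 10-minute values are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example, not HAP's code: class, key format and thresholds are assumptions.
public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTime First; public DateTime? BannedUntil; }
    private readonly Dictionary<string, Entry> _entries = new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxFailures;
    private readonly TimeSpan _window, _cooldown;
    public LoginThrottle(int max, TimeSpan window, TimeSpan cooldown) { _maxFailures = max; _window = window; _cooldown = cooldown; }

    // Key on IP + attempted username, held server-side: the browser session plays
    // no part, and other users behind the same NAT address are not locked out.
    public static string Key(string ip, string user) { return ip + "|" + user.Trim(); }

    public bool IsBanned(string key, DateTime now)
    {
        Entry e;
        lock (_entries) return _entries.TryGetValue(key, out e) && e.BannedUntil.HasValue && now < e.BannedUntil.Value;
    }

    // Returns true only for the failure that triggers the ban, so it is logged once.
    public bool RecordFailure(string key, DateTime now)
    {
        lock (_entries)
        {
            if (IsBanned(key, now)) return false;               // still cooling down
            Entry e;
            if (!_entries.TryGetValue(key, out e) || e.BannedUntil.HasValue || now - e.First > _window)
                _entries[key] = e = new Entry { First = now };  // start a fresh window
            if (++e.Failures < _maxFailures) return false;
            e.BannedUntil = now + _cooldown;
            return true;
        }
    }
    public void RecordSuccess(string key) { lock (_entries) _entries.Remove(key); }

    public static void Main()
    {
        var t = new LoginThrottle(4, TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(10));
        var now = new DateTime(2012, 12, 14, 12, 0, 0);
        string k = Key("172.16.109.163", "FakeUsername");       // constructed input
        for (int i = 1; i <= 4; i++)
            Console.WriteLine("failure {0} triggers ban: {1}", i, t.RecordFailure(k, now.AddSeconds(10 * i)));
        Console.WriteLine("banned at +5 min: {0}", t.IsBanned(k, now.AddMinutes(5)));
        Console.WriteLine("other user, same IP: {0}", t.IsBanned(Key("172.16.109.163", "OtherUser"), now));
        Console.WriteLine("banned at +11 min: {0}", t.IsBanned(k, now.AddMinutes(11)));
    }
}
```

Keying on IP plus username does not slow a single address that tries many different usernames, so a second, higher per-IP limit is a sensible companion. Entries that are never cleared by a successful login also need periodic pruning.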

  13. #13

    Hehe, I know. I'll wait until Monday now though I think, nothing like breaking access to school files for the weekend

  14. #14

    Great feature. Love it.
