Printable View
Hello , I've browsed the posts but can't find this mentioned.
We recently had a brute force attack on our hap server so I have been asked to limit login attempts. Our firewall is supposed to detect DOS attacks but didn't see this as a problem ( probably because of the HTTPS bypass rule I had to use ) so i was wondering if there is any code built in or that could be added to enable a 3 try minimum followed by a 10/20 min cooldown.
Any ideas ?
Rick.
I can look into it for you
Give this DLL a try
Sounds like a really good idea :)
Can we also log failed login attempts - with the username tried and IP address? I have a couple of people who have issues getting past the login page.. i know it's user error, but it'd be handy to have access to some proof that they have even tried!
From a security perspective, I'd be keen to see if kids are trying out staff logins!
This dll now logs after 4 failed attempts so you can see persistent failures (in the Web Tracker, Event Viewer is slightly less info)
Wow, thanks for this @nickbro
However, i am getting a error on loading the login page:
The url is beta/login.aspx?ReturnUrl=%2fbeta
MattCode:Server Error in '/beta' Application.
Sequence contains no matching element
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: Sequence contains no matching element
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
(InvalidOperationException: Sequence contains no matching element)
System.Linq.Enumerable.Single(IEnumerable`1 source, Func`2 predicate) +4472766
HAP.Web.Login.Page_Load(Object sender, EventArgs e) in n:\Visual Studio 2010\Projects\CHS Extranet\HAP.Web\Login.aspx.cs:23
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.UI.Control.LoadRecursive() +71
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3064
Ok try this one
Brilliant, thanks Nick.
Erm, this for version 8 ? I'm still on 7.
Really really nice :) - Such an important addition - thanks @Mr_Jolly for the suggestion and thanks @nickbro for the speedy addition!! :)
It works a treat!
4th failed login generates the ban event and hides the login button for that Browser session (though a different browser from the same machine seems to work).
:):):)Quote:
14 December 2012 12:02 Logon.Banned 172.16.109.163 FakeUsername Chrome 23.0 WinNT Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
Definately time to ugprade!! You are missing out on so much! :)Quote:
Originally Posted by Mr_Jolly
Would you want it on a per machine basis or per user agent on that ip. Just in case you have clients behind an NAT firewall.
Valid point.. It must be a solution that fits all.. and locking out everyone on a secure BYOD wifi might because of one user might not be a clever direction to go! :)
If i'm honest, i'm happy with it as is now - it's a big security step and a great place to start - others will have different ideas/opinions! :)
Hehe, I know. I'll wait until Monday now though I think, nothing like breaking access to school files for the weekend :)
Great feature. Love it.