Bruteforce protection


Guest cem

It would be great if there was some kind of bruteforce protection in Invision Power Board.
I recently changed one of my websites to vBulletin due to the fact that my forum was getting lots of bruteforce attacks - and member accounts were being hijacked this way - at first I didn't know how they did it until I was told the page http://www.mysite.com/forum/index.php?act=Login&CODE=01 is highly vulnerable to bruteforce attacks. And my server logs prove it.

Invision Power Board needs a function like vBulletin has, that bans the IP address after X wrong password attempts.

Thank you in advance!

Regards,

Cem

The mod by Dean? It disables the member's account (for X minutes) - but does not ban the IP address - which is kinda retarded (pardon my language) - because any user could just disable someone's account by intentionally entering the wrong password.

> The mod by Dean? It disables the member's account (for X minutes) - but does not ban the IP address - which is kinda retarded (pardon my language) - because any user could just disable someone's account by intentionally entering the wrong password.

Banning the IP of a widely used proxy is not a good thing either.

> Banning the IP of a widely used proxy is not a good thing either.

HAHAHA. I really laughed hard when I saw your reply and I'm still laughing my bottom off.. Are you really that dumb?... I don't want to insult you BUT come on... Think about what you just replied!!! The IP is going to be banned for X minutes (let's say 30 minutes) to stop the bruteforce attacks (exactly like vBulletin and other BB software do), so why would banning a widely used proxy be a problem now....... ?

a) Why would a guest/member use a proxy in the first place? Anonymity? Anonymity from what? From you.. the admin? What does he have to hide from you??

Ok, let's say for some very ODD reason several members on the forum use the "widely used proxy", which will be a one in a million chance..........

b) This guest does not get banned for NOTHING heh! He/she will be banned for X minutes after he has made X wrong password attempts...

Conclusion... It will be obvious that this account does not belong to the person - and if the person has really forgotten his password he could use the "forgot password" function - and even if this person does use up all of his X attempts he can just wait X minutes (let's say 30 minutes) and try again... This is just to stop people using bruteforce tools (e.g. accessdiver/form@/c-force etc. etc.)...

capisce, kid? Next time please think before you reply to my thread.

One main reason for the usage of proxies is that some countries can't access all sites. I understand where you're going with this though; I've seen it on vB and I do believe IPB should add this feature.

BTW you should take it a bit easier on people here :).

EDIT: A couple more reasons for using proxies:
Reduce latency
Reduce traffic

> No, the mod by someotherguy

Where could I find this mod, if you don't mind me asking?

Thank you in advance.

PS: I still think it should be implemented in IPB - Invision already is a very insecure BB (e.g. MD5 hash storage = sh*t compared to vBulletin's...) - I think this would at least stop the bruteforcers..

Thanks a lot .Kris :)

I know the reasons for using proxies. Thanks for pointing them out though.. however proxies are also used by bruteforcers (e.g. crackers); that's why I would prefer to ban proxies rather than risk losing member accounts and having a huge load on my server due to the attacks.

In my opinion.. people who are really desperate to use proxies should kill themselves.. or changing ISP might do too...

But yet again.. it's not like the proxy is going to be banned forever > let me give you an example:

Mr. Cracker has 100 proxies and attacks the forum with password attempts > right now IPB doesn't do anything against them and just lets them go ahead > so IPB just treats them as normal guests trying to log in to the forum, which causes a huge load on the server due to the MySQL queries used, & members using easy passwords (e.g. 1234) will be successfully cracked and used by Mr. Cracker to spam websites or such.

Now let's say IPB would ban the IP address for 30 minutes after 5 wrong password attempts. So Mr. Cracker loads up his wordlist and proxies again, but after 5 wrong password attempts the proxies are banned from the server, so after a couple of minutes his bruteforce attack won't cause any harm because all of his ammo (i.e. proxies) is banned from the server.... after 30 minutes Mr. Cracker can come back of course and do the same routine over... but it will take him shitloads of time, which will just make him stop eventually (if he decides to go on he'll be finished next Christmas...)

I'm sure you understand what I mean :)

Btw, let me add this.. I'm not here to bash Invision.. not at all - I'm still using Invision Power Board, because I think no forum can be compared to its simple-to-use Admin CP and functions... However I think security should also be a priority, which is what I am trying to point out.. I'm just a customer giving suggestions to improve the software!

It looks like many people have no idea of bruteforce.
Go to securibox or any other and learn something. It's not that hard if you have some time.
And there is an image verification login mod also. It's a Chinese site though.
Search for yourself. Can't link there because China is a warez-allowed country.

> It looks like many people have no idea of bruteforce.
> Go to securibox or any other and learn something. It's not that hard if you have some time.
> And there is an image verification login mod also. It's a Chinese site though.
> Search for yourself. Can't link there because China is a warez-allowed country.

What's the point of this reply? You really think I don't know what I am talking about...
Also the point of this thread is to include a security system in IPB against bruteforcers - so please stay out of my topics next time; if you want to reply gibberish, do that somewhere else.

THANKS!

FWIW cem, sometimes proxies are used for perfectly valid, non-destructive reasons. Yes, the vast majority of people who are behind 'widely used' proxies have a destructive intent, but there is a low risk of banning innocents. It's a 'choose your poison' sort of thing. If you're getting hit a lot from Proxy ABC, then yeah, you have few choices. Take your risks as you see 'em :)


I think the idea of image verification would solve all problems... assuming the bruteforce program can't defeat the image verification... in which case you're back to square one.

Let's turn this into a more productive suggestion... Require image verification (such as you do when you register) but it would be off by default. In the security settings, the admin could enable image verification on logon. Original poster, would that help?


> HAHAHA. I really laughed hard when I saw your reply and I'm still laughing my bottom off.. Are you really that dumb?... I don't want to insult you BUT come on... Think about what you just replied!!! The IP is going to be banned for X minutes (let's say 30 minutes) to stop the bruteforce attacks (exactly like vBulletin and other BB software do), so why would banning a widely used proxy be a problem now....... ?
>
> a) Why would a guest/member use a proxy in the first place? Anonymity? Anonymity from what? From you.. the admin? What does he have to hide from you??
>
> Ok, let's say for some very ODD reason several members on the forum use the "widely used proxy", which will be a one in a million chance..........
>
> b) This guest does not get banned for NOTHING heh! He/she will be banned for X minutes after he has made X wrong password attempts...
>
> Conclusion... It will be obvious that this account does not belong to the person - and if the person has really forgotten his password he could use the "forgot password" function - and even if this person does use up all of his X attempts he can just wait X minutes (let's say 30 minutes) and try again... This is just to stop people using bruteforce tools (e.g. accessdiver/form@/c-force etc. etc.)...
>
> capisce, kid? Next time please think before you reply to my thread.

LoL.
They don't use proxies to hide, they use proxies because their ISP says so.
On my board there are hundreds of users using the same proxy IP; there are also users using the same IP address because of NAT. I have a mod that bans IP addresses from logging in for 20 minutes after five failed attempts and still I get angry emails once in a while: "Why can't I login now!"
It's true that proxies are bad, but there is very little to do when the three largest ISPs here advise people to use them. It's not hard to guess what people do when they want to fool around in forums: they use proxies. Can't ban the IP they are using, so they will be back with a new account in a few days. I'm trying to create a "ban cookie" that would be set on a banned computer and would not let you post.

Question: what makes you think that IPB's password management system is so insecure? Have you looked at the code at all? :)

First, a random salt consisting of random special characters is md5'd.
The password a user specifies is md5'd.
Then the two are md5'd together.

Even if a user used 1234 as his password, a brute force program can't know that simply due to the salt.

The databases out there that store md5 hashes of passwords post that they can't take into account salts.

The ONLY possibility is that by some chance the database happens to have stored an md5 hash that (randomly) matches the user's hash.

I agree that if you are getting brute-force attacked often, this is likely something that you should be looking into outside of the software run on your site.

I have posed challenges before to crack the password of a test account I have set up. If anyone wants to take me up on the challenge, I will give you the valid md5 password hash of this account (and the URL of the site it is set up on). I would want you to
1) Get logged into the account (it's not an admin acct ;) )
and
2) Send me a PM with your username once logged in to show that you managed to log in under that acct.

Until that time, I still maintain that you can't hack in using someone's password due to insecure password storage.

Back to the banning of IP addresses based on failed login attempts: it's a feature to consider, though probably not widely needed. It would be better to lock the account really. Think about what happens at a bank website if you submit too many invalid passwords, etc. A cracker could just switch to another proxy, but if you lock the acct, they have to switch to another acct and start all over again. Any implementation of this could cause inconvenience, but that would be up to the admin to determine whether the cost outweighs the benefit.

bfarber, I think you are missing the point.. This has nothing to do with how the password is stored in the database. The problem is that it's very hard to make users choose secure passwords, and IPB by default allows users to choose passwords as short as 3 characters!! Programs like accessdiver (http://www.accessdiver.com/) allow a hacker to run through a 200,000-word wordlist in under an hour.. and IPB has absolutely no type of protection against this..

What you are missing, however, is that the password (even a 3 character password) isn't just md5'd and then stored in the database.

A random salt is ADDED to their 3 character password (which is md5'd) and then the two are md5'd together.

A password cracker (such as accessdiver) CAN NOT take this into acct. It's just impossible. Have you even tried it? I mean, for example, add a user to your site with a VERY simple password (in IPB 2.0 and above) and then use that program to get the password?

It will look for md5( 'abc' ). Problem is, if that user's password was abc, their hash would consist of something more like md5( md5( '~!@\^$' ) . md5( 'abc' ) )

Those password crackers CAN NOT take that into account. Many even state they can't take capital and lowercase letters at the same time into acct.

Take this site into acct: http://passcracking.com/
Here is what they say:

> At the moment we can crack md5 hashes in this character range: a-z;0-9 [8] which means we can break almost all hashes (99.56%) which are created from lowercase plaintext with letters and/or digits up to length of 8 characters.

As you can see, the hashes IPB uses for passwords do not fall into that realm, and cannot be cracked by the brute force attempts. The only possibility is for those systems to somehow get a hash for another password that matches the one in the db. It would actually be a different password; however, different words can in theory come out to the same hash (since md5's are 32 characters, eventually in theory some different character combos would equate to the same hashes). That would be pure chance, and absolutely impossible to account for.

Management

Whilst it's true that IPB stores the MD5 hashes with a salt, the possibility of a brute force attack still remains.

The DB stores the password as md5( md5( password ) . salt )

During log in, the member is loaded from converge and the salt loaded. The log in then checks for: md5( md5( $entered_password ) . $salt_from_db )

A brute force application can run through a list and effectively pass $entered_password through to the log in module.
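The scheme described in the two posts above, as an added Python example that is not IPB's own code: it stores md5( md5( password ) . salt ) exactly as the Management post gives it, verifies a login the way the login module does (recompute with the member's salt and compare), and shows both halves of the argument in the thread: an unsalted md5 lookup table cannot match the stored hash, but a list of guesses submitted through the login form is verified one by one regardless of the salt, which is what a lockout or throttle has to address. The salt alphabet and length, the sample password and the word list are constructed for the example.

```python
import hashlib
import secrets
import string
from typing import Iterable, Optional


def md5_hex(text: str) -> str:
    """Hex digest of md5(text), the primitive the thread's formulas are built from."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_salt(length: int = 5) -> str:
    """A short random salt of printable characters (alphabet and length are assumptions)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_password(password: str, salt: str) -> str:
    """What goes into the DB: md5( md5( password ) . salt ), as the Management post states."""
    return md5_hex(md5_hex(password) + salt)


def verify_login(entered_password: str, stored_hash: str, salt: str) -> bool:
    """What the login module does: recompute with the salt loaded for that member and compare."""
    candidate = md5_hex(md5_hex(entered_password) + salt)
    return secrets.compare_digest(candidate, stored_hash)


def unsalted_table_lookup(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a plain md5 lookup table can do: it only knows md5(word), so the salt defeats it."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(stored_hash)


def login_attempts_until_match(stored_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[int]:
    """How many login-form submissions a word list needs before verify_login succeeds.

    The salt does not change this number: the login module applies it for every guess.
    This is the online path that an IP/account lockout is meant to slow down.
    """
    for attempt, word in enumerate(wordlist, start=1):
        if verify_login(word, stored_hash, salt):
            return attempt
    return None


if __name__ == "__main__":
    salt = "~!@^$"                                   # constructed, fixed so the run is reproducible
    words = ["password", "letmein", "1234", "abc"]   # constructed word list
    stored = store_password("1234", salt)            # weak password the thread uses as its example
    print("stored hash:", stored)
    print("unsalted table finds:", unsalted_table_lookup(stored, words))
    print("login attempts until match:", login_attempts_until_match(stored, salt, words))
```

The point of keeping `unsalted_table_lookup` and `login_attempts_until_match` side by side is that they answer two different questions: the salt protects a leaked hash against precomputed tables, while the count of online attempts is bounded only by how many submissions the login form accepts from one IP or against one account. MD5 is also a fast hash, so a leaked salted hash still falls to offline guessing much faster than it would with a deliberately slow password hash; that is a separate weakness from the one this thread is about.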

How about a combo approach?

After X failed attempts, present an image verification code in the login panel for the next N minutes/days for the IP that requested login with the bad password.

In this case, the people using the same IP (proxy or intranet) might start seeing the image verification code even the first time they see the login form sometimes, but if it is a real person typing info into the form, entering the verification code wouldn't be too much of a hassle.

You could even add a third login level that would optionally suspend logins from the IP if X consecutive failures occurred while the verification code is enabled.

Archived

This topic is now archived and is closed to further replies.