[Catalyst] Rate limiting password attacks
Bill Moseley
moseley at hank.org
Fri Aug 17 19:09:14 GMT 2007
On Fri, Aug 17, 2007 at 11:49:42AM -0400, Perrin Harkins wrote:
> On 8/17/07, Carl Johnstone <catalyst at fadetoblack.me.uk> wrote:
> > You'll almost certainly have to log it per-IP address rather than a
> > cookie or session or anything like that. Any real password-cracking bot is
> > unlikely to honour your cookies or session identifiers.
>
> Last time I needed to do this we had a fallback to IP if no valid
> cookie was found so that it couldn't be evaded by simply refusing all
> cookies. There are workarounds for this workaround though, so it is
> an ongoing battle. AOL proxies were the main reason for doing this.
I missed something along the way in this thread. Cookies? Is that to
block a specific client?
I'm just thinking of blocking specific logins when too many failed
logins are attempted. Even in cases where the login is not a valid
login in the application. Could be implemented somewhat transparently
by overriding login().
By the way, any examples with the "new" C::P::Cache to pass expires on a
cache set? Also look forward to the appearance of
Catalyst::Plugin::Cache::ControllerNamespacing. Or something to
partition the cache. I want the sessions and failed login cache to be
separate. Is August and not seeing nothingmuch around related?
What's the status of the Cache plugin(s) wrt. backends?
I want to be able to swap between FastMmap and Memcached via a config
option.
--
Bill Moseley
moseley at hank.org
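Added example (mine, not code from this thread or from Catalyst itself) of the per-login failed-attempt counter the message sketches: a wrapper in the spirit of an overridden login() that refuses a locked login before checking the password, counts failures for logins that do not exist in the application too, stores the counter with an expiry, and keeps it under its own key prefix so throttle entries and session entries can share one backend without colliding. It is plain Perl with a constructed in-memory cache standing in for whatever FastMmap or Memcached backend sits behind $c->cache, so it runs without the framework; the cache's `expires` option, the `failed_login` prefix, the lowercasing of the login name and the `$verify` callback are all assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# DemoCache: constructed stand-in for a cache backend with TTL support.
# Only get/set/remove and an 'expires' option (an assumption) are used, so
# the throttle below does not care which real backend is configured.
package DemoCache;

sub new { return bless { store => {}, now => 0 }, shift }

sub set {
    my ($self, $key, $value, %opt) = @_;
    my $ttl = $opt{expires};
    $self->{store}{$key} = {
        value      => $value,
        expires_at => defined $ttl ? $self->{now} + $ttl : undef,
    };
    return 1;
}

sub get {
    my ($self, $key) = @_;
    my $entry = $self->{store}{$key} or return undef;
    if (defined $entry->{expires_at} && $entry->{expires_at} <= $self->{now}) {
        delete $self->{store}{$key};    # expired: behave as a cache miss
        return undef;
    }
    return $entry->{value};
}

sub remove { my ($self, $key) = @_; delete $self->{store}{$key}; return 1 }

# Demo-only clock so the expiry path can be shown without sleeping.
sub advance { my ($self, $secs) = @_; $self->{now} += $secs; return $self->{now} }

# LoginThrottle: per-login failed-attempt counter on top of the cache.
package LoginThrottle;

sub new {
    my ($class, %args) = @_;
    return bless {
        cache        => $args{cache},
        namespace    => $args{namespace}    || 'failed_login',
        max_failures => $args{max_failures} || 5,
        window       => $args{window}       || 900,    # seconds
    }, $class;
}

# Key prefix partitions the cache: throttle entries never collide with
# session entries even when both live in the same backend.
sub _key { my ($self, $login) = @_; return join ':', $self->{namespace}, lc $login }

sub failures {
    my ($self, $login) = @_;
    my $n = $self->{cache}->get($self->_key($login));
    return defined $n ? $n : 0;
}

sub is_locked { my ($self, $login) = @_; return $self->failures($login) >= $self->{max_failures} }

sub record_failure {
    my ($self, $login) = @_;
    my $n = $self->failures($login) + 1;
    # Setting on every failure renews the TTL, so the lockout lasts
    # $window seconds after the *last* failed attempt, not the first.
    $self->{cache}->set($self->_key($login), $n, expires => $self->{window});
    return $n;
}

sub clear { my ($self, $login) = @_; $self->{cache}->remove($self->_key($login)); return 1 }

# Wrapper in the spirit of an overridden login(): $verify is whatever the
# application already uses to check credentials. A locked login is refused
# before any password check, and unknown logins are counted like real ones,
# so the response does not reveal whether the account exists.
sub login {
    my ($self, $login, $password, $verify) = @_;
    return 0 if $self->is_locked($login);
    if ($verify->($login, $password)) {
        $self->clear($login);
        return 1;
    }
    $self->record_failure($login);
    return 0;
}

package main;

my $cache    = DemoCache->new;
my $throttle = LoginThrottle->new(cache => $cache, namespace => 'failed_login',
                                  max_failures => 3, window => 600);

# Constructed credential store and verify callback for the demo.
my %users  = (alice => 'correct horse');
my $verify = sub { my ($u, $p) = @_; return exists $users{$u} && $users{$u} eq $p };

# A session entry sharing the backend under its own prefix.
$cache->set('session:abc123', { user => 'alice' }, expires => 3600);

for my $i (1 .. 3) {
    my $ok = $throttle->login('alice', 'wrong', $verify);
    printf "attempt %d with bad password: %s (failures=%d)\n",
        $i, $ok ? 'ok' : 'denied', $throttle->failures('alice');
}
printf "alice locked: %s\n", $throttle->is_locked('alice') ? 'yes' : 'no';
printf "correct password while locked: %s\n",
    $throttle->login('alice', 'correct horse', $verify) ? 'ok' : 'denied';
$throttle->login('mallory', 'x', $verify);
printf "unknown login counted too: mallory failures=%d\n", $throttle->failures('mallory');
printf "session entry untouched: %s\n", $cache->get('session:abc123') ? 'yes' : 'no';

$cache->advance(601);    # window elapsed with no further failures
printf "after window, correct password: %s\n",
    $throttle->login('alice', 'correct horse', $verify) ? 'ok' : 'denied';
```

Two caveats a deployment would need on top of this: a per-login lockout lets an attacker who knows a username lock the real user out, which is why the thread pairs it with a per-IP limit rather than relying on either alone; and get-then-set is not atomic across worker processes, so on a shared backend such as Memcached the counter should use the backend's native increment instead of read-modify-write.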