this post was submitted on 13 Mar 2024

1018 points (96.9% liked)

Memes

45189 readers

1396 users here now

Rules:

Be civil and nice.
Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago

MODERATORS

[email protected]

1018

Brute force protection (rytter.me)

submitted 6 months ago by [email protected] to c/[email protected]

111 comments fedilink hide all child comments

Brute force protection

@memes

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 0 points 6 months ago

Best idea ever!!!

[–] [email protected] 15 points 6 months ago

Fine I'll just change my password to what I thought it should be.

*New password cannot match old password

[–] [email protected] 4 points 6 months ago

Add a randomizer with 50/50 succeeding for this error

[–] [email protected] 14 points 6 months ago (3 children)

I remember in college editing OpenSSH source code to instead of return wrong password to a root shell prompt just to stop brute force attacks

[–] [email protected] 1 points 5 months ago (1 children)

@Pacmanlives
Couldn't you just disable root login in the sshd config?

[–] [email protected] 2 points 5 months ago (1 children)

Oh all of my configs are deny root ssh login or without-password. I noticed a significant decrease in scans when returning a root prompt when I did that. This was also in the mid 2000s so who knows how things would be in this day in age for a reduction in scans

[–] [email protected] 2 points 5 months ago (1 children)

@Pacmanlives
So it was a fake root prompt which tricked the bots into believing that they logged in successfully but in reality the prompt could do nothing on the system?

[–] [email protected] 1 points 5 months ago

Correct

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago)

But... arent they logged in as root then? Wdym with "prompt" i am lost

[–] [email protected] 5 points 6 months ago

A honeypot!

[–] [email protected] 9 points 6 months ago (4 children)

Not to be pedantic but wouldn't it be IsFirstLoginWithAttemptedPassword or am I missing something?

[–] [email protected] 1 points 6 months ago

You're right, and nothing wrong with being pedantic when working with code :)

[–] [email protected] 5 points 6 months ago

No, it's correct - say your password gets leaked across thousands of passwords. A hacker will try to crack all of them with a program that guesses them once, which as the image suggests defeats these types of programs

[–] [email protected] 1 points 6 months ago

@cobra89
Yeah I agree.

[–] [email protected] 7 points 6 months ago (1 children)

no, since it first checks if the password is correct. if it is, display error message. if it is corrent and the second time, accept the password (code not in screenshot) but if the password is wrong, it doesnt check if it is the first attempt.

[–] [email protected] 1 points 6 months ago (2 children)

How does that stop a brute force attack? As written, it only stops the single luckiest brute force attack that happens to get the password right on their first try.

[–] [email protected] 1 points 6 months ago

It wouldn't stop most brute force attacks, which are not performed on the live web service, but rather on a password hasb list that was stolen via some other means.

[–] [email protected] 3 points 6 months ago

You can't really prevent a brute force attack. Even if you prevent it from one IP or so, you can still do "distributed" brute force attacks.

Also only allowing one password per 5 seconds or so per IP will not work if you have lots of users and they are at work and have the same IP.

load more comments