Authentification & traffic management guru

[eluser]sikkle[/eluser]
I'm wondering if someone got some way maybe i didn't know already include in example with Ci, FreackAuth or Db_session.

Some people got some way to start managing BANNED ip user from your website ?

Some people got some way to start managing not more then 20 actions in one minute from a user ?

Some people got some way to handle maximum try to login way ?


This is general but i'm windering if i miss something BIG and just receive a link to go read or if it's more and need to have a though about it.

thanks.

[eluser]Michael Wales[/eluser]

Some people got some way to start managing BANNED ip user from your website ?

Make a table called banned with 1 field - ip. Add a pre_controller hook to check this database for banned IPs - if so, redirect them to a your are banned page.

Some people got some way to start managing not more then 20 actions in one minute from a user ?

Not sure why you would limit the user this way, but I'd make an action table with a Unix timestamp of the last action, the user ID of the user, and maybe what the action was. Then make a pre_controller hook to query this database for the number of rows for user_id within the past 60 seconds. If num_rows() > 20 - be retarded and don't let them do anything.

Some people got some way to handle maximum try to login way ?

Once again, make a login attempts tables - store the unix timestamp, the IP address, possibly the username/password combination they were attempting. Query this table when someone tries to login for a number of missed attempts within a certain timeframe. Once again - probably not a good idea, because the first thing I would do (as an evil user) is write a script to attempt to login as 'admin' as fast as possible and ban the administrator.

[eluser]sikkle[/eluser]
A)

Great, i love the basic idea of banned field in the hook, i'll read about it.
this would be pretty simple if i understand well the hook.


B)

You get a point with the limit user action, it's more like to control abuse of registered user, but i think i have to get a better solution for this.

C)

Humm, So indeed it's not an options, what is your though about this ? good solution exist ? you can't avoid this ? we lost the war ?

[eluser]Michael Wales[/eluser]
C) I wouldn't worry about - who really cares how many incorrect attempts there are?

The only time you should be concerned with this if you are storing sensitive data within your system, maybe if you were developing an application for a business. Then you would provide an administrative section for help desk personnel at that business to unlock user's accounts. Upon locking, they would receive an error message telling them to call their IT department to be unlocked.

Because I'm pretty involved in the Silicon Valley scene, and I see a lot of startups focus on this sort of stuff way to much and end up crashing and burning regardless I'll offer this advice:

Don't sweat the small stuff. Things like this don't matter - you are focusing on meaningless items when the big picture should be your application as a whole and what it tries to accomplish. Don't worry about scaling, or controlling user abuse to much, 95% of the web applications that are developed never see more than a couple thousand users and will die out within 6-8 months.

Focus on your application - get it completed. Focus on scaling and user control when those times come, if they come.

[eluser]sikkle[/eluser]
humm maybe i wasnt right, but ok in fact, i'm not sure at all about this point.

I've got three dedicated server. Last year, during 3 day, i open up the sshd without crypted key, maybe this was stupid i accept this

Three day, what i receive ? 1500 attemps to log as root, user, try some username related to website hosted there.

Don't you think maybe it's better to use strategy like, to much attemps in too many time, just ban the ip ?

I already have enough user in bank to take care of this.

Maybe someone else get other vision of several login attemps cracking ?

[eluser]Michael Wales[/eluser]
Okay, I was unaware you were working on an already established project (I got the impression you were creating something new).

I think looking for abuse from a specific IP address and then banning that IP is a reasonable solution to the problem, as long as you provide a means to contact you for reactivation - in case it was a legitimate user.

Most of the time it's bots that are attempting this abuse, so you could probably enable some form of Captcha on the login screen - or setup some automatic unbanned via a Captcha-type form.

[eluser]sikkle[/eluser]
So maybe just a little libs, check banned user. that it that all, a view page to show the process to ask to get unbanned.

not bad.

many thanks.