sfAntiBruteForcePlugin project

By Grégoire Marchal - 12/11/2010

Lately, I've created a small web application to play with the Twitter API. My application is secured by a classic login/password: basic. I quickly wanted to add security to it, especially against brute force attacks. This kind of attack consists in trying a lot of login/password combinations on a form to find a valid one (more info). I searched for more information about this topic and hoped to find a symfony plugin. Result: no plugin, but a lot of interesting information that encouraged me to start developing the plugin I wanted! So I will summarize that information here, as some kind of collaborative specification for my plugin, and I hope you'll help me!

Most of the information I've collected comes from this French (sorry...) tutorial: un anti brute-force léger et rapide.

The principle: prevent a user, and even more a bot, from trying a huge number of login/password combinations on a given authentication page. Therefore, we have to count users' failed attempts and forbid them from trying again once a given threshold is reached. Here are the things to specify.

What to use to identify attempts?

The client IP? Bad idea: this data is not reliable. Most attackers will know how to change it and will be able to make an unlimited number of attempts.

PHP sessions? No, just erase the cookies and you're done...

The login used for authentication? Well, it's not an ideal solution, but it's the best I've found so far. The main drawback is that anyone who knows your login can lock your account...

If you have other ideas, let me know!

How to store the attempts counts?

In a database? It seems to be the most natural solution. But some projects don't use a database (and that's my case here!). I think it would be too intrusive to require a database and an ORM just for that.

In files? That's the approach the tutorial above has chosen. Regarding speed and load, I don't know which way is best. But this solution is less intrusive, since it will work with any symfony project (I think).

If you have other ideas...

Where to proceed in symfony code?

At first, I thought I would create a filter to control access upstream. But the problem is, if I use the login to identify attempts, I need it in order to increment its counter. I also need to know whether the attempt succeeded or not. So I need to be in the controller to do that, in the action that manages the authentication process. So the developer will add this kind of call when an attempt fails:

sfAntiBruteForceManager::notifyFailedAuthentication($identifier);

This method will increment the counter for this user.

But before the authentication attempt, we have to check that the user can try (that he hasn't reached his threshold):

if (sfAntiBruteForceManager::canTryAuthentication($identifier))
{
  // ...
}
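To make the two calls above concrete, here is an added sketch of what the manager could look like with the file-based storage discussed earlier, together with the login action that uses it. This is my own illustration, not the plugin's code: the class name and the two methods canTryAuthentication() and notifyFailedAuthentication() come from the post, while the third method notifySuccessfulAuthentication(), the threshold and window values, the storage directory and the checkPassword() helper are assumptions.

```php
<?php
// Added example (not the plugin's code). File-backed attempt counter keyed on the login.
// Assumed: constants, storage location, notifySuccessfulAuthentication(), checkPassword().

class sfAntiBruteForceManager
{
    const MAX_FAILED_ATTEMPTS = 5;    // failures tolerated inside one window (assumed value)
    const WINDOW_SECONDS      = 900;  // 15 minutes; older counters are forgotten (assumed value)

    /** One small file per identifier, under the system temp dir (assumed location). */
    private static function getStorageDir()
    {
        $dir = sys_get_temp_dir() . '/sf_anti_brute_force';
        if (!is_dir($dir)) {
            mkdir($dir, 0700, true);
        }
        return $dir;
    }

    /** Hash the identifier so a crafted login can never become a path like "../x". */
    private static function getFilePath($identifier)
    {
        return self::getStorageDir() . '/' . hash('sha256', (string) $identifier);
    }

    /** Returns array(count, firstFailureTimestamp); missing or expired records count as zero. */
    private static function readRecord($identifier)
    {
        $path = self::getFilePath($identifier);
        if (!is_file($path)) {
            return array(0, 0);
        }
        $parts = explode(':', (string) file_get_contents($path));
        if (count($parts) !== 2) {
            return array(0, 0);   // corrupt file: treat as no history rather than crash
        }
        $count = (int) $parts[0];
        $since = (int) $parts[1];
        if (time() - $since > self::WINDOW_SECONDS) {
            return array(0, 0);   // window elapsed: the lock expires on its own
        }
        return array($count, $since);
    }

    private static function writeRecord($identifier, $count, $since)
    {
        // LOCK_EX so two concurrent failed logins do not lose an increment
        file_put_contents(self::getFilePath($identifier), $count . ':' . $since, LOCK_EX);
    }

    /** Call BEFORE verifying the credentials. */
    public static function canTryAuthentication($identifier)
    {
        list($count) = self::readRecord($identifier);
        return $count < self::MAX_FAILED_ATTEMPTS;
    }

    /** Call when the credentials were wrong: increments the counter for this login. */
    public static function notifyFailedAuthentication($identifier)
    {
        list($count, $since) = self::readRecord($identifier);
        if ($count === 0) {
            $since = time();      // first failure of a fresh window
        }
        self::writeRecord($identifier, $count + 1, $since);
    }

    /** Call when the credentials were right (assumed method, not in the post). */
    public static function notifySuccessfulAuthentication($identifier)
    {
        $path = self::getFilePath($identifier);
        if (is_file($path)) {
            unlink($path);
        }
    }
}

// Constructed stand-in for the real credential check of the application.
function checkPassword($login, $password)
{
    $users = array('alice' => 'correct horse battery staple');
    return isset($users[$login]) && hash_equals($users[$login], $password);
}

// Plain PHP standing in for the symfony login action: check the lock first,
// count the failure, reset on success.
function handleLogin($login, $password)
{
    if (!sfAntiBruteForceManager::canTryAuthentication($login)) {
        return 'locked';   // refuse without even looking at the password
    }
    if (!checkPassword($login, $password)) {
        sfAntiBruteForceManager::notifyFailedAuthentication($login);
        return 'failed';
    }
    sfAntiBruteForceManager::notifySuccessfulAuthentication($login);
    return 'ok';
}
```

Two design choices worth noting: the counter expires after the window instead of locking forever, which softens the "anyone who knows your login can lock your account" drawback; and the action should show the user the same generic error for 'locked' and 'failed', so the response does not reveal whether a login exists or how many attempts remain.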

sfGuard integration?

Later, probably. Don't put the cart before the horse! Let's keep it in mind.

So, here are the first leads for writing this plugin, which will be, in my opinion, very useful for developers who care about security (aka good developers!). I look forward to your remarks, suggestions and ideas!

PS: follow the progress on the official page of sfAntiBruteForcePlugin.


Comments (3)

By Deepak Kumar, 12/13/2010 at 1:13 PM
Why can't we use a captcha to avoid the brute force login attacks you are talking about here?

What do you think about it? Many people use it anyway.
By Grégoire Marchal, 12/13/2010 at 3:27 PM
I think captchas are ergonomic OR secure, never both. I want both, so captcha is not the solution, in my humble opinion.
By Grégoire Marchal, 12/13/2010 at 11:30 PM
