
Author Topic: Password brute force  (Read 143 times)

Offline Matty

  • Hero Member
  • *****
  • Posts: 1253
    • MattiesGames
Password brute force
« on: November 24, 2020, 08:12:47 AM »
Query:

Are there sufficient internet connected devices to simultaneously attempt to log in to a password protected account using a coordinated brute force method such that no device gets a 'too many attempts' outcome for their ip address?

Offline blinkok

  • Sr. Member
  • ****
  • Posts: 269
Re: Password brute force
« Reply #1 on: November 24, 2020, 08:19:41 AM »
I think attempts are counted on the server

Offline Qube

  • Administrator
  • Hero Member
  • *****
  • Posts: 2565
  • I mostly code at night... Mostly.
    • SyntaxBomb - Indie Coders
Re: Password brute force
« Reply #2 on: November 24, 2020, 09:06:55 AM »
With that method it would be a DDOS at the very least and even if you could do that then any half decent system will block the login ( regardless of IP ) as it's clearly under attack.
Mac mini ( 2018 / 2020 ), 3 GHz 6-Core Intel Core i5, 16 GB 2667 MHz DDR4, 1TB NVMe, eGPU Radeon Pro 580 8 GB, LG Ultragear 27GL83A-B 27 Inch
Commodore VIC-20, 1.1Mhz MOS 6502 CPU, 5KB RAM, VIC ( 6560 ) GPU

Until the next time...

Offline Derron

  • Hero Member
  • *****
  • Posts: 3262
Re: Password brute force
« Reply #3 on: November 24, 2020, 09:41:30 AM »
If you talk about your own scripted login system: then yes, it is possible.
If you talk about server logins etc? fail2ban will kick you out after a handful of tries.

If you had a static IP you could even limit logins to "whitelisted" ("allowlisted") IPs - but this is risky.
You could do that if you had eg 2 other servers (not attacked) which you allow to connect to the other server. Now you could log in to these servers and from there log in to the "secured" server.

And instead of allowing "bruteforce" one should in these cases consider having some strong encrypted SSH key to login (default is 3k bit encryption but you can go up to 16k). That is then ... not so easy to bruteforce.


bye
Ron

Offline Matty

  • Hero Member
  • *****
  • Posts: 1253
    • MattiesGames
Re: Password brute force
« Reply #4 on: November 24, 2020, 12:57:55 PM »
Interesting.

So if the goal was to deny access to legitimate users rather than gain access the cluster of devices worldwide could repeatedly attempt access from many ips to accounts.

Eg if a foreign entity wished to target a bank's customers they could trigger a host of Internet connected devices to target the logins of that bank's customer accounts and fail to get in but cause those logins to become jammed shut.

Offline Derron

  • Hero Member
  • *****
  • Posts: 3262
Re: Password brute force
« Reply #5 on: November 24, 2020, 04:30:06 PM »
??
Think I did not understand you properly.


if IPs spam YOUR service ... they spam and spam until they get in
if IPs spam an easily secured thing (eg ssh secured by fail2ban) then THESE IPs get into a "jail" (so are blocked for X time), they do not even come to try to login, they are blocked "before" (so less CPU is used)

More "current" technology is surely something you experienced multiple times:
try to log into your amazon, paypal, ... account from a different city, or via mobile. You most probably cannot log in but have to verify first (via mail ... kind of one time "two factor authentication").
This way it is harder for attackers to even try to "login" (assume Russian hacker vs French user).

For this geo locating IPs has to work properly, or "provider identification".
Problems might arise if you use some of the "free wifi" organization hardware - eg some here in Germany are automatically routing all traffic through Sweden (avoids legal issues if someone shares copyrighted stuff...). That way you are prone to get such "verify first" messages :)


But these systems ...they are smart now - you do not get a mail for every "automated login attempt" - they might even present the information on the website first ("click here to send a verification mail"). Else you could easily spam around to various users.

They also check your browser and so on - this way they can "rate" your login visit and if it reaches a certain value ... the system reacts :D.


For our "low scale" servers even "login tries" can be problematic ... if you think of "ddos". For this most often IP ranges are blocked. Most users (eg "German Website -> German users") will still be able to use the website but "foreign" IPs can be temporarily blocked.

Qube is doing such stuff (range blocking) I think ... which is why some people here who come from Russia have trouble even registering.


bye
Ron
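
The two throttling policies the thread contrasts (a fail2ban-style per-IP jail versus a per-account lockout, and the lockout denial of service Matty asks about in Reply #4) as an added, constructed model; this is example code, not anything from the forum or from fail2ban itself, and the class, limits and the documentation-range IP addresses are all assumptions:

```python
from collections import defaultdict

# Constructed model of the two throttling policies discussed in the thread:
#  - a fail2ban-style per-IP jail (N failures -> that IP is banned for a while)
#  - a per-account lockout (N failures -> the account is locked for every IP)
class LoginThrottle:
    def __init__(self, ip_limit=5, ip_ban_seconds=600,
                 account_limit=10, account_lock_seconds=900):
        self.ip_limit, self.ip_ban_seconds = ip_limit, ip_ban_seconds
        self.account_limit = account_limit
        self.account_lock_seconds = account_lock_seconds
        self.ip_failures = defaultdict(int)
        self.ip_banned_until = {}
        self.account_failures = defaultdict(int)
        self.account_locked_until = {}

    def attempt(self, ip, account, password_ok, now):
        """Return 'ip_banned', 'account_locked', 'ok' or 'fail'."""
        if self.ip_banned_until.get(ip, 0) > now:
            return "ip_banned"        # rejected before the password is checked
        if self.account_locked_until.get(account, 0) > now:
            return "account_locked"   # rejected even if the password is right
        if password_ok:
            self.ip_failures[ip] = 0
            self.account_failures[account] = 0
            return "ok"
        self.ip_failures[ip] += 1
        self.account_failures[account] += 1
        if self.ip_failures[ip] >= self.ip_limit:
            self.ip_banned_until[ip] = now + self.ip_ban_seconds
        if self.account_failures[account] >= self.account_limit:
            self.account_locked_until[account] = now + self.account_lock_seconds
        return "fail"

def simulate(n_ips, attempts_per_ip):
    """Spread failed logins on one account over n_ips addresses (constructed IPs)."""
    t = LoginThrottle()
    out = []
    for i in range(n_ips * attempts_per_ip):
        out.append(t.attempt(f"198.51.100.{i % n_ips}", "alice", False, now=float(i)))
    return out

def victim_after_distributed_failures(n_ips=20):
    """The account owner logs in with the right password after failures from n_ips addresses."""
    t = LoginThrottle()
    for i in range(n_ips):
        t.attempt(f"198.51.100.{i}", "alice", False, now=float(i))
    return t.attempt("203.0.113.7", "alice", True, now=float(n_ips))
```

Twelve failures from one address trip only the IP jail, while twenty failures spread over twenty addresses never trip it but lock the account, so the legitimate owner is refused too; that is why the "half decent system" Qube mentions has to combine signals (IP reputation, browser fingerprint, step-up verification) rather than count on either rule alone.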

Offline Matty

  • Hero Member
  • *****
  • Posts: 1253
    • MattiesGames
Re: Password brute force
« Reply #6 on: November 24, 2020, 06:50:42 PM »
Thanks Derron.
