metin2dev
  • 0
emanuel

open Asking developers

Question

Hello devs, is there any way to block brute force login client side? I think it's possible this way:

- after 5 or 10 failed logins, ban the IP for one hour?

- a solution to ban their HWID automatically?

Does someone here know something?


15 answers to this question

Recommended Posts

  • 0
17 minutes ago, DasSchwarzeT said:

If they are bruteforcing without using the client you could add a salt to the password in the login interface

It's about client side, bro, I wanna know if it's possible to stop brute force on login client side

  • 0
1 hour ago, emanuel said:

It's about client side, bro, I wanna know if it's possible to stop brute force on login client side

https://en.wikipedia.org/wiki/Salt_(cryptography)

Reading/googling before commenting can do wonders mate :)


Basically, having a hash generator in client & server side with symmetric encryption methods can significantly minimize the chance of successful bruteforce.

For example, in the client you'll have the salt encrypt method; it will convert the login data into a one-way hash.

And the server will check if the hashed data is equivalent to the database data.

Server-side check, example:

    // Reject the login unless the client's hashed login data matches the server-side hash
    if (clientLoginHashedData != encrypt(databaseLoginData))
    {
        return false;
    }

If you're interested I can code such a system for you (not free).

Good luck.
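A runnable version of the check sketched in this post, added here as an example and not the poster's code: the server keeps a random salt per account and recomputes the hash server-side with PBKDF2, so two accounts with the same password store different hashes and a salt pulled out of the client gives an attacker nothing account-wide. Function names are my own.

```python
import hashlib
import hmac
import os

# Constructed example, not metin2 code. Per-account salt, server-side hashing.
PBKDF2_ROUNDS = 100_000   # work factor; raise as hardware allows
SALT_BYTES = 16

def create_credential(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, hash) to store for an account.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for reproducible tests)."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_login(password: str, stored_salt: bytes, stored_hash: bytes) -> bool:
    """Recompute with the account's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored_salt, PBKDF2_ROUNDS)
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, stored_hash)

def same_password_distinct_hashes(password: str) -> bool:
    """Show why a per-account salt matters: identical passwords, different rows."""
    _, h1 = create_credential(password)
    _, h2 = create_credential(password)
    return h1 != h2
```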

  • 0
5 hours ago, metin2-factory said:

https://en.wikipedia.org/wiki/Salt_(cryptography)

Reading/googling before commenting can do wonders mate :)


Basically, having a hash generator in client & server side with symmetric encryption methods can significantly minimize the chance of successful bruteforce.

For example, in the client you'll have the salt encrypt method; it will convert the login data into a one-way hash.

And the server will check if the hashed data is equivalent to the database data.

Server-side check, example:

    // Reject the login unless the client's hashed login data matches the server-side hash
    if (clientLoginHashedData != encrypt(databaseLoginData))
    {
        return false;
    }

If you're interested I can code such a system for you (not free).

Good luck.

I know, not free; can you prove your method blocks brute force?

  • 0

It doesn't block brute-force, it makes the brute-force attempts useless because the password storage method is different.

Yet, they can unpack your client, view the salt (I'm considering it is the same for all accounts) and adapt their brute-force.

You should make a unique salt for each account, and use it to make a hash (new versions of SHA are nice).

You can do like you said also, but it shouldn't be your first line of defense: blocking IP + HWID for 30 min after 5 wrong login attempts in the last 5 minutes, for example.

You can also implement 2-step auth on your server, check Google authenticator.

  • Thanks 1

  • 0
14 hours ago, tierrilopes said:

It doesn't block brute-force, it makes the brute-force attempts useless because the password storage method is different.

Yet, they can unpack your client, view the salt (I'm considering it is the same for all accounts) and adapt their brute-force.

You should make a unique salt for each account, and use it to make a hash (new versions of SHA are nice).

You can do like you said also, but it shouldn't be your first line of defense: blocking IP + HWID for 30 min after 5 wrong login attempts in the last 5 minutes, for example.

You can also implement 2-step auth on your server, check Google authenticator.

2-step auth is a great idea as well, but entering a 2nd password with every entrance can hurt the user experience, so I'm not sure about that (I'm not a UX expert xD).

Blocking IP + HWID is too much (why does the rest of the family have to suffer if one is being a jackass?). Blocking HWID can be bypassed as well if I'm not mistaken? I know that the MAC address can be spoofed for sure.

I'd go with the unique salt per account, or make a very intuitive and user friendly 2-step auth system.

GL :)

  • 0

Yeah, both HWID and IP can be bypassed sadly. About HWID, it could get more than just the MAC address, IDs from other parts as well; I'm just not sure where privacy could start being an issue.

I used a unique salt for each account, inspired by the IPS account management.

About 2-step you're right, it's good but can be annoying. Maybe ask it only for critical operations like change email, password?

And for new devices, keeping a log of what devices are used to log in. Then for known devices ask only once every 30 days? That should reduce annoyance.

  • Like 1
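The step-up rule described in this post (always challenge for critical operations, challenge unknown devices, and re-challenge known devices after 30 days), written out as an added Python example that is not the poster's code; the device log is an in-memory dict and all names are mine.

```python
# Constructed example of the device-aware second-factor policy from the post above.
TRUST_DAYS = 30
DAY_SECONDS = 86400
CRITICAL_OPERATIONS = {"change_email", "change_password"}

class DeviceTrust:
    """Per-account log of devices that have completed the second factor."""

    def __init__(self):
        # (account, device_id) -> unix time the second factor last succeeded
        self.verified_at = {}

    def second_factor_required(self, account, device_id, operation, now):
        """Decide whether this request must present the second factor."""
        if operation in CRITICAL_OPERATIONS:
            return True                          # always, regardless of device
        last = self.verified_at.get((account, device_id))
        if last is None:
            return True                          # never seen this device for this account
        return now - last > TRUST_DAYS * DAY_SECONDS   # trust has expired

    def mark_verified(self, account, device_id, now):
        """Record a successful second-factor check for this device."""
        self.verified_at[(account, device_id)] = now

    def known_devices(self, account):
        """List device ids that have ever passed the second factor for the account."""
        return sorted(d for (a, d) in self.verified_at if a == account)
```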

  • 0

Change the packet names, encrypt the packets better, nop out the function that gives the information to Python like "yes, the data was right, user will be logged in now".

But a 100% solution you won't find here, until you program a server-side captcha that is encrypted, that will be shown after 5 fails.

I hope that I am not that wrong..

Kind Regards

Cyber
