
I am trying to protect my Rails 3 application against brute-force login guessing. I am using authlogic. What is the best way to force a user (or bot) to fill in a captcha after a specific number of failed login attempts? Does authlogic have a built-in mechanism to record the number of consecutive failed attempts from the same IP? I would appreciate any help.


1 Answer


Authlogic has an Authlogic::Session::BruteForceProtection module (you can find how it's implemented here). Basically, it blocks an account after N unsuccessful logins. From its documentation:

By default the consecutive_failed_logins_limit configuration option is set to 50; if someone consecutively fails to log in after 50 attempts, their account will be suspended. This is a very liberal number, and at this point it should be obvious that something is not right. If you wish to lower this number, just set the configuration to a lower number:

  class UserSession < Authlogic::Session::Base
    # suspend the account after 10 consecutive failed logins instead of the default 50
    consecutive_failed_logins_limit 10
  end

In order to enable this field your model MUST have a failed_login_count (integer) field.

You could activate this module and add your captcha mechanism in the controller.

Later edit: I have just seen the 'from the same IP' part.

If you need a 'from the same IP' protection (I assume you mean that the attacker is not interested in a particular account, so the purpose is not to crack a particular account, but a DoS attack), then in my opinion it shouldn't be done at this level (rails application server). This should be handled by your system administrator, on the front-end (proxy) server.

answered 2010-06-11T10:22:24.010
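As an added illustration, not code from the answer or from Authlogic itself, here is a framework-free Ruby simulation of the per-account counter semantics described above: failed attempts increment `failed_login_count`, a success resets it, the account locks once `consecutive_failed_logins_limit` is reached, and a captcha gate sits at a lower threshold so the captcha appears well before lock-out. The `LoginGuard` class, the captcha threshold, the ban window and the clock parameter are assumptions made for this example.

```ruby
# Constructed simulation of the counter Authlogic's BruteForceProtection keeps
# in `failed_login_count`. Class name, captcha threshold and ban window are
# assumptions for this example, not Authlogic configuration.
class LoginGuard
  CONSECUTIVE_FAILED_LOGINS_LIMIT = 10  # same value as the answer's config
  CAPTCHA_AFTER_FAILURES = 3            # assumed: ask for a captcha early
  FAILED_LOGIN_BAN_FOR = 2 * 60 * 60    # assumed ban window, in seconds

  attr_reader :failed_login_count, :last_failure_at

  def initialize
    @failed_login_count = 0
    @last_failure_at = nil
  end

  # Locked once the limit is reached and the ban window has not yet expired.
  def locked?(now = Time.now)
    return false if @failed_login_count < CONSECUTIVE_FAILED_LOGINS_LIMIT
    !@last_failure_at.nil? && (now - @last_failure_at) < FAILED_LOGIN_BAN_FOR
  end

  # The controller would render a captcha whenever this is true and refuse
  # the attempt unless the captcha answer verified.
  def captcha_required?
    @failed_login_count >= CAPTCHA_AFTER_FAILURES
  end

  # Outcome of one login attempt. `captcha_ok` is nil when no captcha was
  # answered; a wrong or missing captcha never touches the counter.
  def attempt(password_ok:, captcha_ok: nil, now: Time.now)
    return :locked if locked?(now)
    return :captcha_required if captcha_required? && !captcha_ok

    if password_ok
      @failed_login_count = 0       # consecutive counter resets on success
      :ok
    else
      @failed_login_count += 1
      @last_failure_at = now
      :failed
    end
  end
end
```

In a real controller the same decision would be taken before calling `UserSession.new(params).save`, using the `failed_login_count` column on the user record.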