Closed mebjas closed 8 years ago
Even if we stop that, you can use other IPs. It's not about stopping it, it's about making it harder, with the least effort. -A
Notice: This message is digitally signed, its source and integrity are verifiable. If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com
On Feb 19, 2014, at 5:14 PM, minhaz notifications@github.com wrote:
I have a small doubt. In the adv_password lib in the auth section, the function isBruteForce() checks the number of attempts in a small period of time to declare it brute force or not. But what if I set my bot to send requests permissible under the given condition (of time) and run it for a long time to get the correct credentials?
Has it not been implemented because these types of attacks will take too much time to crack the password, making it less feasible?
Correct me wherever I'm wrong :)
One more thing just came to my mind... We have a function that identifies a brute-force attack, but what then? One thing is that the developer has to call this function each time to check if a brute-force attack was attempted, then he has to apply his own methods to do later operations. Shouldn't it be part of the library to provide actions when brute force is detected?
A basic kind of action should be provided. Like an HTTP status and killing the process. But it should allow overriding. -A
On Feb 23, 2014, at 11:14 AM, minhaz notifications@github.com wrote:
One more thing just came to my mind... We have a function that identifies a brute-force attack, but what then? One thing is that the developer has to call this function each time to check if a brute-force attack was attempted, then he has to apply his own methods to do later operations. Shouldn't it be part of the library to provide actions when brute force is detected?
I have a small doubt. In the adv_password lib in the auth section, the function isBruteForce() checks the number of attempts in a small period of time to declare it brute force or not. But what if I set my bot to send requests permissible under the given condition (of time) and run it for a long time to get the correct credentials?
Has it not been implemented because these types of attacks will take too much time to crack the password, making it less feasible?
Correct me wherever I'm wrong :)
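The two points raised in this thread (attempts paced to stay under a short-window check, and a default action that callers can override) shown together as an added Python example; it is not code from the library discussed. The class name, the thresholds and the choice to key on the account rather than the source IP are assumptions.

```python
import time
from collections import defaultdict, deque

class BruteForceGuard:
    """Two-window failed-login tracker with an overridable response hook (hypothetical)."""

    def __init__(self, burst_limit=5, burst_window=60,
                 slow_limit=20, slow_window=86400, on_detect=None):
        self.burst = (burst_limit, burst_window)   # assumed: 5 failures per minute
        self.slow = (slow_limit, slow_window)      # assumed: 20 failures per day
        self.failures = defaultdict(deque)         # account -> failure timestamps
        self.on_detect = on_detect or self.default_action

    @staticmethod
    def default_action(account, reason):
        # Basic default: tell the caller to answer HTTP 429 and stop processing.
        return {"status": 429, "account": account, "reason": reason}

    def record_failure(self, account, now=None):
        now = time.time() if now is None else now
        q = self.failures[account]
        q.append(now)
        # Drop entries older than the longest window that is evaluated.
        while q and now - q[0] > self.slow[1]:
            q.popleft()
        return self.check(account, now)

    def check(self, account, now):
        q = self.failures[account]
        for reason, (limit, window) in (("burst", self.burst), ("slow", self.slow)):
            recent = sum(1 for t in q if now - t <= window)
            if recent >= limit:
                return self.on_detect(account, reason)
        return None

    def record_success(self, account):
        # A successful login clears the account's failure history.
        self.failures.pop(account, None)


def simulate(interval, attempts, guard=None):
    """Constructed input: one failed login for 'alice' every `interval` seconds."""
    guard = guard or BruteForceGuard()
    for i in range(attempts):
        result = guard.record_failure("alice", now=1_000_000 + i * interval)
        if result is not None:
            return i + 1, result
    return attempts, None
```

A client pacing itself at one attempt every 30 seconds never trips the one-minute check but is caught by the daily one; pacing below the daily limit is not detected, it is only held to that guess rate.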