The Mighty Blog

Written by:Will
9/24/2005

Right now, I am building a new web site for my girlfriend. Those of us who are in the business of building web sites are constantly looking at security. One of those security areas is login pages. This is one of the more popular avenues of attack for many hackers. And why not? If the hacker and/or his software can just guess a username and password combo and get in to mess things up, then why bother trying to get access to the database directly? Unless there are deeper motivations... However, I am not too concerned with those motivations on my girlfriend's family site. There shouldn't be any credit card or SSN numbers in her database. Hehehe...

Now we all come up with ways to deter hackers from accessing our web sites. One method is to simply send the request away. That is what I am talking about in this posting.

As an example, on this site I keep a count of how many times a requestor enters invalid login credentials. Since we cannot depend on client cookies or session variables for this (the client controls both), I log the IP address into the database along with the date, time, and some HTTP request information in case I need it later. A simple INSERT statement like the one below should do the trick. This one is VBScript for an Access DB, but it can easily be adapted to other languages and DBs.

Dim sql, ip, httpdata
' Double any single quote so the value stays inside its SQL string literal.
' ALL_HTTP is built from client-supplied headers, so it must never be
' concatenated into the statement raw.
ip = Replace(Request.ServerVariables("REMOTE_ADDR"), "'", "''")
httpdata = Replace(Request.ServerVariables("ALL_HTTP"), "'", "''")
sql = "INSERT INTO blacklist_table (" & _
      "bl_ip, bl_date, bl_httpdata" & _
      ") VALUES (" & _
      "'" & ip & "'," & _
      "#" & Now() & "#," & _
      "'" & httpdata & "'" & _
      ")"

On each request to the web site, it checks whether the IP's failed login attempts for the day are above 25. If they are, I send the visitor to the Homeland Security Contact page. Hehehe... Here is another VBScript example:

Dim sql, ip, dayStart, dayEnd
ip = Replace(Request.ServerVariables("REMOTE_ADDR"), "'", "''")
dayStart = FormatDateTime(Now(), 2)                ' today's date with no time part (vbShortDate)
dayEnd = FormatDateTime(DateAdd("d", 1, Now()), 2) ' tomorrow's date, so the range covers all of today
sql = "SELECT COUNT(*) AS totalcount FROM blacklist_table " & _
      "WHERE bl_ip = '" & ip & "' " & _
      "AND (bl_date BETWEEN #" & dayStart & "# AND #" & dayEnd & "#)"
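The same two steps (log each failed attempt, then count the day's attempts per IP on every request) as an added, self-contained example that is not part of the original post. It uses Python with an SQLite table instead of VBScript and Access; the table and column names follow the post, and the limit of 25 per day is the post's. The difference worth noticing is that the values travel to the database as bound parameters rather than being glued into the SQL text, so a header value containing a quote is stored as data instead of breaking (or altering) the statement. The sample IP addresses, header value and timestamp are constructed for the demo.

```python
import sqlite3
from datetime import datetime, timedelta

LIMIT_PER_DAY = 25  # same threshold the post uses


def open_blacklist_db(path=":memory:"):
    """Create the blacklist table; names follow the post's Access schema."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS blacklist_table ("
        " bl_ip TEXT NOT NULL, bl_date TEXT NOT NULL, bl_httpdata TEXT)"
    )
    # The per-request count is a lookup by IP and date, so index that pair.
    conn.execute(
        "CREATE INDEX IF NOT EXISTS ix_bl_ip_date ON blacklist_table (bl_ip, bl_date)"
    )
    return conn


def record_failed_login(conn, remote_addr, all_http, when=None):
    """Log one failed attempt.

    The '?' placeholders hand each value to the driver separately from the SQL
    text, so client-controlled header data is never parsed as SQL.
    """
    when = when or datetime.now()
    conn.execute(
        "INSERT INTO blacklist_table (bl_ip, bl_date, bl_httpdata) VALUES (?, ?, ?)",
        (remote_addr, when.isoformat(timespec="seconds"), all_http),
    )
    conn.commit()


def failed_attempts_today(conn, remote_addr, when=None):
    """Count this IP's failures from today's midnight up to (not including) tomorrow's.

    ISO-8601 timestamps sort as text, so a plain string comparison gives a
    correct half-open day window.
    """
    when = when or datetime.now()
    day_start = when.replace(hour=0, minute=0, second=0, microsecond=0)
    day_end = day_start + timedelta(days=1)
    row = conn.execute(
        "SELECT COUNT(*) AS totalcount FROM blacklist_table "
        "WHERE bl_ip = ? AND bl_date >= ? AND bl_date < ?",
        (
            remote_addr,
            day_start.isoformat(timespec="seconds"),
            day_end.isoformat(timespec="seconds"),
        ),
    ).fetchone()
    return row[0]


def should_redirect(conn, remote_addr, when=None):
    """The post's per-request check: above the daily limit means send them away."""
    return failed_attempts_today(conn, remote_addr, when) > LIMIT_PER_DAY


def run_demo():
    """Constructed scenario: one IP fails 26 times at noon; returns what each check saw."""
    db = open_blacklist_db()
    noon = datetime(2005, 9, 24, 12, 0, 0)          # constructed timestamp
    header = "User-Agent: O'Brien's browser"        # constructed; the quote is the point
    attacker, bystander = "192.0.2.10", "192.0.2.11"  # constructed (documentation range)
    for _ in range(LIMIT_PER_DAY + 1):
        record_failed_login(db, attacker, header, noon)
    stored = db.execute("SELECT bl_httpdata FROM blacklist_table LIMIT 1").fetchone()[0]
    return {
        "count_today": failed_attempts_today(db, attacker, noon),
        "redirect_today": should_redirect(db, attacker, noon),
        "redirect_tomorrow": should_redirect(db, attacker, noon + timedelta(days=1)),
        "redirect_other_ip": should_redirect(db, bystander, noon),
        "header_stored_intact": stored == header,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things differ from the post's queries on purpose: the date window is half-open (`>=` midnight today, `<` midnight tomorrow) so an attempt logged exactly at midnight is counted on one day only, and the threshold check lives in one function so the redirect logic and the count cannot drift apart.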

Pretty simple, huh? As with anything else in the security world, one trick doesn't save the ship. The key to good security is LAYERS, meaning multiple defenses on multiple fronts. I just thought this one was kind of amusing because of where I am sending them.

Have a good one!

The opinions expressed here are the personal opinions of Will Strohl and do not necessarily represent the views and opinions of the DotNetNuke Corporation.
© Copyright 2004-2010 by Will Strohl. All rights reserved. Website Skinned By: Ralph Williams. Website Hosted By: Applied Innovations.