如何检查我的Web应用程序的用户是否尝试使用不同的凭据登录?
我正在尝试从3天开始制作或找到好方法来检测是否有用户尝试使用许多登录凭据登录我的网络应用程序或进行洪水攻击,因此我可以在此问题中将验证码显示为此示例登录页面,但没有运气。
I'm trying from 3 days to make or find good way to detect if there is a user trying to login my web application with many login credentials or making flood attack, so I can show captcha as example in this cause in my login page, but with no luck.
我可以知道是否有用户登录用户名:xyz尝试多次登录,但如果用户试图登录怎么办?使用许多用户名登录,例如xyz1,xyz2,xyz3,admin,administrator,root等等。
I can know if there is user with login username : "xyz" trying many times to login, but what if a user trying to login with many usernames like "xyz1" , "xyz2", "xyz3" , "admin", "administrator", "root" .... etc.
特别注册该用户可能尝试使用不同的会话和隐藏的IP或许多IP。
Specially that user maybe trying with different sessions and hidden IP or many IPs.
如果你想知道一个很好的例子,它的东西就像是雅虎和谷歌登录页面。
If you want to know good example, its something is like yahoo and google login page.
我试图通过谷歌搜索和浏览堆栈溢出中的许多问题找不到我糟糕的语言,但没有找到有用的文章。
I tried to find way with my poor language with googling and browsing many questions in * and not found helpful article.
应用程序托管bean有用吗?使用它是否健康?以及使用应用程序托管bean或任何其他方式执行此操作的正确方法是什么?
Is Application managed bean helpful ? is it healthy to use? and what correct way to do this, in cause Application managed bean or any another way?
您不能。正如您自己发现的那样:您无法从Web应用程序中可靠地保护您的Web应用程序。您的应用程序可以选择:
You can't. As you've discovered yourself: you're not going to be able to reliably protect your web application, from within your web application. Your application has the choice to:
-
针对单个用户名记录多次尝试这是相当基本的你可以在许多网络应用程序中找到它;记录针对相同用户名的失败登录尝试,并在一定数量的失败后阻止进一步的登录尝试。不会阻止攻击者继续尝试
Log multiple attempts against a single username This is fairly basic and you'll find this in many web apps; record failed login attempts against the same username and block further login attempts after a set number of failures. Doesn't stop the attacker from continuing to try
在一段时间内记录来自单个IP地址的多次尝试如果您可以信任通过HTTP请求发送的IP地址,那么也可能相当简单。正如您所猜测的那样,您更可能无法信任该IP地址(可能是欺骗性的,可能是代理等),但您仍然可以记录IP地址,并阻止所有注册/登录给定的IP地址。不会阻止攻击者继续尝试
Log multiple attempts from a single IP address, over a span of time This could be fairly straightforward also, provided you can trust the IP address that's sent with the HTTP request. As you've guessed, it's more likely you're not going to be able to trust that IP address (could be spoofed, could be a proxy e.t.c.), but you could still log IP addresses, and block all registrations/logins from a given IP address. Doesn't stop the attacker from continuing to try
这会让您失望,超出您的申请范围:工作与您的网络基础架构提供商能够及早发现垃圾邮件和DDoS攻击,并关闭相关数据包,并可能自动将这些IP地址添加到黑名单。
What this leaves you with, is going outside your application: work with your network infrastructure provider to be able to detect spam and DDoS attacks early, and head off the associated packets and possibly add those IP addresses to blacklists automatically.
相关:
- How can I throttle user login attempts in PHP