PHP: Anti-flood/spam system

Posted 2024-08-19 10:41:33, 509 characters, 17 views, 0 comments


I'm actually working on a PHP project that will feature a user system (login, register, send lost password to email, ...) and I think that this may be very vulnerable to brute-force attacks and/or spam (send a password to someone's email like 1000 times, etc.; use your fantasy).

  • Do today's webservers (Apache, IIS) have some sort of built-in defense against Brute-Force?
  • What would be the best way to implement an Anti-Spam/Flood system, if I e.g.: want a page not be able to be called more than two times a minute, however another page may be called up to 100 times a minute or so.

    • I would definitely have to store IP addresses, the time when they last visited a page and the number of visits somewhere - but would it be efficient enough storing it in a text file/database (MySQL)?

    • Should I use captchas for things like registering/recovering lost passwords?

    • Are "text" captchas viable? (Something like "What is 5 plus 9 minus 2? ")

    • The page won't be used by that many users (100-200), do I actually have to implement all these things?


Comments (6)

回忆那么伤 2024-08-26 10:41:33


Regarding CAPTCHAs: I would recommend against using CAPTCHAs unless you really need it. Why?

  1. It's ugly.
  2. It's annoying for your users. You shouldn't make them jump through hoops to use your site.

There are some alternatives which are very simple, can be very effective and are entirely transparent to (almost all) users.

  1. Honeypot fields: add a field to your forms with a common name like "website". Beside it, add a label saying something to the effect of "don't write in this box". Using Javascript hide the input and label. When you receive a form submission, if there's anything in the field, reject the input.

    Users with JS won't see it and will be fine. Users without JS will just have to follow the simple instruction. Spambots will fall for it and reveal themselves.

  2. Automatic faux-CAPTCHA: This is similar to the above. Add an input field with a label saying "Write 'Alex'" (for example). Using Javascript (and knowing that most automated spam bots won't be running JS), hide the field and populate it with 'Alex'. If the submitted form doesn't have the magic word there, then ignore it.

    Users with JS won't see it and will be fine. Users without JS will just have to follow the simple instruction. Spambots won't know what to do and you can ignore their input.

This will safeguard you from 99.9% of automated spam bots. What it won't do, even in the slightest, is safeguard you against a targeted attack. Someone could customise their bot to avoid the honeypot or always fill in the correct value.


Regarding Brute Force blocking: A server-side solution is the only viable way to do this obviously. For one of my current projects, I implemented a brute force protection system very similar to what you describe. It was based on this Brute Force Protection plugin for CakePHP.

The algorithm is fairly simple, but a little confusing initially.

  1. User requests some action (reset password, for example)
  2. Run: DELETE FROM brute_force WHERE expires < NOW()
  3. Run:

    SELECT COUNT(*) FROM brute_force 
    WHERE action = 'passwordReset'
    AND ip = <their ip address>
    
  4. If the count is greater than X then tell them to wait a while.
  5. Otherwise, run:

    INSERT INTO brute_force (ip, action, expires)
    VALUES (<their ip address>, 'passwordReset', NOW() + INTERVAL Y MINUTE)
    
  6. Continue with the reset password function.

This will allow users to only try resetting a password X times in Y minutes. Tweak these values as you see fit. Perhaps 3 resets in 5 minutes? Additionally, you could have different values for each action: for some things (eg: generate a PDF), you might want to restrict it to 10 in 10 minutes.

神爱温柔 2024-08-26 10:41:33
  1. Yes, storing an IP address, last accessed and times accessed in a database would be fine.
  2. Using CAPTCHAs for register/recovering password is advised so that e-mail addresses cannot be spammed. Also to stop brute forcing.
  3. Yes, text CAPTCHAs are possible, although far easier for someone to crack and write a script to automate the answer. For a free CAPTCHA, I'd recommend Recaptcha.
  4. That really depends on how much you care about security. I'd certainly recommend using a CAPTCHA as they are simple to implement.

隔岸观火 2024-08-26 10:41:33


Don't try to implement all the logic in your PHP - the lower in your stack you can implement it, the more efficiently it can be dealt with.

Most firewalls (including iptables on BSD/Linux) have connection throttling. Also, have a look at mod_security for DDOS/brute force attack prevention.

You should design your application around the idea that these kinds of attacks will not give the attacker access to the app - at the end of the day there's no way you can prevent a DOS attack, although you can limit its effectiveness.

There's not a lot of value in relying on a consistent IP address from your attacker - there's lots of ways of getting around that.

e.g. keep track of the number of password reset requests between logins by each user. In your password reset form, respond (to the client) in exactly the same way if the user submits an unknown email address. Log invalid email addresses.

HTH

C.
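The brute_force table algorithm from the first answer, combined with this answer's suggestions of counting reset requests per account rather than only per IP and replying identically for known and unknown addresses. This is an added example, not code from any answer or from the CakePHP plugin; it assumes PDO with an in-memory SQLite database, a generic `subject` column in place of `ip`, and integer Unix timestamps in `expires`.

```php
<?php
// Added example, not code from the question or any answer. Implements the
// first answer's brute_force algorithm (expire, count, insert) keyed by any
// subject: an IP address, or a per-account key as the third answer suggests.
// SQLite in memory keeps it self-contained; use a MySQL DSN in real use.
class FloodGuard
{
    // action => [X attempts, Y minutes], e.g. 3 password resets in 5 minutes
    private array $limits = ['passwordReset' => [3, 5], 'login' => [10, 10]];
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS brute_force
            (subject TEXT NOT NULL, action TEXT NOT NULL, expires INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS bf_idx ON brute_force (subject, action)');
    }
    // True if the attempt is allowed (and recorded), false if the caller must wait.
    public function attempt(string $subject, string $action, ?int $now = null): bool
    {
        [$max, $minutes] = $this->limits[$action] ?? [2, 1]; // default: 2 per minute
        $now ??= time();
        // One transaction, so two concurrent requests cannot both pass the COUNT.
        $this->db->beginTransaction();
        $this->db->prepare('DELETE FROM brute_force WHERE expires < ?')->execute([$now]);
        $st = $this->db->prepare('SELECT COUNT(*) FROM brute_force WHERE subject = ? AND action = ?');
        $st->execute([$subject, $action]);
        $allowed = (int) $st->fetchColumn() < $max; // allows exactly X attempts per window
        if ($allowed) {
            $this->db->prepare('INSERT INTO brute_force (subject, action, expires) VALUES (?, ?, ?)')
                     ->execute([$subject, $action, $now + $minutes * 60]);
        }
        $this->db->commit();
        return $allowed;
    }
}
// Reset handler: the same reply for known and unknown addresses, limited per IP
// and per account; unknown addresses are only logged, never revealed to the client.
function requestPasswordReset(FloodGuard $g, array $known, string $ip, string $email): string
{
    $email = strtolower($email);
    if ($g->attempt("ip:$ip", 'passwordReset') && $g->attempt("email:$email", 'passwordReset')) {
        if (in_array($email, $known, true)) { sendResetMail($email); }
        else { error_log("password reset requested for unknown address: $email"); }
    }
    return 'If that address is registered, a reset link has been sent.';
}
function sendResetMail(string $email): void { /* hypothetical hook: mail() or your mailer */ }
$guard = new FloodGuard(new PDO('sqlite::memory:'));
for ($i = 1; $i <= 4; $i++) { // 203.0.113.5 is a constructed documentation address
    echo "attempt $i: ", $guard->attempt('203.0.113.5', 'passwordReset') ? "allowed\n" : "wait\n";
}
```

Keying a second counter on the account means a reset flood through rotating proxies still hits the per-account limit, while the fixed response keeps the form from doubling as an email-enumeration oracle.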

∞琼窗梦回ˉ 2024-08-26 10:41:33


Besides doing what Gazler is telling you, you should also have some way of counting the login attempts in general. If the total of all login attempts is bigger than X, then either start using the sleep command or just say the servers have a high load.

青衫儰鉨ミ守葔 2024-08-26 10:41:33


Storing IP addresses is good practice for logging and tracking, but I think that just a captcha would stop spamming, brute-force attacks and flooding.

Recaptcha is indeed a good solution.

你没皮卡萌 2024-08-26 10:41:33


Sure, your target audience might not be large, but if it's in the public domain then it's vulnerable.

Text captchas are cracked easily these days, believe me.

For an anti-spam/flood system you could log IP addresses (MySQL preferably) and add a time limit on login retries.
