emanuel 18 Posted March 7, 2018
Hello devs, is there any way to block brute-force logins client side? I think it's possible this way:
- after 5 or 10 failed logins, ban the IP for one hour?
- a solution to ban their HWID automatically?
Does someone here know something?
DasSchwarzeT 111 Posted March 7, 2018
If they are brute-forcing without using the client, you could add a salt to the password in the login interface.
emanuel 18 (Author) Posted March 7, 2018
17 minutes ago, DasSchwarzeT said: If they are brute-forcing without using the client, you could add a salt to the password in the login interface.
It's about the client side, bro. I want to know if it's possible to stop brute force on the login client side.
metin2-factory 1013 Posted March 7, 2018
1 hour ago, emanuel said: It's about the client side, bro. I want to know if it's possible to stop brute force on the login client side.
https://en.wikipedia.org/wiki/Salt_(cryptography)
Reading/googling before commenting can do wonders, mate. Basically, having a hash generator on the client and server side with symmetric encryption methods can significantly minimize the chance of a successful brute force. For example, in the client you'll have the salt/encrypt method; it will convert the login data into a one-way hash, and the server will check whether the hashed data is equivalent to the database data. Server-side check, example:
if (clientLoginHashedData is not equal encrypt(databaseLoginData)) { return false; }
If you're interested I can code such a system for you (not free). Good luck.
emanuel 18 (Author) Posted March 7, 2018
5 hours ago, metin2-factory said: https://en.wikipedia.org/wiki/Salt_(cryptography) Reading/googling before commenting can do wonders, mate. Basically, having a hash generator on the client and server side with symmetric encryption methods can significantly minimize the chance of a successful brute force. For example, in the client you'll have the salt/encrypt method; it will convert the login data into a one-way hash, and the server will check whether the hashed data is equivalent to the database data. Server-side check, example: if (clientLoginHashedData is not equal encrypt(databaseLoginData)) { return false; } If you're interested I can code such a system for you (not free). Good luck.
I know it's not free. Can you prove your method blocks brute force?
tierrilopes 452 Posted March 7, 2018
It doesn't block brute force; it makes the brute-force attempts useless because the password storage method is different. Yet they can unpack your client, view the salt (I'm assuming it is the same for all accounts) and adapt their brute force. You should make a unique salt for each account and use it to make a hash (new versions of SHA are nice). You can also do what you said, but it shouldn't be your first line of defense: blocking IP + HWID for 30 min after 5 wrong login attempts in the last 5 minutes, for example. You can also implement 2-step auth on your server; check Google Authenticator.
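The two measures in the post above, as an added example that is not code from the thread or from any Metin2 server source: a per-account random salt with a slow hash (PBKDF2-HMAC-SHA256 is my choice; the post only says "new versions of SHA"), plus a lockout keyed on (IP, HWID) that blocks for 30 minutes after 5 failures within the last 5 minutes. The clock is injectable so the window logic can be exercised without sleeping; the account names, IPs and HWIDs are constructed test data.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, 100k iterations, 16-byte salt.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_FAILURES = 5           # 5 wrong attempts ...
FAILURE_WINDOW = 5 * 60    # ... within the last 5 minutes ...
BLOCK_SECONDS = 30 * 60    # ... blocks the (ip, hwid) pair for 30 minutes


def new_password_record(password: str) -> dict:
    """Store a fresh random salt per account so one dumped salt is useless elsewhere."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


# Verified against when the account does not exist, so unknown and wrong-password
# attempts take the same time and do not reveal which usernames are valid.
DUMMY_RECORD = new_password_record("")


class FakeClock:
    """Test clock (constructed helper): advance .t manually instead of sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # (ip, hwid) -> timestamps of recent failures
        self._blocked_until = {}              # (ip, hwid) -> unblock time

    def is_blocked(self, ip: str, hwid: str) -> bool:
        key = (ip, hwid)
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            del self._blocked_until[key]      # block expired
            return False
        return True

    def _record_failure(self, key, now: float) -> None:
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()                  # sliding window: forget old failures
        if len(window) >= MAX_FAILURES:
            self._blocked_until[key] = now + BLOCK_SECONDS
            window.clear()

    def attempt_login(self, accounts: dict, username: str, password: str, ip: str, hwid: str) -> str:
        """Returns 'ok', 'denied' (wrong credentials) or 'blocked' (lockout active)."""
        key = (ip, hwid)
        if self.is_blocked(ip, hwid):
            return "blocked"
        now = self._clock()
        record = accounts.get(username, DUMMY_RECORD)
        ok = verify_password(record, password) and username in accounts
        if ok:
            self._failures.pop(key, None)
            return "ok"
        self._record_failure(key, now)
        return "blocked" if key in self._blocked_until else "denied"


if __name__ == "__main__":
    accounts = {"alice": new_password_record("correct horse")}   # constructed sample account
    clock = FakeClock()
    guard = LoginGuard(clock)
    for _ in range(5):
        print(guard.attempt_login(accounts, "alice", "wrong", "203.0.113.5", "HWID-A"))
    print(guard.attempt_login(accounts, "alice", "correct horse", "203.0.113.5", "HWID-A"))
```

The lockout is keyed on the pair, not on the IP alone, so other players behind the same NAT with different hardware are not punished; a guessing tool that rotates HWIDs still hits the per-account slow hash on every try.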
metin2-factory 1013 Posted March 8, 2018
14 hours ago, tierrilopes said: It doesn't block brute force; it makes the brute-force attempts useless because the password storage method is different. Yet they can unpack your client, view the salt (I'm assuming it is the same for all accounts) and adapt their brute force. You should make a unique salt for each account and use it to make a hash (new versions of SHA are nice). You can also do what you said, but it shouldn't be your first line of defense: blocking IP + HWID for 30 min after 5 wrong login attempts in the last 5 minutes, for example. You can also implement 2-step auth on your server; check Google Authenticator.
2-step auth is a great idea as well, but entering a second password with every login can hurt the user experience, so I'm not sure about that (I'm not a UX expert xD). Blocking IP + HWID is too much (why does the rest of the family have to suffer if one of them is being a jackass?). Blocking HWID can be bypassed as well, if I'm not mistaken? I know that a MAC address can be spoofed for sure. I'd go with the unique salt per account, or make a very intuitive and user-friendly 2-step auth system. GL
tierrilopes 452 Posted March 8, 2018
Yeah, both HWID and IP can be bypassed, sadly. For the HWID it could use more than just the MAC address, IDs from other parts as well; I'm just not sure where privacy could start being an issue. I used a unique salt for each account, inspired by the IPS account management. About 2-step you're right, it's good but can be annoying. Maybe ask for it only for critical operations like changing email or password? And for new devices, keeping a log of which devices are used to log in. Then for known devices ask only once every 30 days? That should reduce the annoyance.
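The second-factor policy sketched in the last two posts, as an added example that is not code from the thread: a TOTP check as Google Authenticator computes it (RFC 6238, HMAC-SHA1, 30-second step, 6 digits, one step of clock skew tolerated), with the code required always for critical operations, and for login only on an unknown device or once every 30 days per known device. The operation names, device IDs and the 30-day trust period are assumptions; the secret in the usage block is the RFC 6238 reference-vector secret.

```python
import base64
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30
TOTP_DIGITS = 6
TRUST_SECONDS = 30 * 24 * 3600                      # assumed: a known device is trusted for 30 days
CRITICAL_OPS = {"change_email", "change_password"}  # assumed names; these always need a code


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant Google Authenticator generates."""
    counter = struct.pack(">Q", int(unix_time) // step)          # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb client clock drift."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * TOTP_STEP), code):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form the authenticator app expects when the key is typed in by hand."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


class FakeClock:
    """Test clock (constructed helper): advance .t manually instead of sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class SecondFactorPolicy:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._trusted = {}   # (account, device_id) -> trusted-until timestamp

    def requires_code(self, account: str, device_id: str, operation: str = "login") -> bool:
        if operation in CRITICAL_OPS:
            return True                                   # always, even on a known device
        until = self._trusted.get((account, device_id))
        return until is None or self._clock() >= until    # unknown device or trust expired

    def mark_trusted(self, account: str, device_id: str) -> None:
        self._trusted[(account, device_id)] = self._clock() + TRUST_SECONDS

    def authorize(self, account: str, secret: bytes, device_id: str,
                  operation: str = "login", code: str = None) -> bool:
        """True if the operation may proceed; a valid code on login trusts the device."""
        if not self.requires_code(account, device_id, operation):
            return True
        if code is None or not verify_totp(secret, code, int(self._clock())):
            return False
        if operation == "login":
            self.mark_trusted(account, device_id)
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 reference secret, for demonstration only
    print("enter in the app:", provisioning_secret(secret))
    clock = FakeClock(1111111109)
    policy = SecondFactorPolicy(clock)
    print("code now:", totp(secret, int(clock())))
    print("login without code:", policy.authorize("alice", secret, "laptop-1"))
    print("login with code:", policy.authorize("alice", secret, "laptop-1", "login", totp(secret, int(clock()))))
    print("second login same device:", policy.authorize("alice", secret, "laptop-1"))
    print("change email needs code:", policy.requires_code("alice", "laptop-1", "change_email"))
```

The device identifier here is whatever the server decides to remember (the HWID the thread discusses, or a random token issued at first login); the trust table is server-side, so a client that fakes a known ID still has to present a valid code until the server has seen it once.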
emanuel 18 (Author) Posted March 8, 2018
And a 100% solution for this?
tierrilopes 452 Posted March 8, 2018
There is no 100% solution for anything when security is the goal. There are always ways to improve security, as there are ways to bypass it.
Metin2 Dev 4887 Posted March 8, 2018
Change the packet names, encrypt the packets better, nop out the function that gives information to Python like "yes, the data was right, the user will be logged in now". But you won't find a 100% solution here, unless you program a server-side captcha that is encrypted and is shown after 5 fails. I hope I am not that wrong.
Kind regards, Cyber
Predator™ 37 Posted March 8, 2018
Buy Brute Force 750 and solve it yourself: https://www.youtube.com/watch?v=OxQpGpFSZWw
Tasho 243 Posted March 8, 2018
I think he's talking about this video. You can't block it 100%.
tierrilopes 452 Posted March 8, 2018
Read the whole topic and start implementing the stuff; brute force will have zero effect.
emanuel 18 (Author) Posted March 8, 2018
10 hours ago, Tasho said: I think he's talking about this video. You can't block it 100%.
Right.