Module: Authlogic::Session::BruteForceProtection
Included in: Base
Defined in: lib/authlogic/session/brute_force_protection.rb
Overview
Brute Force Protection
A brute force attack is executed by hammering a login with as many password guesses as possible until one works. It is generally combated with a slow hashing algorithm such as BCrypt. You can increase the cost, which makes each hash computation slower and ultimately increases the time it takes to execute a brute force attack. To put this into perspective, if an attacker gained access to your server and ran the attack locally, with no network lag, a reasonably strong password would still take decades to find. Add the network lag of an attacker working remotely, and it would take centuries. Keep in mind that the hash cost mostly bounds offline guessing against a stolen hash; for guesses sent to the live login form, the server decides how many attempts it will even accept, and that is the gap this module closes.
But for those who are extra paranoid and can't get enough protection, why not stop the attacker as soon as you realize something isn't right? That's what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50: if someone fails to log in 50 times in a row, the account is suspended. This is a very liberal number, and at that point it should be obvious that something is not right. The count is kept per account in the record's failed_login_count field, so your user model needs that column. Note also that a per-account lockout can be turned against your users: anyone who knows a login name can lock that account by failing on purpose, so pick a limit with that in mind. If you wish to lower the limit, set the configuration option to a lower number:
class UserSession < Authlogic::Session::Base
consecutive_failed_logins_limit 10
end
Class Method Summary
Instance Method Summary
- #reset_failed_login_count ⇒ Object
  Resets the failed_login_count for the associated record, allowing that account to start at 0 and continue trying to log in.
Class Method Details
.included(klass) ⇒ Object
# File 'lib/authlogic/session/brute_force_protection.rb', line 20
def self.included(klass)
  klass.validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
  klass.validate :increase_failed_login_count, :if => :protect_from_brute_force_attacks?
  klass.after_save :reset_failed_login_count, :if => :protect_from_brute_force_attacks?
end
Instance Method Details
#reset_failed_login_count ⇒ Object
Resets the failed_login_count for the associated record to 0, allowing that account to start over and continue trying to log in. Once an account exceeds the limit, the only way it will be able to log back in is if you execute this method, which merely resets the failed_login_count field to 0. It is also registered as an after_save callback, so a successful login clears the counter automatically.
# File 'lib/authlogic/session/brute_force_protection.rb', line 29
def reset_failed_login_count
  record.failed_login_count = 0
end
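The lockout cycle wired up by included(klass) and cleared by #reset_failed_login_count, as an added example that is not Authlogic's own code: a plain-Ruby model of a record carrying a failed_login_count field and a session class whose validations run in the same order as the three callbacks registered above, so the behaviour can be exercised without Rails or a database. FakeRecord, FakeSession, run_scenario and the sample credentials are constructed for this illustration and are assumptions, not Authlogic API; the record hashes with SHA-256 only so the example runs on the standard library alone.

```ruby
# Added example, not Authlogic's own code: a plain-Ruby model of the
# validate / validate / after_save cycle this module registers, runnable
# without Rails or a database. FakeRecord, FakeSession and run_scenario
# are names assumed for this illustration.
require "digest"

# Stands in for the user model. The only thing the module needs from the
# record is a failed_login_count attribute it can read, increment and reset.
class FakeRecord
  attr_accessor :failed_login_count
  attr_reader :login

  def initialize(login, password)
    @login = login
    @failed_login_count = 0
    # Constructed sample credential. A real application stores a slow
    # BCrypt hash; plain SHA-256 is used only so this runs on stdlib alone.
    @digest = Digest::SHA256.hexdigest(password)
  end

  def valid_password?(candidate)
    Digest::SHA256.hexdigest(candidate.to_s) == @digest
  end
end

# Stands in for UserSession. The three methods correspond to the three
# callbacks registered in included(klass), and #save runs them in the
# same order: refuse if already over the limit, count a bad password,
# and clear the counter only after a successful save.
class FakeSession
  attr_reader :record, :errors

  # Class-level setting, like the consecutive_failed_logins_limit macro;
  # 50 is the default the documentation describes.
  def self.consecutive_failed_logins_limit(limit = nil)
    @limit = limit unless limit.nil?
    @limit || 50
  end

  def initialize(record, password)
    @record = record
    @password = password
    @errors = []
  end

  # validate :validate_failed_logins
  def validate_failed_logins
    return if record.failed_login_count < self.class.consecutive_failed_logins_limit
    errors << "Consecutive failed logins limit exceeded, account is disabled."
  end

  # validate :increase_failed_login_count
  def increase_failed_login_count
    return if record.valid_password?(@password)
    record.failed_login_count += 1
    errors << "Password is not valid"
  end

  # after_save :reset_failed_login_count
  def reset_failed_login_count
    record.failed_login_count = 0
  end

  # Returns true on a successful login, false otherwise.
  def save
    validate_failed_logins
    increase_failed_login_count if errors.empty?
    return false unless errors.empty?
    reset_failed_login_count
    true
  end
end

# Scenario driver: `wrong_attempts` bad guesses against a constructed user,
# then one attempt with the real password. When unlock_first is true an
# operator resets the counter before the real attempt, which is the only
# way back in once the limit has been hit. Returns [logged_in, count].
def run_scenario(limit:, wrong_attempts:, unlock_first: false)
  session_class = Class.new(FakeSession) { consecutive_failed_logins_limit limit }
  user = FakeRecord.new("alice", "correct horse battery staple")
  wrong_attempts.times { session_class.new(user, "hunter2").save }
  session_class.new(user, nil).reset_failed_login_count if unlock_first
  logged_in = session_class.new(user, "correct horse battery staple").save
  [logged_in, user.failed_login_count]
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(limit: 10, wrong_attempts: 3)                      # => [true, 0]
  p run_scenario(limit: 10, wrong_attempts: 10)                     # => [false, 10]
  p run_scenario(limit: 10, wrong_attempts: 10, unlock_first: true) # => [true, 0]
end
```

The second scenario is the point of the module: once the counter has reached the limit, even the correct password is refused, and the counter is not cleared by the after_save hook because the save never succeeds. Only the explicit reset in the third scenario lets the real user back in.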