Module: Authlogic::Session::BruteForceProtection

Included in:
Base
Defined in:
lib/authlogic/session/brute_force_protection.rb

Overview

Brute Force Protection

A brute force attack is executed by hammering a login with as many password combinations as possible until one works. A brute force attack is generally combated with a slow hashing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower and ultimately increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker were to gain access to your server and execute a brute force attack locally, meaning there is no network lag, it would take decades to complete. Now throw in network lag for hackers executing this attack over a network, and it would take centuries.

But for those who are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50: if someone consecutively fails to log in 50 times, their account will be suspended. This is a very liberal number, and at this point it should be obvious that something is not right. If you wish to lower this number, just set the configuration to a lower value:

class UserSession < Authlogic::Session::Base
  consecutive_failed_logins_limit 10
end

Class Method Summary

Instance Method Summary

Class Method Details

.included(klass) ⇒ Object

# File 'lib/authlogic/session/brute_force_protection.rb', line 20

def self.included(klass)
  # Reject the login outright once the record's failed_login_count has reached the limit.
  klass.validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
  # Bump the counter on every failed login attempt.
  klass.validate :increase_failed_login_count, :if => :protect_from_brute_force_attacks?
  # A successful login (the session saved) clears the counter.
  klass.after_save :reset_failed_login_count, :if => :protect_from_brute_force_attacks?
end

Instance Method Details

#reset_failed_login_count ⇒ Object

This allows you to reset the failed_login_count for the associated record, allowing that account to start at 0 and continue trying to log in. So, if an account exceeds the limit, the only way they will be able to log back in is if you execute this method, which merely resets the failed_login_count field to 0.

# File 'lib/authlogic/session/brute_force_protection.rb', line 29

def reset_failed_login_count
  # Clear the counter on the associated user record so the account can log in again.
  record.failed_login_count = 0
end
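The following is an added example, not Authlogic's own code, that shows how the three callbacks registered in `included` and the `reset_failed_login_count` method documented above work together. It simulates the flow without ActiveRecord: `FakeUser`, `Session`, `valid_password?` and the SHA-256 digest are assumptions made for this stand-alone demo (Authlogic would use its configured crypto provider, BCrypt by default), and the sample credentials are constructed.

```ruby
require "digest"

# Stand-in for the persisted user record. Authlogic expects a
# failed_login_count column on the model; that is the only state used here.
class FakeUser
  attr_accessor :failed_login_count
  attr_reader :login

  def initialize(login, password)
    @login = login
    # Constructed sample credential; SHA-256 is used only to keep this demo
    # dependency-free. A real app would use a slow hash such as BCrypt.
    @password_digest = Digest::SHA256.hexdigest(password)
    @failed_login_count = 0
  end

  def valid_password?(candidate)
    Digest::SHA256.hexdigest(candidate) == @password_digest
  end
end

# Minimal session modelled on Authlogic::Session::BruteForceProtection.
class Session
  # Mirrors the consecutive_failed_logins_limit option (Authlogic's default is 50).
  @limit = 50
  class << self
    def consecutive_failed_logins_limit(value = nil)
      @limit = value if value
      @limit
    end
  end

  attr_reader :record, :errors

  def initialize(record, password)
    @record = record
    @password = password
    @errors = []
  end

  # Runs the callbacks in the order Authlogic registers them:
  # validate_failed_logins, increase_failed_login_count, then the after_save reset.
  # Returns true when the login succeeded, false otherwise.
  def save
    validate_failed_logins
    return false unless errors.empty?
    increase_failed_login_count
    return false unless errors.empty?
    reset_failed_login_count # after_save: a successful login clears the counter
    true
  end

  # Refuse the attempt once the counter has reached the limit, even if the
  # password supplied this time is correct.
  def validate_failed_logins
    if record.failed_login_count >= self.class.consecutive_failed_logins_limit
      errors << "Consecutive failed logins limit exceeded, account is temporarily disabled."
    end
  end

  # Simplification: the password check lives here so a failed attempt and the
  # counter increment happen in one step.
  def increase_failed_login_count
    return if record.valid_password?(@password)
    record.failed_login_count += 1
    errors << "Password is not valid"
  end

  # Same behaviour as the documented method: an administrator calls this to
  # let a locked-out account try again.
  def reset_failed_login_count
    record.failed_login_count = 0
  end
end

if __FILE__ == $PROGRAM_NAME
  Session.consecutive_failed_logins_limit 3
  user = FakeUser.new("demo", "correct horse")
  4.times { |i| puts "attempt #{i + 1}: #{Session.new(user, 'wrong').save ? 'ok' : 'rejected'}" }
  puts "count after lockout: #{user.failed_login_count}"
end
```

The lock is a property of the record, not the session: once the counter has hit the limit, `validate_failed_logins` fails before the password is ever compared, which is why a correct password no longer helps and why resetting the counter is the only way back in. Note that the per-account counter is a lockout control, so on its own it can be turned into a denial of service against a targeted user; Authlogic pairs the counter with a slow hash for that reason, and the limit should be chosen with that trade-off in mind.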