
I'm trying to block access to my website if the user tries to log in more than 6 times. I'm currently using this code to get the client IP address to block his access:

// Address of the client that made the current request (System.Web).
// Dns.GetHostName() would resolve the web server's own name, not the client's.
string clientIPAddress = System.Web.HttpContext.Current.Request.UserHostAddress;

The problem is that this will return the public IP address. If I use this address I may be blocking access to the whole client network.

Is there any way I can block only the user that is making the login attempts?

robert
  • Are you trying to block access for 6 failed attempts of login for the same account name? – Karl Anderson Aug 01 '13 at 15:30
  • Is it against hackers? – argaz Aug 01 '13 at 15:31
  • The attempts are regardless of the account name. – robert Aug 01 '13 at 15:33
  • Why do you care where the login came from? Assuming you get this right, it can be easily worked around by using a different PC or if they're able to acquire a different IP address. – Jason Aug 01 '13 at 15:34
  • Yes, but this will prevent automated brute force attacks. – robert Aug 01 '13 at 15:37
  • Check out http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication for other methods of preventing brute force attacks. – argaz Aug 01 '13 at 16:13
  • Also http://security.stackexchange.com/questions/10305/with-which-algorithm-i-can-prevent-a-brute-force-on-a-login deals with this topic. – argaz Aug 01 '13 at 16:37
  • So there is no way to block a specific user using the IP address or any other identifier? – robert Aug 01 '13 at 16:38
  • Yes, since IP is the only identifier that is sent to you that is unforgeable. You can block the IP but as you know, the same IP can belong to other users. – argaz Aug 01 '13 at 17:00

1 Answer

Short answer: no. Most other stuff you could verify in request headers would be spoofable by the client browser and thus easily changed.

The best way would be to hamper login attempts from the same IP address/range, rather than block. You could introduce an artificial delay once there have been a number of recent incorrect login attempts from the same IP. For example, log each attempt server side and check this log on each subsequent login attempt - if there have been more than 5 failed logins within the last 2 minutes, make your application wait 2 seconds before returning a response. This would significantly reduce the effectiveness of any automated brute force attack, while allowing a legitimate user on the same public IP to gain access to their account.

SilverlightFox
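The delay scheme from the answer, as an added C# example that is not part of the original post: failed logins are recorded per client IP, and once more than 5 fall inside a 2-minute window every further request from that IP waits 2 seconds before the credentials are even checked. It assumes the caller passes Request.UserHostAddress (behind a reverse proxy that is the proxy's address, and any forwarded-for header is client-supplied and must not be trusted as-is) and that an in-process store is acceptable for a single-server site.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading;

// Per-IP throttle for the scheme in the answer: record failed logins, and once
// more than MaxFailures fall inside Window, delay every further response.
// The store is per process; a web farm would need a shared store instead.
public sealed class LoginThrottle
{
    private const int MaxFailures = 5;                                 // failures tolerated
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(2);  // sliding window
    private static readonly TimeSpan Delay = TimeSpan.FromSeconds(2);   // artificial delay

    private readonly ConcurrentDictionary<string, List<DateTime>> _failures =
        new ConcurrentDictionary<string, List<DateTime>>();

    // Call after an incorrect password. Entries older than Window are pruned so
    // the list stays small even under a long-running brute-force attempt.
    public void RecordFailure(string clientIp)
    {
        var list = _failures.GetOrAdd(clientIp, _ => new List<DateTime>());
        lock (list)
        {
            DateTime now = DateTime.UtcNow;
            list.RemoveAll(t => now - t > Window);
            list.Add(now);
        }
    }

    // Call after a successful login so a legitimate user behind a shared IP
    // is not penalised for someone else's earlier failures.
    public void Reset(string clientIp) => _failures.TryRemove(clientIp, out _);

    // True when more than MaxFailures failures fell inside the window.
    public bool IsThrottled(string clientIp)
    {
        List<DateTime> list;
        if (!_failures.TryGetValue(clientIp, out list)) return false;
        lock (list) { DateTime now = DateTime.UtcNow; return list.Count(t => now - t <= Window) > MaxFailures; }
    }

    // Call at the top of the login handler, before checking credentials,
    // e.g. throttle.DelayIfThrottled(Request.UserHostAddress) (assumed usage).
    public void DelayIfThrottled(string clientIp) { if (IsThrottled(clientIp)) Thread.Sleep(Delay); }
}
```

A single LoginThrottle instance should be shared across requests (for example a static field), otherwise each request starts with an empty log.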