Well, I was in the shower thinking of my vacation on December 27th and I ended up thinking of a way to fight off sniffing of log-in attempts.
The idea is really simple which revolves around one word: Random.
Here’s the idea:
1) Server generates two random names.
2) These two names are stored in a table in some database with aging timestamps.
3) The server prints out the log-in form with the username/password inputs named after these two random names.
4) The user (client) POSTs the two parameters.
5) The server looks the entry up in the table and checks that the random names are stored there and that the entry has not expired.
6) Server authenticates accordingly.
Explaining more:
Here’s a simple log-in form:
<form id="submitForm" method="post" action="index.php?com=login">
    <label>Username</label> <input name="username" value=""><br>
    <label>Password</label> <input type="password" name="password" value=""><br>
    <br><br>
    <input type="submit" value="Submit">
</form>
So when you send out the POST parameters with your username and password, the traffic will look something like this:
username=WHATEVERUSERNAME
password=YOURLAMEPASSWORD
So, why not give these inputs random names that only the server can map back, and regenerate the names every given period (I think a minute is enough)?
So you’ll end up seeing something like this:
<form id="submitForm" method="post" action="index.php?com=login">
    <label>Username</label> <input name="J0tPRf" value=""><br>
    <label>Password</label> <input type="password" name="NjGc6T" value=""><br>
    <br><br>
    <input type="submit" value="Submit">
</form>
Where the passing parameters will look like this:
J0tPRf=WHATEVERUSERNAME
NjGc6T=YOURLAMEPASSWORD
This way, you not only have to guess the user’s password, you also have to guess the parameter names to send.
The only disadvantage is probably bloating your database with entries (which can be handled with a small cronjob that runs every few minutes to clear out the dead attempts).
This is only an initial version; I’m working on another concept, coming soon, that adds another thing to confuse brute-forcers.
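To make steps 1 to 6 and the cleanup job concrete, here is an added Python sketch of the server side. It is not the PHP from the zip: an in-memory dict stands in for the SQL table, the names FieldNameStore, handle_login and render_form are mine, and the clock is injectable so expiry can be exercised without waiting a minute. Beyond the post, an issued name pair is also consumed on first use, so the same pair cannot be replayed.

```python
import secrets
import time

NAME_TTL_SECONDS = 60   # the post suggests regenerating roughly every minute
NAME_LENGTH = 6         # matches the J0tPRf / NjGc6T style names in the post

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def random_field_name(length=NAME_LENGTH):
    """Step 1: a random input name; first char is a letter so it is a valid HTML name."""
    first = secrets.choice(ALPHABET[:52])
    rest = "".join(secrets.choice(ALPHABET) for _ in range(length - 1))
    return first + rest


class FieldNameStore:
    """Hypothetical stand-in for the post's database table of (names, timestamp)."""

    def __init__(self, ttl=NAME_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        # user_field -> (pass_field, created_at); step 2's "aging timestamp"
        self.entries = {}

    def issue(self):
        """Steps 1-2: generate a distinct pair and record when it was issued."""
        user_field = random_field_name()
        pass_field = random_field_name()
        while pass_field == user_field or user_field in self.entries:
            user_field, pass_field = random_field_name(), random_field_name()
        self.entries[user_field] = (pass_field, self.clock())
        return user_field, pass_field

    def consume(self, user_field, pass_field):
        """Step 5: the pair must be on file, match, and be younger than the TTL.
        The entry is removed either way, so a pair is single-use."""
        record = self.entries.pop(user_field, None)
        if record is None:
            return False
        stored_pass_field, created_at = record
        if stored_pass_field != pass_field:
            return False
        return (self.clock() - created_at) <= self.ttl

    def purge_expired(self):
        """The post's cronjob: drop entries older than the TTL; returns how many."""
        now = self.clock()
        dead = [k for k, (_, t) in self.entries.items() if now - t > self.ttl]
        for k in dead:
            del self.entries[k]
        return len(dead)


def render_form(user_field, pass_field):
    """Step 3: the form with the inputs named after the issued pair."""
    return (
        '<form id="submitForm" method="post" action="index.php?com=login">\n'
        f'    <label>Username</label> <input name="{user_field}" value=""><br>\n'
        f'    <label>Password</label> <input type="password" name="{pass_field}" value=""><br>\n'
        '    <input type="submit" value="Submit">\n'
        "</form>\n"
    )


def handle_login(store, posted, check_credentials):
    """Steps 4-6: find the issued pair among the POSTed keys, validate it, then authenticate.
    Returns one of: ok, bad_credentials, stale_form, unknown_fields."""
    matches = [name for name in posted if name in store.entries]
    if len(matches) != 1:
        return "unknown_fields"
    user_field = matches[0]
    pass_field = store.entries[user_field][0]
    if pass_field not in posted:
        return "unknown_fields"
    if not store.consume(user_field, pass_field):
        return "stale_form"
    ok = check_credentials(posted[user_field], posted[pass_field])
    return "ok" if ok else "bad_credentials"


if __name__ == "__main__":
    # Constructed demo: one round trip with a fixed credential checker
    store = FieldNameStore()
    uf, pf = store.issue()
    print(render_form(uf, pf))
    creds = lambda u, p: (u, p) == ("alice", "correct horse")
    print(handle_login(store, {uf: "alice", pf: "correct horse"}, creds))
    print(handle_login(store, {"username": "alice", "password": "x"}, creds))
```

A request that still posts `username`/`password` is rejected before the credential check runs, and a pair that has aged past the TTL is rejected as stale even when the credentials would be right, which is the behaviour the cronjob relies on.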
Here’s the zipped file that contains the following:
* login.sql: An SQL dump of the database
* config.php: Where it stores database credentials. Change values according to your settings if you’re going to test it out.
* parse_commands.php: Where the magic happens
* index.php: The starting point of the whole magic 😀
I’ve documented the code as much as I can. Enjoy~