PHP: Anti-Flood/Spam system

南笙 2021-02-04 11:17

I'm actually working on a PHP project that will feature a user system (Login, Register, Send lost password to email,..) and I think that this may be very vulnerable to Brute-Forc

6 Answers
  •  误落风尘
    2021-02-04 11:50

    Don't try to implement all the logic in your PHP - the lower in your stack you can implement it, the more efficiently it can be dealt with.

    Most firewalls (including iptables on BSD/Linux) have connection throttling. Also, have a look at mod_security for DDOS/brute force attack prevention.

    You should design your application around the idea that these kinds of attacks will not give the attacker access to the app - at the end of the day there's no way you can prevent a DOS attack, although you can limit its effectiveness.

    There's not a lot of value in relying on a consistent IP address from your attacker - there are lots of ways of getting around that.

    e.g. keep track of the number of password reset requests between logins by each user. In your password reset form, respond (to the client) in exactly the same way if the user submits an unknown email address. Log invalid email addresses.

    HTH

    C.
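
The password-reset advice in the answer above (count requests per user between logins, reply identically for unknown addresses, log the invalid ones), as an added example that is not part of the original post. The `users` table, the `resets_since_login` column, the limit of 3 and the `sendResetMail` mailer are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; the table, column names and limit are assumptions.
const MAX_RESETS_BETWEEN_LOGINS = 3;

function requestPasswordReset(PDO $db, string $email): string
{
    // One reply for every outcome, so the form cannot confirm which addresses exist.
    $reply = 'If that address is registered, a reset link has been sent.';

    $stmt = $db->prepare('SELECT id, resets_since_login FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Unknown address: log server side (JSON-encoded to keep the log line intact).
        error_log('password reset for unknown email: ' . json_encode($email));
        return $reply;
    }
    if ((int) $user['resets_since_login'] >= MAX_RESETS_BETWEEN_LOGINS) {
        error_log('password reset throttled for user id ' . $user['id']);
        return $reply;
    }

    $db->prepare('UPDATE users SET resets_since_login = resets_since_login + 1 WHERE id = ?')
       ->execute([$user['id']]);
    // sendResetMail(...) would go here: hypothetical mailer, not shown.
    return $reply;
}

// Call on every successful login, so the counter only spans the gap between logins.
function onSuccessfulLogin(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET resets_since_login = 0 WHERE id = ?')->execute([$userId]);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, resets_since_login INTEGER DEFAULT 0)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.test')");

// Four requests for a known account (the fourth is throttled), then an unknown address.
$mails = array_merge(array_fill(0, 4, 'alice@example.test'), ['nobody@example.test']);
foreach ($mails as $mail) {
    echo requestPasswordReset($db, $mail), PHP_EOL;
}
```

All five requests print the same reply; only the server log distinguishes them. Sending the mail from a queue keeps response time the same for known and unknown addresses as well.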
