PHPSESSID Brute force

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: PHPSESSID Brute force
« Reply #30, on August 25th, 2012, 12:36 AM »
Quote: - Range can even be country-based...
For now. IPv4 country lists are going to start to become more and more confused as the world is just not ready for IPv6 and we'll see more and more blocks change hands.
Quote: Since most spammers are from a different country than the 'expected one', it could be an okay solution. After all, do you know of many people who would move to another continent while their session is opened..?
Some of the big IPs have been known to change all four octets of an IPv4 between requests. It happens a lot less now but it's not unheard of. We simply cannot use it.
Quote: Thing is, you tend to go a bit much these days for what seems to have become your favorite Wargames quote
No, it's not because the only winning move is not to play. There are reasons why this stuff isn't in SMF or Wedge. If I genuinely thought for one moment that IP binding of any shape or form was even remotely practical for anything, I'd have implemented it. As it stands I still need to remove the ban system, because IP bans are so ridiculously broken it's incredible, and not only because there's no IPv6 support.

You do remember what happened with SMF Hacks, right? Where he put a ban on my IP address and ended up losing so many legitimate customers because of it?

I even contemplated actually removing any kind of IP address tracking from Wedge at one point, only to realise that people would expect it to be there and no matter how much I shouted that it doesn't work, people wouldn't listen. There are a precious few cases where it does work (i.e. whitelisting for search engines against known IP address blocks) but for anything else it simply should not be used.

Where we are with it is about the best we can realistically be, because while I'm all for keeping things secure, I'm not going to make it more secure for some and generate MASSES of bug reports for 'it doesn't work'. Because I can't in good conscience turn around and say it's by design, when all it's demonstrating is how the design is wrong.

The ONLY way I'd support it is if it were implemented as an option but not allow it in the actual admin panel itself. That way only the people who actually understood the implications would be able to turn it on in the first place.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial
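An added example, not Wedge's or SMF's own code, of the "option, but not in the admin panel" approach described in the post above. It is in PHP because that is what SMF and Wedge are written in; the constant SESSION_BIND_TO_CLIENT and the two function names are assumptions. It binds a session to a coarse client fingerprint only when a constant in the settings file is set, so nobody can flip it on from the admin UI without reading the caveat. The caveat from the thread still applies: a provider that changes the whole address between requests will still get its users logged out, which is exactly why it defaults to off.

```php
<?php
// Example code (assumed names, not Wedge/SMF code): opt-in session binding
// controlled by a constant that would live in the settings file, never in
// the admin panel. Off unless someone deliberately defines it as true.
if (!defined('SESSION_BIND_TO_CLIENT')) {
    define('SESSION_BIND_TO_CLIENT', false);
}

/**
 * Coarse client fingerprint. Binds to the /24 (IPv4) or /64 (IPv6) prefix
 * rather than the exact address so that address churn inside one provider's
 * block does not log users out. As the thread notes, some providers change
 * all four octets between requests; that case is not rescued by this and is
 * the reason the feature stays disabled by default. The User-Agent is mixed
 * in as well, but it is trivially forged, so it adds little on its own.
 */
function session_client_fingerprint(string $ip, string $userAgent): string
{
    $packed = inet_pton($ip);
    if ($packed === false) {
        $prefix = $ip;                    // unparseable: bind to the literal
    } elseif (strlen($packed) === 4) {
        $prefix = substr($packed, 0, 3);  // IPv4 /24
    } else {
        $prefix = substr($packed, 0, 8);  // IPv6 /64
    }
    return hash('sha256', bin2hex($prefix) . "\0" . $userAgent);
}

/**
 * Call once per request, right after session_start(). Returns true when the
 * session is acceptable and false when it was bound to a different client,
 * in which case the session data has already been discarded.
 */
function session_check_binding(): bool
{
    if (!SESSION_BIND_TO_CLIENT) {
        return true;  // feature off: behave exactly as before
    }

    $fp = session_client_fingerprint(
        $_SERVER['REMOTE_ADDR'] ?? '',
        $_SERVER['HTTP_USER_AGENT'] ?? ''
    );

    if (!isset($_SESSION['client_fp'])) {
        $_SESSION['client_fp'] = $fp;  // first sight of this session: bind it
        return true;
    }

    if (!hash_equals($_SESSION['client_fp'], $fp)) {
        // Mismatch: refuse the session instead of trusting it. Log it so the
        // "it doesn't work" reports can be diagnosed rather than argued about.
        error_log('session binding mismatch for session ' . session_id());
        $_SESSION = [];
        session_regenerate_id(true);
        return false;
    }
    return true;
}
```

In use, `session_check_binding()` would be called from the same place the forum currently loads the session, and a `false` return treated as "not logged in". Because the binding is only stored after the first request, enabling the constant on a live site does not immediately invalidate existing sessions; they get bound on their next request.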

Nao

  • Dadman with a boy
  • Posts: 16,063
Re: PHPSESSID Brute force
« Reply #31, on August 25th, 2012, 07:57 AM »
That's all I'm saying... An option, disabled by default ;)

(Removing the ban system? You mean the IP ban system, right...?)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278