Re-implementing LastLog - Part II
In the last article I discussed the concept and the uses of the last log.

Now it's time to re-implement it in Rosemary using NoSQL databases.

Since the session module used in Rosemary already benefits from Redis, this time I'll leave the last log alone and implement the brute-force fences via Redis.

Introduction to Redis db

Did I mention this blog uses Redis? Redis is a data-structure server. The primary idea is that the db operates in memory and can also persist to storage, which would allow me to further expand the session module to SSO [1] or even stay logged on across browsers without cookies (theoretically possible, but I haven't thought it through yet). It also natively offers data expiration, which fits this scenario perfectly.


I could also reduce the status field in the last log collection [2] to effectively only success or failure. Brute forcing happens at a very fast rate, so frequently querying a general-purpose database does not seem practical. Since Redis is so good at this task, I'll give it that job.

Lifespan

The lifespan mechanism is handled by automatic expiration of the data. I have written a demo to fiddle with:
[Interactive demo: current state (Good), settings Lifespan and Cooldown; a table of stored flags with columns Property name, Value, Expires On]
Well, that took me an unnecessary 1.5 hours to draft that little interactive demo. But I hope it gives you a better sense of how this thing works.

Description of the demo

Clicking Add a failed attempt simulates a failed login attempt. The right panel shows the flags stored in the database. When the number of failed login attempts reaches a threshold (Suspicious), it switches to a tightened security mode, which has 2 phases of cooldown. The Suspicious cooldown gets longer the more times this IP has failed.

The cooldown for banned mode will generally be shorter, since the purpose of banning is to reduce the number of actual auth checks performed for a potential brute-force attack. In the demo the lifespan is set to 10 seconds and the cooldown is set to 5 seconds.
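The two-phase fence described above, written out as an added example that is not Rosemary's own code. It uses the demo's values (lifespan 10 s, cooldown 5 s) and relies purely on key expiry, so there is no cleanup job; the threshold of 5 failures, the 600 s strike memory, the key names (`fails:<ip>`, `strikes:<ip>`, `suspicious:<ip>`, `banned:<ip>`), the sliding failure window (EXPIRE re-applied on every failure) and the rule that a failure during the Suspicious cooldown triggers the ban are my assumptions. `FakeRedis` is an in-memory stand-in for the handful of redis-py calls the fence needs, with an injectable clock so expiry can be driven deterministically; a real `redis.Redis(decode_responses=True)` client is meant to be a drop-in replacement.

```python
import math
import time


class ManualClock:
    """Injectable clock so expiry can be driven deterministically in a demo or test."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeRedis:
    """In-memory stand-in for the redis-py calls the fence uses (GET, SET ... EX,
    INCR, EXPIRE, TTL, DEL) with Redis expiry semantics. Assumption: a real
    redis.Redis(decode_responses=True) client behaves the same for these calls."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}  # key -> (value, expire_at or None)

    def _live(self, key):
        item = self._data.get(key)
        if item is not None and item[1] is not None and self._clock() >= item[1]:
            del self._data[key]  # lazy expiry on access, as Redis does
            return None
        return item

    def get(self, key):
        item = self._live(key)
        return None if item is None else item[0]

    def set(self, key, value, ex=None):
        self._data[key] = (str(value), None if ex is None else self._clock() + ex)
        return True

    def incr(self, key):
        item = self._live(key)
        value, expire_at = (0, None) if item is None else (int(item[0]), item[1])
        self._data[key] = (str(value + 1), expire_at)  # INCR keeps the existing TTL
        return value + 1

    def expire(self, key, seconds):
        item = self._live(key)
        if item is None:
            return False
        self._data[key] = (item[0], self._clock() + seconds)
        return True

    def ttl(self, key):
        item = self._live(key)
        if item is None:
            return -2  # Redis: key does not exist
        if item[1] is None:
            return -1  # Redis: key has no expiry
        return math.ceil(item[1] - self._clock())

    def delete(self, *keys):
        removed = 0
        for key in keys:
            if self._live(key) is not None:
                del self._data[key]
                removed += 1
        return removed


class BruteForceFence:
    """Per-IP fence built only on key expiry.
    good       : no flags set
    suspicious : THRESHOLD failures inside LIFESPAN; cooldown grows with the strike count
    banned     : a failure during the suspicious cooldown; the password check is skipped
    LIFESPAN and COOLDOWN are the demo's values; THRESHOLD and STRIKE_MEMORY are assumptions."""

    LIFESPAN = 10        # seconds a single failed attempt keeps counting
    COOLDOWN = 5         # base cooldown in seconds (also the ban length)
    THRESHOLD = 5        # failures inside LIFESPAN before the ip becomes suspicious
    STRIKE_MEMORY = 600  # how long earlier suspicious episodes keep lengthening the cooldown

    def __init__(self, redis):
        self.r = redis

    def status(self, ip):
        if self.r.get(f"banned:{ip}") is not None:
            return "banned"
        if self.r.get(f"suspicious:{ip}") is not None:
            return "suspicious"
        return "good"

    def should_check_password(self, ip):
        """Call before touching the user store: a banned ip never reaches the auth check."""
        return self.status(ip) != "banned"

    def record_failure(self, ip):
        state = self.status(ip)
        if state == "banned":
            return "banned"  # nothing was checked, nothing new to count
        if state == "suspicious":
            # phase 2: short ban during which no auth check is performed at all
            self.r.set(f"banned:{ip}", "1", ex=self.COOLDOWN)
            return "banned"
        fails = self.r.incr(f"fails:{ip}")
        self.r.expire(f"fails:{ip}", self.LIFESPAN)  # each failure only counts for LIFESPAN
        if fails < self.THRESHOLD:
            return "good"
        # phase 1: tightened mode; the cooldown grows with every strike this ip has collected
        strikes = self.r.incr(f"strikes:{ip}")
        self.r.expire(f"strikes:{ip}", self.STRIKE_MEMORY)
        self.r.set(f"suspicious:{ip}", strikes, ex=self.COOLDOWN * strikes)
        self.r.delete(f"fails:{ip}")
        return "suspicious"

    def record_success(self, ip):
        # a real login clears the current episode but not the strike history
        self.r.delete(f"fails:{ip}", f"suspicious:{ip}")


def demo():
    """Walks one constructed ip through good -> suspicious -> banned and back; returns the trace."""
    clock = ManualClock()
    fence = BruteForceFence(FakeRedis(clock))
    ip = "203.0.113.7"  # constructed sample address (TEST-NET-3)
    trace = [fence.record_failure(ip) for _ in range(5)]  # good x4, then suspicious
    trace.append(fence.record_failure(ip))                 # failure while suspicious: banned
    trace.append(fence.should_check_password(ip))          # False: auth is skipped
    clock.advance(fence.COOLDOWN)                          # ban and first cooldown both lapse
    trace.append(fence.status(ip))                         # good
    for _ in range(5):
        fence.record_failure(ip)                           # second strike: cooldown doubles
    trace.append(fence.r.ttl(f"suspicious:{ip}"))          # 10
    fence.record_success(ip)
    trace.append(fence.status(ip))                         # good
    return trace


if __name__ == "__main__":
    print(demo())
```

Against a real Redis, wrap the INCR and EXPIRE pair in a transaction (`r.pipeline(transaction=True)`) or a short Lua script, otherwise a crash between the two calls leaves a counter with no TTL that never expires. Key the fence on the client address your proxy layer actually presents, and keep the cooldowns modest: many legitimate users can sit behind one NAT address, which is also why the ban phase here never exceeds the base cooldown.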

Now I just have to actually implement this on my blog.

Edit: ( 11 March, 2016 )
The mechanism is now implemented, you can now head to this blog's login page to try it out.
  1. Single Sign-on
  2. In MongoDB, a collection is the equivalent of a table in a SQL database.
斟酌 鵬兄
Thu Mar 10 2016 23:41:18 GMT+0000 (Coordinated Universal Time)
Last modified: Sat Apr 09 2022 12:52:10 GMT+0000 (Coordinated Universal Time)
Comments
No comments here.
Sorry, the Google reCAPTCHA service is blocked by the firewall here, so commenting is not possible.