Create a Secure Login System with Brute Force Protection
Protect your website from brute force attacks with IP-based rate limiting and Gmail alerts for suspicious login attempts.
Why Brute Force Protection is Essential
Brute force attacks are a method where hackers try multiple username and password combinations until they find the right one. Without proper protection, your website could fall victim to unauthorized access.
Building a Secure Login System
Here’s how you can create a secure login system in PHP to defend against brute force attacks. We’ll implement IP-based rate limiting and Gmail notifications for extra security.
Step 1: Store Login Attempts
Create a database table to track login attempts based on IP addresses. This allows you to detect and block repeated failed attempts.
CREATE TABLE login_attempts (
id INT AUTO_INCREMENT PRIMARY KEY,
ip_address VARCHAR(45) NOT NULL,
attempt_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
Step 2: Implement Rate Limiting
Limit the number of login attempts from a single IP address within a specific time frame. For example, block an IP after 5 failed attempts in 15 minutes.
// $pdo is an existing PDO connection to the database that holds login_attempts.
// Note: behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address.
$ip = $_SERVER['REMOTE_ADDR'];
$max_attempts = 5;
$time_frame = 15 * 60; // 15 minutes, in seconds
// Count this client's attempts inside the window (MySQL INTERVAL syntax).
$stmt = $pdo->prepare("SELECT COUNT(*) FROM login_attempts
WHERE ip_address = :ip AND attempt_time > NOW() - INTERVAL :time_frame SECOND");
$stmt->execute(['ip' => $ip, 'time_frame' => $time_frame]);
$attempt_count = (int) $stmt->fetchColumn();
if ($attempt_count >= $max_attempts) {
die("Too many login attempts. Please try again later.");
}
Step 3: Log Failed Attempts
Record each failed login attempt in the database. This data can be used to monitor suspicious activity.
$stmt = $pdo->prepare("INSERT INTO login_attempts (ip_address) VALUES (:ip)");
$stmt->execute(['ip' => $ip]);
Step 4: Notify Admin via Gmail
If an IP address exceeds the maximum allowed attempts, send an email notification to the admin.
if ($attempt_count >= $max_attempts) {
$to = "admin-email@gmail.com";
$subject = "Brute Force Attempt Detected";
$message = "Multiple failed login attempts detected from IP: " . $ip;
$headers = "From: security@yourdomain.com";
mail($to, $subject, $message, $headers);
}
Step 5: Block Suspicious IPs
For added security, block IPs with excessive failed attempts using .htaccess or a firewall.
// The .htaccess file must be writable by the web server user for this to work.
// "Deny from" is Apache 2.2 (mod_access_compat) syntax; Apache 2.4 uses mod_authz_core "Require" directives instead.
$block_file = fopen(".htaccess", "a");
fwrite($block_file, "Deny from " . $ip . "\n"); // "\n" (not "\\n") so each rule lands on its own line
fclose($block_file);
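The following added example (not code from the original post) ties Steps 1 to 4 together in the order a login handler should apply them: the rate-limit check runs before the password is verified, each failure is recorded once, and the admin alert fires only when the threshold is first crossed rather than on every later blocked request. It uses an in-memory SQLite database so it runs stand-alone (the SQL is portable to MySQL), a constructed bcrypt hash and client IP, and a `$notify` callable standing in for `mail()`; these are assumptions of the example, not part of the original.

```php
<?php
// Added example, not from the original post. Timestamps are written from PHP in UTC
// so the cutoff is computed the same way (portable across SQLite and MySQL).
const MAX_ATTEMPTS   = 5;
const WINDOW_SECONDS = 15 * 60;

function openDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');           // assumption: SQLite for an offline demo
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the post's table; INTEGER PRIMARY KEY is SQLite's auto-increment.
    $pdo->exec("CREATE TABLE login_attempts (
        id INTEGER PRIMARY KEY,
        ip_address VARCHAR(45) NOT NULL,
        attempt_time TIMESTAMP NOT NULL)");
    return $pdo;
}

function failedAttempts(PDO $pdo, string $ip): int {
    $cutoff = gmdate('Y-m-d H:i:s', time() - WINDOW_SECONDS);
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM login_attempts
        WHERE ip_address = :ip AND attempt_time > :cutoff");
    $stmt->execute(['ip' => $ip, 'cutoff' => $cutoff]);
    return (int) $stmt->fetchColumn();
}

function recordFailure(PDO $pdo, string $ip): void {
    $stmt = $pdo->prepare("INSERT INTO login_attempts (ip_address, attempt_time) VALUES (:ip, :t)");
    $stmt->execute(['ip' => $ip, 't' => gmdate('Y-m-d H:i:s')]);
}

// Returns 'blocked' (limit reached), 'ok' (password correct) or 'denied' (wrong password).
function attemptLogin(PDO $pdo, string $ip, string $password, string $storedHash, callable $notify): string {
    if (failedAttempts($pdo, $ip) >= MAX_ATTEMPTS) {
        return 'blocked';                        // refuse before touching the password hash
    }
    if (password_verify($password, $storedHash)) {
        return 'ok';
    }
    recordFailure($pdo, $ip);
    if (failedAttempts($pdo, $ip) === MAX_ATTEMPTS) {   // alert once, when the limit is hit
        $notify("Brute Force Attempt Detected", "Multiple failed login attempts from IP: $ip");
    }
    return 'denied';
}

// Demo: constructed hash, constructed client IP (TEST-NET-3), seven wrong passwords in a row.
$pdo    = openDemoDb();
$hash   = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$alerts = [];
$notify = function (string $subject, string $body) use (&$alerts): void { $alerts[] = $subject; };
for ($i = 0; $i < 7; $i++) {
    echo attemptLogin($pdo, '203.0.113.7', 'wrong-password', $hash, $notify), PHP_EOL;
}
echo count($alerts), " alert(s) sent", PHP_EOL;  // the alert should fire a single time
```

Run it with `php example.php` to watch the responses turn from `denied` to `blocked` once the fifth failure is recorded, while only one alert is emitted.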
Additional Best Practices
To further secure your login system, consider the following:
- Use strong password hashing (e.g., bcrypt).
- Enable two-factor authentication (2FA).
- Monitor server logs for unusual activity.
- Keep your PHP version and libraries up to date.