any other earlier versions than 1.8 available?

Discussion related to the Open ID Provider Server written and published by Packetizer.
dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

any other earlier versions than 1.8 available?

Post by dimkar »

Hi paulej

Congratulations on the implementation of the OpenID server, the only one that really works!!

I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.

Another interesting feature would be to allow a user to try n (say 3) times in the logon process.


thanks in advance,
Dimitrios

My previous post was held for approval, or is it gone?
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: any other earlier versions than 1.8 available?

Post by paulej »

dimkar wrote: Hi paulej

Congratulations on the implementation of the OpenID server, the only one that really works!!
Thanks! Glad you like it. :-)

dimkar wrote: I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.
I have not personally done any work on the server, but a new open source project was forked from the code I originally wrote:
http://sourceforge.net/projects/openidserver/
dimkar wrote: Another interesting feature would be to allow a user to try n (say 3) times in the logon process.
I think it allows the user to try repeatedly. You want to limit the number of tries? The cancel button allows the user to escape anytime.
dimkar wrote: My previous post was held for approval, or is it gone?
It is deleted now. :-) A few of us approve new postings from new people to keep spam down on the site.
dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

Re: any other earlier versions than 1.8 available?

Post by dimkar »

Hi paulej,
Thanks for the reply.

Actually, I do mean that the system itself should allow the user to try n times in the logon process, and not repeatedly, to avoid fake login bots or DoS attacks.

thanks
Dimitrios
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: any other earlier versions than 1.8 available?

Post by paulej »

That might be useful, but the challenge is coming up with a mechanism that works.

For example, we could not simply use cookies to keep a count, since a hacker would not return that cookie.

We could try to keep a count by IP address, but distributed botnets would be able to use a bunch of addresses. Also, we would not want to lock out any address for an inordinate amount of time, since a person might make a mistake and enter the wrong password n times. (I probably would.)

We could put in some artificial delay for failed logins, but attackers can detect this and immediately send another request.

I can see ways to try to thwart attackers, but I can find ways attackers can get around it. So, I'm not sure if a good solution exists. I do know I don't have time to try to prevent it. :-)

People try to get into my machines using SSH attacks all the time. I cannot prevent them, but I do monitor the activity and I block IP addresses if somebody tries more than a certain number of times and fails. If I saw my OpenID server attacked, I would do the same thing. It's not clear where the abuse prevention code should reside, but I'd personally run it outside, because I will block subsequent requests before they even hit the web server.
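The log-monitoring approach paulej describes (count failures per source address, block after a threshold, but only for a limited time so a mistyped password does not lock a real user out for good), written out as an added example that is not code from the Packetizer server; the log format and the IP addresses are constructed for the example.

```python
# Added example (not Packetizer's code): per-IP failure counting with a temporary block.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> login FAILED|OK user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) login (FAILED|OK) user=\S+ ip=(\S+)$")
SAMPLE_LOG = [  # constructed: 203.0.113.5 hammers the login; 198.51.100.7 is a typo
    "2012-07-05T06:42:00 login FAILED user=alice ip=203.0.113.5",
    "2012-07-05T06:42:01 login FAILED user=alice ip=203.0.113.5",
    "2012-07-05T06:42:02 login FAILED user=bob ip=203.0.113.5",
    "2012-07-05T06:42:03 login FAILED user=bob ip=203.0.113.5",
    "2012-07-05T06:45:00 login FAILED user=dimkar ip=198.51.100.7",
    "2012-07-05T06:45:30 login OK user=dimkar ip=198.51.100.7",
    "2012-07-05T07:00:00 login FAILED user=alice ip=203.0.113.5",
]

class FailedLoginBlocker:
    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 block_for=timedelta(minutes=15)):
        self.max_failures, self.window, self.block_for = max_failures, window, block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> when the temporary block expires

    def observe(self, line):
        """Feed one log line; return (ip, blocked_until) if it starts a new block."""
        m = LINE_RE.match(line)
        if not m:
            return None                     # unknown line format: ignore it
        ts, outcome, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if ip in self.blocked_until:
            if ts < self.blocked_until[ip]:
                return None                 # still blocked; nothing new to decide
            del self.blocked_until[ip]      # block expired: forgive the address
            self.failures.pop(ip, None)
        if outcome == "OK":
            self.failures.pop(ip, None)     # a successful login resets the count
            return None
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:      # keep only failures inside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_for
            self.failures.pop(ip, None)     # start from zero once the block lifts
            return (ip, self.blocked_until[ip])
        return None

def blocks_from_log(lines, **kw):
    """Run the blocker over a whole log; return the list of block decisions."""
    blocker = FailedLoginBlocker(**kw)
    return [d for d in map(blocker.observe, lines) if d]
```

Running `blocks_from_log(SAMPLE_LOG)` blocks 203.0.113.5 on its third failure for fifteen minutes, ignores the fourth attempt while the block stands, and lets the address try again after 07:00 with a fresh count; the same decision list is what a firewall rule would be fed outside the web server, as paulej suggests.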
dimkar
Posts: 3
Joined: Thu Jul 05, 2012 6:42 am

Re: any other earlier versions than 1.8 available?

Post by dimkar »

You are probably right... maybe outside the DMZ, at the firewall.

Anyway, thanks for the good product.