I was wondering if it is possible to implement an IP block with ASP.NET Identity if someone tries to log in xxx times with a wrong username/password. Or if not, how would you solve this? On IIS, or simply by logging all login attempts to the DB and checking, each time someone logs in, how often he has logged in with wrong credentials and, in case he exceeds the maximum, adding him to a block table?
1 Answer
If you're using IIS, you can use the approach you outline and use the IIS IP ban list as your block table. To add IP addresses to the block list, use WMI as described here: http://www.codeproject.com/Articles/4671/How-to-Programmatically-add-IP-Addresses-to-IIS-s
However, IP banning has some issues: you'll want to consider removing items from the block list after a given amount of time, multiple users may use the same external IP etc. So you probably want to set your limits pretty high, and prefer username blocking over IP blocking.
Mikael Nitell
Okay, thanks, so you would also suggest using a separate DB and storing blocks in that one? The idea is that a user gets blocked after x tries for x minutes, but I want to avoid that someone does bruteforcing with non-existing usernames, so I also want to additionally block them separately for xxx minutes – Ivan Sieder Jan 26 '16 at 08:15
Yes, you definitely need some additional metadata in a DB. And then you sync the IIS ban list from your DB. – Mikael Nitell Jan 26 '16 at 09:00
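The attempt-logging approach discussed in this thread, as an added C# example that is not code from the question, the answer or ASP.NET Identity itself: failures are counted separately per username and per IP inside a time window, and blocks expire on their own. The class name `LoginThrottle`, the limits and the in-memory dictionaries (standing in for the DB table) are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper; the dictionaries stand in for the DB tables of attempts and blocks.
public sealed class LoginThrottle
{
    private readonly Dictionary<string, List<DateTime>> _failures = new Dictionary<string, List<DateTime>>();
    private readonly Dictionary<string, DateTime> _blockedUntil = new Dictionary<string, DateTime>();
    private readonly object _lock = new object();

    // Assumed limits: the IP limit is much higher because many users can share one external IP.
    private const int MaxPerUser = 5, MaxPerIp = 50;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10);
    private static readonly TimeSpan BlockTime = TimeSpan.FromMinutes(15);

    // Check before validating the password; a blocked caller is rejected without a credential check.
    public bool IsBlocked(string userName, string ip, DateTime now)
    {
        lock (_lock)
            return Active("user:" + Normalize(userName), now) || Active("ip:" + ip, now);
    }

    // Call after every failed login, including attempts for usernames that do not exist,
    // so guessing across many unknown names still counts against the source IP.
    public void RecordFailure(string userName, string ip, DateTime now)
    {
        lock (_lock)
        {
            Count("user:" + Normalize(userName), MaxPerUser, now);
            Count("ip:" + ip, MaxPerIp, now);
        }
    }

    private static string Normalize(string u) => (u ?? "").Trim().ToUpperInvariant();

    private bool Active(string key, DateTime now)
    {
        if (_blockedUntil.TryGetValue(key, out var until) && until > now) return true;
        _blockedUntil.Remove(key); // block has expired (or never existed)
        return false;
    }

    private void Count(string key, int max, DateTime now)
    {
        if (!_failures.TryGetValue(key, out var list)) _failures[key] = list = new List<DateTime>();
        list.RemoveAll(t => now - t > Window); // keep only failures inside the window
        list.Add(now);
        if (list.Count >= max) { _blockedUntil[key] = now + BlockTime; list.Clear(); }
    }
}
```

A persistent version also needs a periodic purge of old rows, since every distinct username or IP ever tried creates an entry.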