How to prevent a login API from being brute-forced?

At present I have run into a problem. I am working on a set of APIs for user login. In the future these APIs will serve both PC and app clients, so the question is: how do I prevent the API from being brute-forced? If the attacker uses only one account and tries passwords against it, I can record the number of login attempts for that account and freeze it after a certain number. But here is the problem: if someone gets hold of 600W (6 million) account + password pairs and tries each one once, it is very likely they will hit a matching account, and limiting by IP is not reliable because an IP is too easy to forge. So how do I solve this?
If a CAPTCHA is required every time, the user experience is too poor, and it is only a matter of time before the CAPTCHA is recognized by a machine. I don't know how to solve it.

Update

6.4. In fact, what I have been thinking is: if I could get a unique ID of the machine, something like the MAC address would be best, so as to stop an attacker from hammering the API from one machine; it would then be useless for him to keep changing IPs and accounts. Unfortunately it cannot be obtained, so I want to ask how the big companies solve this.

Mar.16,2021

First, if it is a developer API, it is recommended to add an [access frequency] limit. For example, set the limit to 1000 requests per minute (per port, per IP, etc.); if this limit is exceeded within one minute, the server returns a 429 Too Many Attempts response.
Second, about preventing forged IP addresses. You can send a request back to the other party's IP address; a forged IP address gives no response. In PHP, $_SERVER['REMOTE_ADDR'] cannot be forged except by going through a proxy, but PHP can also detect the proxy, and then combine this with the IP address to prevent flooding attacks.

Suggested plugin for access frequency restriction: Laravel-Throttle (https://github.com/GrahamCamp).
IP detection:

    <?php
    // Heuristic proxy check: any proxy-related request header, a client
    // source port typical of a proxy, or port 80 reachable on the client
    // address is taken as a sign that REMOTE_ADDR belongs to a proxy.
    // Note that the fsockopen() probe blocks the request for up to 30 seconds.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])
        || !empty($_SERVER['HTTP_X_FORWARDED'])
        || !empty($_SERVER['HTTP_FORWARDED_FOR'])
        || !empty($_SERVER['HTTP_CLIENT_IP'])
        || !empty($_SERVER['HTTP_VIA'])
        || in_array($_SERVER['REMOTE_PORT'], array(8080, 80, 6588, 8000, 3128, 553, 554))
        || @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 30)) {
        // Request came through a proxy; the answer leaves the response empty.
        echo "";
    }

You can require a verification code when an account logs in from a new IP. As for how hard it is to crack, that depends on the difficulty of your verification code. On top of this, add a frequency limit.


Use a verification code, but do not check it every time. Only when the number of login errors exceeds a certain limit (for example, 3 times) is the verification code required.
This ensures both user experience and system security.
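Combining the per-IP rate limit from the first answer with the CAPTCHA-after-N-errors rule from the answer above, as an added example that is not code from any of the posters: a small Python login guard that decides, before the password is checked, whether to answer normally, demand a CAPTCHA, report a lock, or return 429. The thresholds, the 60-second sliding window and the return values are assumptions.

```python
from collections import defaultdict, deque
import time


class LoginGuard:
    """Decides, before the password is checked, how a login attempt is handled.

    Constructed policy (an assumption, not taken from the answers above):
      - ip_limit failures from one IP within `window` seconds -> rate_limited (429)
      - captcha_after failures on one account -> CAPTCHA required for that account
      - lock_after failures on one account -> account temporarily locked
    """

    def __init__(self, window=60, ip_limit=20, captcha_after=3,
                 lock_after=10, clock=time.monotonic):
        self.window, self.ip_limit = window, ip_limit
        self.captcha_after, self.lock_after = captcha_after, lock_after
        self.clock = clock  # injectable so the window can be tested
        self._by_ip = defaultdict(deque)       # ip -> failure timestamps
        self._by_account = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, bucket, key):
        """Drop entries older than the window and return how many remain."""
        q = bucket[key]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def check(self, account, ip, captcha_ok=False):
        """Return 'ok', 'captcha_required', 'locked' or 'rate_limited'."""
        # The per-IP count spans all accounts, so one source trying a leaked
        # list with one password per account still trips it; the per-account
        # count is what survives an attacker rotating IPs.
        if self._recent(self._by_ip, ip) >= self.ip_limit:
            return "rate_limited"          # answer with HTTP 429
        failures = self._recent(self._by_account, account)
        if failures >= self.lock_after:
            return "locked"                # stays locked even with a CAPTCHA
        if failures >= self.captcha_after and not captcha_ok:
            return "captcha_required"      # CAPTCHA only after repeated errors
        return "ok"

    def record_failure(self, account, ip):
        now = self.clock()
        self._by_ip[ip].append(now)
        self._by_account[account].append(now)

    def record_success(self, account):
        self._by_account.pop(account, None)  # a good login clears the counter
```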


1. You can set password complexity rules (letters + special symbols + numbers + mixed case)
2. Setting and controlling the number of failed password logins also gives a good experience


A drag-to-verify CAPTCHA for attempts within the same period of time.
On Taobao or Aliyun you can often see this kind of mouse-drag CAPTCHA.
