Question

I am building my first website. It is an online real estate agency. Users can create a profile for themselves and then insert an ad and upload pictures.

I was told that I should detect multiple login attempts to protect against brute force attacks. Well, with the following code I detect the IPs:

// Prefer the X-Forwarded-For header when present (a proxy may have set it),
// otherwise use the address of the TCP connection itself.
// Note: X-Forwarded-For is an ordinary request header, so any client can send one.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

The system counts failed login attempts within a certain delay and holds a ban list in a DB. It works great ... at least when I test it myself!

Then, as I was told 'Beware of piracy through false IPs', I get the impression my protection system mentioned above is made ineffective.

There are:

1) software available to pirates that encompasses a proxy which can hide their real IP

2) proxies on the web that can also hide real IPs.

What's the difference between 1) and 2)?

I would like to know how proxies can be used and what they are able to do in terms of illicit practices.

  • Can somebody change their IP at will?
  • Can somebody in China or in Russia 'simulate' a Western European or US IP?
  • Can I do more than what I've done to detect any suspicious activity?

Thanks a lot.


Solution

A proxy is a server that can mask your IP. It sends your request as if it were its own and then sends you back the response it got.

Can somebody change their IP at will?

No, they can't just change their IP to whatever they like. But they can mask it.

Can somebody in China or in Russia 'simulate' a Western European or US IP?

Yes

Can I do more than what I've done to detect any suspicious activity?

If you detect that some user name is being logged in with the wrong password too many times using brute force techniques, you could slow them down by using the sleep function. With this technique you wouldn't cut off users that are using a proxy without bad intent, and you would slow down the brute force hacking.

// sleep() takes seconds, so a delay of a few seconds per failed attempt is enough;
// sleep(3000) would stall the request for 50 minutes.
if ($wrongAttempts > 5) sleep(3);

// Read the password from the POST body (not the query string, which ends up in
// server logs) and compare with hash_equals() to avoid PHP's loose == type juggling.
if (hash_equals($password, $_POST['pass'] ?? ''))
{
   // ...
}

You could also start including captcha images to raise security or block the account for some time.
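The answer's advice (delay after a handful of failures, then captcha or a temporary block) can be implemented without relying on the client's IP at all, which sidesteps the proxy problem the question is about. The following is an added example, not code from the answer: it counts failures per account, applies a capped exponential back-off, rejects throttled requests immediately instead of calling sleep() (a sleeping PHP worker is a resource the attacker ties up), and uses password_hash()/password_verify() for the comparison. The in-memory $attempts array, the sample $users table and the function names are assumptions for the demo; a real site keeps the counters in its database or cache.

```php
<?php
// Added example: per-account login throttling. Names ($attempts, $users,
// delay_for, seconds_until_allowed, check_login) are assumed for illustration.
declare(strict_types=1);

const MAX_FREE_ATTEMPTS = 5;   // failures allowed before any delay kicks in
const MAX_DELAY_SECONDS = 60;  // cap so nobody can lock a user out indefinitely

// Constructed sample user table: password hashes made with password_hash().
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// username => ['count' => consecutive failures, 'last' => unix time of last failure]
$attempts = [];

function delay_for(int $failures): int {
    // No delay for the first few mistakes, then doubling: 1, 2, 4, 8 ... seconds, capped.
    if ($failures < MAX_FREE_ATTEMPTS) {
        return 0;
    }
    return (int) min(MAX_DELAY_SECONDS, 2 ** ($failures - MAX_FREE_ATTEMPTS));
}

function seconds_until_allowed(array $attempts, string $username, int $now): int {
    if (!isset($attempts[$username])) {
        return 0;
    }
    $wait = delay_for($attempts[$username]['count']);
    return max(0, $attempts[$username]['last'] + $wait - $now);
}

function check_login(array &$attempts, array $users, string $username, string $password, int $now): string {
    $remaining = seconds_until_allowed($attempts, $username, $now);
    if ($remaining > 0) {
        // Reject at once; the client has to come back later. The failure counter is
        // not increased here, so hammering a throttled account cannot extend the lockout.
        return "throttled: retry in {$remaining}s";
    }

    $hash = $users[$username] ?? null;
    // password_verify() runs the same work whether or not the user exists
    // (a dummy hash is used for unknown names), so timing does not leak valid usernames.
    $ok = password_verify($password, $hash ?? password_hash('dummy', PASSWORD_DEFAULT));

    if ($ok && $hash !== null) {
        unset($attempts[$username]);   // success clears the counter
        return 'ok';
    }
    $count = ($attempts[$username]['count'] ?? 0) + 1;
    $attempts[$username] = ['count' => $count, 'last' => $now];
    return 'bad credentials';
}

// Demo: five wrong guesses are accepted without delay, the sixth is throttled,
// and the correct password works again once the back-off has elapsed.
$t = time();
for ($i = 1; $i <= 7; $i++) {
    echo "attempt $i: " . check_login($attempts, $users, 'alice', 'wrong' . $i, $t) . PHP_EOL;
}
echo "correct password after waiting: "
   . check_login($attempts, $users, 'alice', 'correct horse battery staple', $t + MAX_DELAY_SECONDS) . PHP_EOL;
```

Keying on the account rather than the IP means a shared corporate address or a proxy never gets banned wholesale, while an attacker cycling through proxies still hits the same per-account delay. The cap on the delay matters: without it, anyone who knows a username could keep a legitimate user locked out simply by sending wrong passwords.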

OTHER TIPS

Anyone can change IP, proxy, VPN....
I use this function to detect the REAL IP address if it's valid:

/* Returns true for a syntactically valid, public IPv4 address.
   Assumed definition: the original post calls validip() without showing it. */
function validip($ip) {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function getrealip() {
    // Proxy-supplied headers, checked in order of preference. Every one of
    // these is sent by the client, so a forged value is possible.
    $headers = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
                'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED'];
    foreach ($headers as $h) {
        $candidate = getenv($h);
        // The long2ip(ip2long()) round trip rejects anything that is not a
        // single dotted-quad IPv4 address (e.g. a comma-separated list).
        if ($candidate && long2ip(ip2long($candidate)) == $candidate && validip($candidate)) {
            return $candidate;
        }
    }

    $ip = htmlspecialchars($_SERVER['REMOTE_ADDR']);
    /* Added support for IPv6 connections: strip the "::ffff:" prefix of an
       IPv4-mapped address, otherwise ip2long() fails and the result is null */
    if (strpos($ip, '::') === 0) {
        $ip = substr($ip, strrpos($ip, ':') + 1);
    }

    return long2ip(ip2long($ip));
}

More info for X-Forwarded
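The function above will happily return whatever a client puts in X-Forwarded-For, which is exactly the spoofing the question worries about. The safer pattern, shown here as an added example that is not part of the answer, is to trust forwarding headers only when the TCP peer (REMOTE_ADDR) is one of your own reverse proxies, and then to read the address that proxy appended (the right-most entry not belonging to you) rather than the left-most one, which the client controls. The TRUSTED_PROXIES list, the sample requests and the function names are constructed for illustration.

```php
<?php
// Added example: trusted-proxy-aware client address for rate limiting and ban lists.
// TRUSTED_PROXIES, client_ip() and is_valid_ip() are assumed names.
declare(strict_types=1);

// Constructed: the load balancer / CDN nodes that sit in front of this site.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function is_valid_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

/**
 * Returns the address to attribute the request to.
 * $server is the $_SERVER array, passed in so the function is easy to test.
 */
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Direct connection, or a connection from something that is not our proxy:
    // anything in X-Forwarded-For was written by the client and is ignored.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer; // trusted proxy but no header: attribute to the proxy itself
    }

    // X-Forwarded-For: client, proxy1, proxy2 ... each hop appends the peer it saw.
    $hops = array_map('trim', explode(',', $xff));

    // Walk from the right, skipping our own proxies; the first address that is
    // not ours is the one our edge proxy actually talked to.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], TRUSTED_PROXIES, true)) {
            return is_valid_ip($hops[$i]) ? $hops[$i] : $peer;
        }
    }
    return $peer; // every hop was one of ours
}

// Constructed requests for illustration.
$cases = [
    // Client connects directly and sends a forged header: the header is ignored.
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    // Same forged header behind our proxy: the proxy appends the real peer, which wins.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'],
    // Ordinary request through the proxy.
    ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '192.0.2.44'],
    // Garbage value through the proxy: fall back to the proxy address.
    ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($cases as $c) {
    echo client_ip($c) . PHP_EOL;
}
```

The key design point is that REMOTE_ADDR is the only value the web server itself establishes from the TCP connection; everything else is a header. If there is no reverse proxy in front of the site, leave TRUSTED_PROXIES empty and the function degrades to REMOTE_ADDR alone.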

As Dagon says, IP address is a pretty weak way of identifying users, and hackers will almost certainly not use their own IP address, but rather a stolen machine, or a botnet; on the other hand, many corporate users may appear to all come from the same IP address, and you could easily end up blocking every user from that building/company if someone forgets their password.

The first defense against a brute force attack is to have a strong password policy; commonly, this is assumed to be at least 7 characters, with at least one number and one punctuation mark. This often annoys users, and makes them hate your site.

The next defense - if you think you're really at risk - is CAPTCHA; this makes users hate you even more.

The bottom line is: if you are building your first website, I'd look at an off-the-shelf framework, rather than inventing everything yourself. Consider PEAR:auth.

Licensed under: CC-BY-SA with attribution