
Custom coded anti-brute forcing methods.

NullSafe
ripper
SCAMMER
Registered: 04.06.2021
Messages: 14
Reactions: 7
Please note that this user is banned
What I try to do on the back-end is to limit the available attempts for a specific username, and also to limit attempts per IP. I also randomize the input "names" on every page load to make it harder. On top of that I implement a completely custom captcha. This usually does the trick for me when facing larger traffic.

I am interested to see what methods you use on the back-end to secure your logins.
 
Please note that this user is banned
Is this really overkill when you get huge traffic and extreme loads of brute-force attempts? This method has mostly stopped attackers right in their tracks, but there are still attempts.

I was thinking of applying limits to the server responses; you know, many bruters look for a "200" response. I am thinking of making both fail and success return the same, just with a different payload, so to say.
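The back-end controls described in the two posts above (a failed-attempt limit per username, a separate limit per source IP, per-page-load randomized field names, and a response whose status and shape do not differ between a wrong password, an unknown user and a locked account) as one added example. This is not code from the thread or from any of its posters; the limits, window lengths, the static salt and the sample account are constructed values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed policy values; tune to real traffic.
MAX_PER_USER = 5        # failures allowed per username inside the window
MAX_PER_IP = 20         # failures allowed per source IP inside the window
WINDOW_SECONDS = 600    # sliding window length
LOCKOUT_SECONDS = 900   # how long a key stays locked once its limit is hit


class LoginThrottle:
    """Sliding-window failure counters keyed by username and by IP.

    A key is locked for LOCKOUT_SECONDS once it reaches its limit; the clock
    is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> unlock time

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        now = self.clock()
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: reset the key
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key, limit):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= limit:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self.failures[key].clear()
        self.locked_until.pop(key, None)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-static-salt"              # per-user salts in real systems
USERS = {"alice": _hash("correct horse", SALT)} # constructed sample account
DUMMY_HASH = _hash("unused", SALT)              # checked when the user is unknown,
                                                # so timing matches a real lookup

# One status and one body for every failure mode: wrong password, unknown
# user, or locked key. The client learns only that the attempt did not work.
GENERIC_FAILURE = (200, {"ok": False, "error": "invalid credentials"})


def login(throttle, username, password, ip):
    user_key = "user:" + username.lower()
    ip_key = "ip:" + ip
    if throttle.is_locked(user_key) or throttle.is_locked(ip_key):
        return GENERIC_FAILURE
    stored = USERS.get(username.lower(), DUMMY_HASH)
    valid = hmac.compare_digest(_hash(password, SALT), stored) \
        and username.lower() in USERS
    if not valid:
        throttle.record_failure(user_key, MAX_PER_USER)
        throttle.record_failure(ip_key, MAX_PER_IP)
        return GENERIC_FAILURE
    throttle.record_success(user_key)           # IP counter is left alone:
    return (200, {"ok": True, "session": secrets.token_urlsafe(32)})  # NATs share it


def field_names(page_token, secret):
    """Per-page-load form field names derived with an HMAC of a fresh page
    token, so the server can recompute the mapping from the posted token
    instead of storing it."""
    return {
        logical: "f_" + hmac.new(secret, page_token + logical.encode(),
                                 "sha256").hexdigest()[:12]
        for logical in ("username", "password")
    }
```

The throttle is in-process here; behind more than one app server the same counters would live in a shared store such as Redis. Per-IP lockout is deliberately looser than per-username lockout, because carrier NAT and corporate proxies put many legitimate users behind one address.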
 
If you want to annoy your users with captchas, it's your right.

Limits on the server responses? This is complete nonsense. First, you can't limit it, because it's a response, not a request, and it will be completely useless to change the server-side logic.

Only file/directory bruting tools like DirBuster or wfuzz look for 200/404 responses. How common is this compared to legitimate traffic? You will only create too many false positives.