Home/ Questions/Q 9198147
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T22:13:01+00:00

I am looking for alternative security cautions for Apache web server. I generally work

  • 0

I am looking for alternative security cautions for Apache web server. I generally work with PHP and MySQL.

For processes like user login, I keep IP address, try count, and last try time in database, so if someone tries more than x times in last n minutes or seconds, I simply block IP address.

When there are a lot of different processes like user login, keeping IP addresses in database does not sound right (because of decreasing performance and a lot to do). I know if you want security, you need to sacrifice some performance but is there a better way to stop users making too many requests? Maybe a module to Apache? Or a lower level caution to server? I am especially trying to avoid unnecessary database work.

I considered using CAPTCHA but using it for every form kills user experience. And using it after x request in n minutes still requires first technique i mentioned.

A cache system might help but i can’t see how it prevents a brute force attack or filling up database with garbage. AFAIK it only helps to reading from database (please correct me if i am wrong).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Other than @ranty’s comment above (which is suitable unless you really have a lot of users at the same time), you could use a memory cache system such as memcached. It have a nice php interface and is very easy to use.

    Dump every login attempt to memcache (using ip address as key and trycount as value, cleared by timespan). It’s fast and should not cost too much in performance or development effort.

    Pseudo code for this would look like this:

    $memcache_obj = memcache_connect('memcache_host', 11211);
$ip = $_SERVER('REMOTE_ADDR');
$trycount = memcache_get($memcache_obj, $ip);
if ( $trycount == null ) $trycount=0;
if ( $trycount > 3 ) die('bad user');
memcache_set($memcache_obj, $ip, $trycount++ , 0, 30);
    • 0