Password sharing


#1

Does anyone know if Dreamhost has any protection for hosting customers to use to prevent or notify webmasters when a member of a site has shared their password?
And if Dreamhost doesn’t provide this feature (cgi), does anyone know of a good (reliable and secure) script?


#2

I’m having some trouble with this problem as well. I haven’t been able to find anything at Dreamhost to protect against this sort of abuse. I am trying to install/configure a script that I have gotten from a site that offers this service: http://www.pennywize.com. I’m such a novice with this stuff that I’m having all sorts of issues… Hope something I’ve said helps a little.


#3

Generally this is not much of an issue a host can help with. An analogy is the lock on the door to a brick & mortar store. You can’t really turn to the realtor when people walk in off the street and try to pick the lock on the door, or that you have somebody betraying your trust with the keys.

One thing you can do is monitor your log files and note the IP address of entries where someone appears to be trying different passwords. Then in an .htaccess file you may put:

deny from a.b.c.d

And the person will automatically receive a “Forbidden” error page. If it seems to be a similar block of addresses, you may shorten it to a.b.c or a.b if necessary. Note this may block out legitimate visitors as well if you are not careful.

This also works well with anonymous surfing services that always send requests from the same IP address.


#4

The CGI Resource Index has a number of scripts listed at http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Password_Protection/, some of which just do password protection, but some of which are designed to guard against exactly the sort of thing you’re talking about. There’s one called Password Sentry that’s got an extremely good rating from users - if I were going to use something like this that’s probably what I’d pick.

Lynna

Business: http://www.spidersilk.net
Personal: http://www.wildideas.net


#5

Pennywize is really fantastic, you can install the software for free to see how it works and then upgrade to a paid account when you see the need is there. With Pennywize you log into a control panel type thing and it lists the usernames and passwords that have logged into your site, it also lists IP addresses. It is easy to see when someone has logged in from many different IPs and is sharing. You do have to have a paid account to have the auto shut off features that disable an account when an IP threshold has been met, but it is really worthwhile software.

If you need any tips or advice about setting it up I’d be happy to help, if I can. It was a bit tricky to get set up at first, but Dan @pennywize was a terrific help to me, and all my dumb questions ; )

hope this helps
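
The two checks described in this thread (post #3's repeated failed logins from one IP, and post #5's one username seen from many IPs), as an added example that is not part of any post and is not Pennywize's code. It assumes an Apache common/combined format access log with HTTP Basic auth; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident authuser [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - alice [12/Mar/2004:10:00:01 -0800] "GET /members/ HTTP/1.1" 200 5120',
    '192.0.2.10 - alice [12/Mar/2004:18:30:09 -0800] "GET /members/a.html HTTP/1.1" 200 734',
    '198.51.100.7 - bob [12/Mar/2004:10:02:11 -0800] "GET /members/ HTTP/1.1" 200 5120',
    '203.0.113.21 - bob [12/Mar/2004:10:05:40 -0800] "GET /members/ HTTP/1.1" 200 5120',
    '192.0.2.77 - bob [12/Mar/2004:10:09:02 -0800] "GET /members/ HTTP/1.1" 304 -',
] + [
    f'203.0.113.99 - carol [12/Mar/2004:11:00:{s:02d} -0800] "GET /members/ HTTP/1.1" 401 401'
    for s in range(6)  # six failed logins in a row from one address
]


def analyze(lines, ip_threshold=3, fail_threshold=5):
    """Return (shared_accounts, guessing_ips); both thresholds are assumed values."""
    ips_by_user = defaultdict(set)     # username -> IPs with successful requests
    failures_by_ip = defaultdict(int)  # IP -> count of 401 responses
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, status = m.groups()
        if status == "401":
            failures_by_ip[ip] += 1
        elif user != "-" and status[0] in "23":
            ips_by_user[user].add(ip)
    shared = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= ip_threshold}
    guessing = {ip: n for ip, n in failures_by_ip.items() if n >= fail_threshold}
    return shared, guessing


def deny_lines(guessing):
    """Format .htaccess 'deny from' lines for IPs over the failure threshold."""
    return [f"deny from {ip}" for ip in sorted(guessing)]


if __name__ == "__main__":
    shared, guessing = analyze(SAMPLE_LOG)
    for user, ips in shared.items():
        print(f"possible sharing: {user} seen from {len(ips)} IPs: {', '.join(ips)}")
    print("\n".join(deny_lines(guessing)))
```

Every Basic-auth session begins with one 401 before the browser sends credentials, so the failure threshold should stay well above 1. A member on a dynamic address or behind a proxy pool can also cross the IP threshold without sharing, so review flagged accounts before disabling them.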


#6

I didn’t want to cross post but,

http://discussion.dreamhost.com/showthreaded.pl?Cat=&Board=forum_programming&Number=25933&page=0&view=expanded&sb=5&o=1&part=