My site is under a brute-force attack, in which attackers try to gain access to user accounts. The bots do not have a user agent. I have a system that blocks a person from entering the system if they exceed 3 attempts per account in less than 10 minutes.
I also check for a user agent and, if there is none, exit.
My question is: do sessions only work in browsers? I think they use a script executed via the command line.
I also implemented this:
    // Answer with a 404 and stop when the request carries no session cookie
    if (!isset($_COOKIE[ini_get('session.name')])) {
        header("HTTP/1.0 404 Not Found");
        exit;
    }
Is there anything else I can do to prevent these attacks?
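The lockout described in the question (3 attempts per account in 10 minutes), written out as an added example that is not the asker's code. It keys failures on the account, so requests from rotating addresses or with forged headers still count, and also on the source address. The per-IP limit of 20, the in-memory array store and all function names are assumptions for illustration.

```php
<?php
// Added example. Limits from the post: 3 attempts per account in 10 minutes.
// Assumptions: the per-IP limit and the in-memory $store; a real site would keep
// the timestamps in a database or cache shared by all PHP workers.
const WINDOW_SECONDS = 600;
const MAX_PER_ACCOUNT = 3;
const MAX_PER_IP = 20;   // assumed value

/** Drop timestamps older than the window and return how many remain. */
function recent_failures(array &$store, string $key, int $now): int
{
    $store[$key] = array_values(array_filter(
        $store[$key] ?? [],
        fn (int $t): bool => $t > $now - WINDOW_SECONDS
    ));
    return count($store[$key]);
}

/** True when a login attempt for this account from this IP must be refused. */
function is_blocked(array &$store, string $account, string $ip, int $now): bool
{
    return recent_failures($store, "acct:$account", $now) >= MAX_PER_ACCOUNT
        || recent_failures($store, "ip:$ip", $now) >= MAX_PER_IP;
}

/** Record a failed login against both the account and the source address. */
function record_failure(array &$store, string $account, string $ip, int $now): void
{
    $store["acct:$account"][] = $now;
    $store["ip:$ip"][] = $now;
}

// Constructed sample: failures on one account from rotating addresses,
// then one more attempt after the 10-minute window has passed.
$store = [];
$attempts = [[0, 'alice', '203.0.113.1'], [30, 'alice', '203.0.113.2'],
             [60, 'alice', '203.0.113.3'], [90, 'alice', '203.0.113.4'],
             [700, 'alice', '203.0.113.5']];
foreach ($attempts as [$t, $account, $ip]) {
    if (is_blocked($store, $account, $ip, $t)) {
        echo "t=$t $account from $ip: refused\n";
        continue;
    }
    record_failure($store, $account, $ip, $t);   // every sample attempt has a wrong password
    echo "t=$t $account from $ip: failed login recorded\n";
}
```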