• 0 Posts
  • 7 Comments
Joined 1 year ago
cake
Cake day: June 3rd, 2023

help-circle




  • If I’m bruteforcing a server and each time that I try an username/password my IP gets banned but suddenly one combination allows me to do 4-5 test ( any bigger number than previously) you are potentially telling me that this user is different (it exists) than the previous ones. Therefore you are doing the attack easier for me because now I know which users actually exist in the machine. It doesn’t matter if you are locking the attacker after the password was given.

    As others told you, using public key auth, non standard ports or even port knocking will be much more useful.


  • I think is better to not use an standard port and using fail2ban at the same time to avoid automated attacks. If you manage to implent what you are looking for, you are potentially telling an stacker which accounts exist and which not, allowing him to do an easier brute force attack. A typical attacker using a botnet will not be stopped by a single IP being baned, and as son as an IP is banned he will know that this account doesn’t exists. Another option is enabling port knocking.


  • As far as i know, they don’t use the youtube api. Therefore they don’t have to be compilant with any api policy or tos. They just connect to YouTube like any browser do and then show that information(with modifications) on the invidious app.

    Google can try to modify the code faster than the developers try to update the app since they expect the data to be in an specific format, but that’s all, they aren’t using the api… There is nothing to be closed.