add brute force protection to login (385d4b2) - webinterface.git

add brute force protection to login

Bernd Wurst commited on 2019-04-10 07:56:36
Zeige 3 geänderte Dateien mit 21 Einfügungen und 0 Löschungen.

inc/base.php 6778dca..3d5c548
inc/error.php 627085e..5b008a9
session/checkuser.php 27e8340..f1161c6

inc/base.php

@@ -189,6 +189,13 @@ function logger($severity, $scriptname, $scope, $message)
     db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES (:remote, :user, :scriptname, :scope, :message)", $args);
 }
 
+function count_failed_logins() {
+    $result = db_query("SELECT count(*) AS num FROM misc.scriptlog WHERE user IS NULL AND scriptname='session/start' AND scope='login' AND message LIKE 'wrong user data%' AND remote=:remote AND `timestamp` > NOW() - INTERVAL 10 MINUTE", array(":remote" => $_SERVER['REMOTE_ADDR']));
+    $data = $result->fetch();
+    DEBUG('seen '.$data['num'].' failed logins from this address within 10 minutes');
+    return $data['num'];
+}
+
 function html_header($arg)
 {
     global $html_header;

inc/error.php

Zeige Datei @ 385d4b2

@@ -135,6 +135,12 @@ function require_role($roles)
 
 function login_screen($why = null)
 {
+    $failed = count_failed_logins();
+    if ($failed > 5) {
+        global $title;
+        $title = '';
+        system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
+    }
     if (! $why) {
         if (isset($_COOKIE['CLIENTCERT_AUTOLOGIN']) && $_COOKIE['CLIENTCERT_AUTOLOGIN'] == '1') {
             redirect("/certlogin/index.php?destination=".urlencode($_SERVER['REQUEST_URI']));

session/checkuser.php

Zeige Datei @ 385d4b2

@@ -32,6 +32,14 @@ define('ROLE_SUBUSER', 32);
 
 function find_role($login, $password, $i_am_admin = false)
 {
+    if (!$i_am_admin) {
+        $failed = count_failed_logins();
+        if ($failed > 5) {
+            global $title;
+            $title = '';
+            system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
+        }
+    }
     // Domain-Admin?  <not implemented>
     // System-User?
     $uid = (int) $login;


...	...	@@ -189,6 +189,13 @@ function logger($severity, $scriptname, $scope, $message)
189	189	db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES (:remote, :user, :scriptname, :scope, :message)", $args);
190	190	}
191	191
	192	+function count_failed_logins() {
	193	+ $result = db_query("SELECT count(*) AS num FROM misc.scriptlog WHERE user IS NULL AND scriptname='session/start' AND scope='login' AND message LIKE 'wrong user data%' AND remote=:remote AND `timestamp` > NOW() - INTERVAL 10 MINUTE", array(":remote" => $_SERVER['REMOTE_ADDR']));
	194	+ $data = $result->fetch();
	195	+ DEBUG('seen '.$data['num'].' failed logins from this address within 10 minutes');
	196	+ return $data['num'];
	197	+}
	198	+
192	199	function html_header($arg)
193	200	{
194	201	global $html_header;

...	...	@@ -135,6 +135,12 @@ function require_role($roles)
135	135
136	136	function login_screen($why = null)
137	137	{
	138	+ $failed = count_failed_logins();
	139	+ if ($failed > 5) {
	140	+ global $title;
	141	+ $title = '';
	142	+ system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
	143	+ }
138	144	if (! $why) {
139	145	if (isset($_COOKIE['CLIENTCERT_AUTOLOGIN']) && $_COOKIE['CLIENTCERT_AUTOLOGIN'] == '1') {
140	146	redirect("/certlogin/index.php?destination=".urlencode($_SERVER['REQUEST_URI']));

...	...	@@ -32,6 +32,14 @@ define('ROLE_SUBUSER', 32);
32	32
33	33	function find_role($login, $password, $i_am_admin = false)
34	34	{
	35	+ if (!$i_am_admin) {
	36	+ $failed = count_failed_logins();
	37	+ if ($failed > 5) {
	38	+ global $title;
	39	+ $title = '';
	40	+ system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
	41	+ }
	42	+ }
35	43	// Domain-Admin? <not implemented>
36	44	// System-User?
37	45	$uid = (int) $login;
38	46