
add brute force protection to login

Bernd Wurst authored on 10/04/2019 07:56:36
Showing 3 changed files
... ...
@@ -189,6 +189,13 @@ function logger($severity, $scriptname, $scope, $message)
189 189
     db_query("INSERT INTO misc.scriptlog (remote, user,scriptname,scope,message) VALUES (:remote, :user, :scriptname, :scope, :message)", $args);
190 190
 }
191 191
 
192
+function count_failed_logins() {
193
+    $result = db_query("SELECT count(*) AS num FROM misc.scriptlog WHERE user IS NULL AND scriptname='session/start' AND scope='login' AND message LIKE 'wrong user data%' AND remote=:remote AND `timestamp` > NOW() - INTERVAL 10 MINUTE", array(":remote" => $_SERVER['REMOTE_ADDR']));
194
+    $data = $result->fetch();
195
+    DEBUG('seen '.$data['num'].' failed logins from this address within 10 minutes');
196
+    return $data['num'];
197
+}
198
+
192 199
 function html_header($arg)
193 200
 {
194 201
     global $html_header;
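Review bot: count_failed_logins returns `$data['num']` exactly as the driver hands it back (typically a string) and will emit a notice if `fetch()` returns false, so the return should be normalised, `return (int) ($data['num'] ?? 0);`, with a docblock stating that it counts failed logins per `$_SERVER['REMOTE_ADDR']` within the last 10 minutes. Keying the counter on REMOTE_ADDR alone means that behind a reverse proxy, or for users sharing one NAT address, six failures by anyone lock everyone at that address out of the login form; that is acceptable for direct connections but worth a comment, since the function makes no attempt to resolve a proxied client address. The `message LIKE 'wrong user data%'` filter also ties this function to the exact text written by session/start, which this commit does not show, so a comment naming that dependency, `// must match the message logged by session/start on a failed login`, would help the next maintainer.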
... ...
@@ -135,6 +135,12 @@ function require_role($roles)
135 135
 
136 136
 function login_screen($why = null)
137 137
 {
138
+    $failed = count_failed_logins();
139
+    if ($failed > 5) {
140
+        global $title;
141
+        $title = '';
142
+        system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
143
+    }
138 144
     if (! $why) {
139 145
         if (isset($_COOKIE['CLIENTCERT_AUTOLOGIN']) && $_COOKIE['CLIENTCERT_AUTOLOGIN'] == '1') {
140 146
             redirect("/certlogin/index.php?destination=".urlencode($_SERVER['REQUEST_URI']));
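Review bot: The seven-line lockout block added at the top of login_screen is repeated verbatim in find_role (third hunk); a single helper, e.g. `function abort_if_too_many_failed_logins()` holding the `count_failed_logins() > 5` comparison, the `$title` reset and the `system_failure(...)` call, keeps the threshold and the user-facing message in one place. Within the block, `global $title;` declared inside the `if` is legal but easy to misread as block-scoped; hoisting it to the function's first statement reads cleaner. The code after the block assumes `system_failure()` never returns, which is not visible here; if it can return, the cookie and redirect logic below would still run for a locked-out address. login_screen's body continues outside the hunk.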
... ...
@@ -32,6 +32,14 @@ define('ROLE_SUBUSER', 32);
32 32
 
33 33
 function find_role($login, $password, $i_am_admin = false)
34 34
 {
35
+    if (!$i_am_admin) {
36
+        $failed = count_failed_logins();
37
+        if ($failed > 5) {
38
+            global $title;
39
+            $title = '';
40
+            system_failure("Zu viele fehlgeschlagenen Login-Versuche! Bitte warten Sie einige Minuten bis zum nächsten Versuch!");
41
+        }
42
+    }
35 43
     // Domain-Admin?  <not implemented>
36 44
     // System-User?
37 45
     $uid = (int) $login;
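Review bot: The lockout threshold `5` appears as a bare literal both here and in login_screen, while the 10-minute window lives only inside the SQL string in count_failed_logins; defining them once beside the ROLE_* constants above, e.g. `define('LOGIN_MAX_FAILED', 5);` and `define('LOGIN_FAIL_WINDOW_MINUTES', 10);`, and having count_failed_logins consume the window value keeps the policy adjustable in one place. The `!$i_am_admin` bypass is presumably meant for admin-initiated lookups rather than a credential check, but nothing in the hunk says so; a one-line comment, `// admin-initiated lookups bypass the per-address lockout — confirm this path never verifies a password`, would document why the protection is skipped. find_role's body continues outside the hunk.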