authorHorus32014-04-16 13:43:34 +0200
committerHorus32014-04-16 13:43:34 +0200
commitb70acc4bce1450a726cf50a2f2f09539d74252b0 (patch)
treefd8b70beb7bbe57534137f3b19ea7c0f6fa0191a
parent3dc852b163daba5fa59499215f8b725a6f0a39eb (diff)
Improved brute-force protection and added ban page.
-rwxr-xr-xblob/database_schema2
-rwxr-xr-xblob/nginx_rewrite_rules2
-rwxr-xr-xwww/functions/func_login.php49
-rwxr-xr-xwww/httperror.php4
-rwxr-xr-xwww/index.php3
-rwxr-xr-xwww/setup.php2
6 files changed, 45 insertions, 17 deletions
diff --git a/blob/database_schema b/blob/database_schema
index c994910..d2bf0cf 100755
--- a/blob/database_schema
+++ b/blob/database_schema
@@ -6,6 +6,6 @@ CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner
CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
-CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
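Review bot: The `login_attempts` column added on the `+` line carries no type, while the same column in www/setup.php in this commit is declared `login_attempts INTEGER`; the two copies of the schema should agree, `login_attempts INTEGER,`. SQLite accepts an untyped column, so this is a consistency issue rather than a failure, but the two files will drift further apart if they are not kept identical. A second point applies to both this file and www/setup.php: the statement is `CREATE TABLE IF NOT EXISTS`, so an installation that already has the old four-column `banned_user` table keeps it, and the new `SELECT time, login_attempts, id` in www/functions/func_login.php then fails against that database; an `ALTER TABLE banned_user ADD COLUMN ...` migration step, or a documented reset of the table, is needed for existing deployments.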
diff --git a/blob/nginx_rewrite_rules b/blob/nginx_rewrite_rules
index e6783f0..1b65c16 100755
--- a/blob/nginx_rewrite_rules
+++ b/blob/nginx_rewrite_rules
@@ -11,6 +11,8 @@ location /robots.txt {} #stop rewriting the robots.txt
location /favicon.ico {}
location /static {}
+rewrite ^/banned$ /httperror.php?e=ban;
+
location ~* ^/?login/?([a-z0-9]+=[a-z0-9]+(&[a-z0-9]+=[a-z0-9]+)?)?$ {
rewrite ^/?login([?/]?.*) /index.php?task=login&arguments=$1 last;
}
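Review bot: The new `rewrite ^/banned$ /httperror.php?e=ban;` has no flag, whereas the login rewrite below it ends with `last`; without a flag nginx continues evaluating the remaining rewrite directives in this context against the already-rewritten URI before selecting a location. Writing it as `rewrite ^/banned$ /httperror.php?e=ban last;` matches the file's convention and makes the intent explicit. Whether the missing flag currently changes the outcome depends on rules outside the hunk.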
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index a4d4696..afd116c 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -54,19 +54,29 @@ function logout(){
function brutforce_protection($db){
$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
if($_SESSION["login_attempts"] <= 0){
- $remote_ip = $_SERVER["REMOTE_ADDR"];
- $session_id = session_id();
- $time = $_SERVER["REQUEST_TIME"];
- if($db->exec("
+ $db->exec("
BEGIN TRANSACTION;
INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
COMMIT;
- ")){
- echo "You are banned. ;_;";
- }
- exit;
+ ")
+ banned();
+
+ } else {
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id) ."', '".$time."');
+ COMMIT;
+ ")){
+ return true;
+ } else {
+ return false;
+ }
}
}
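Review bot: The statement ending on the `+ ")` line is not terminated — `$db->exec("…")` is followed directly by `banned();` on the next line — so the file no longer parses; it should read `");`. The INSERT in the new `else` branch also cannot succeed as written: it names the column `login_attemps` while both schema files in this commit declare `login_attempts`, and it interpolates `$db->escapeString($remote_ip)` without the surrounding single quotes that the first INSERT uses, so SQLite is handed an unquoted dotted IP and reports a syntax error; the fixes are `login_attempts` and `'".$db->escapeString($remote_ip)."'`. Until then `exec()` returns false on every non-final attempt and the per-attempt row that check_if_banned later reads back is never written. Note also that each failed attempt inserts a fresh row rather than updating the existing one for this ip/session, so the table grows by one row per failure until the six-hour cleanup removes them.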
@@ -74,14 +84,27 @@ function check_if_banned($db){
$remote_ip = $_SERVER["REMOTE_ADDR"];
$session_id = session_id();
- $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
$check_ar = $check_db->fetchArray(SQLITE3_NUM);
+ $log_at = $check_ar[1];
+ if($log_at){
+ $_SESSION["login_attempts"] = $log_at;
+ }
+
$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+ $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($check_ar[0] < $accepted_time){
- return false; // not longer banned
- } else {
- return true; // still banned
+ if($log_at <= 0)
+ if ($check_ar[0] >= $accepted_time){
+ return true; // still banned
+ }
}
+
+ return false; // not longer banned
+}
+
+function banned(){
+ header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
+ exit;
}
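Review bot: `banned()` builds its redirect target from `$_SERVER["HTTP_HOST"]`, a value taken from the incoming request rather than from configuration, so the host the browser is sent to is whatever the client put in its Host header; a relative target needs neither scheme nor host, `header("Refresh: 0; url=/banned");` (the `url=` key is what the Refresh header syntax expects, and calling `http_response_code(403)` first would let clients and access logs see the ban rather than a plain 200). In check_if_banned — whose opening line is outside the hunk — `fetchArray()` returns `false` when no row matches this ip or session, and `$check_ar[1]` and `$check_ar[0]` are then read from a boolean; `$log_at = is_array($check_ar) ? $check_ar[1] : null;` together with `if ($log_at <= 0 && is_array($check_ar) && $check_ar[0] >= $accepted_time) { return true; }` handles the no-row case explicitly and replaces the brace-less nested `if` pair, which is easy to misread. The `DELETE` of rows older than six hours runs on every call but only after the `SELECT`, so a just-expired row is still returned and excluded solely by the time comparison; running the cleanup before the query would make that ordering clearer.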
diff --git a/www/httperror.php b/www/httperror.php
index 8b1a62a..e22dd28 100755
--- a/www/httperror.php
+++ b/www/httperror.php
@@ -49,6 +49,10 @@
}elseif($_GET['e']==504){
echo '<h1 id="Error-Page-head" >'.$_GET['e'].'</h1>';
echo '<h2 id="Error-Page-description" >A server i&#39;m trying to contact is insanely slow. </br>I can&#39;t wait forever. I&#39;m sorry!</h2>';
+
+ }elseif($_GET['e']=='ban'){
+ echo '<h1 id="Error-Page-head" >You are banned!</h1>';
+ echo '<h2 id="Error-Page-description" >Too many authentication failures.</br>It&#39s not my fault. I swear.</h2>';}
}?>
</div>
<?php include("static/footer.html");?>
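Review bot: The entity in `It&#39s not my fault` on the last added line is missing its terminating semicolon — the 504 branch above writes `&#39;` — so browsers may render it literally. The same line also closes the new branch with a trailing `}` while the unchanged `}?>` below it still closes the chain, which appears to leave one `}` unmatched unless a block opened before the hunk is meant to end there; the earlier branches close with a single brace on its own line, so ending the line at `…</h2>';` and letting the existing `}?>` close the branch would be consistent. `</br>` is carried over from the surrounding lines; `<br>` is the valid form if that markup is ever cleaned up.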
diff --git a/www/index.php b/www/index.php
index 73c9b5d..3110776 100755
--- a/www/index.php
+++ b/www/index.php
@@ -12,8 +12,7 @@ if(!isset($_SESSION["login_attempts"])){
}
if(check_if_banned($db)){
- echo "You are banned. ;_;";
- exit;
+ banned();
}
if(empty($_GET)){
diff --git a/www/setup.php b/www/setup.php
index 99c9034..8d56f6e 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -57,7 +57,7 @@ if($bool){
CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id));
INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', '');
CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
- CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+ CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
COMMIT;")
) {
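Review bot: The `user INTEGER` column added to `banned_user` on the `+` line is not written by either INSERT in www/functions/func_login.php in this commit, so it will always be NULL; either populate it where the rows are inserted or leave it out of the schema until it is used. The same column is added to blob/database_schema, so both files should change together if it is dropped. The enclosing `exec()` call starts and ends outside the hunk.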