| author | Horus3 | 2014-04-16 13:43:34 +0200 |
|---|---|---|
| committer | Horus3 | 2014-04-16 13:43:34 +0200 |
| commit | b70acc4bce1450a726cf50a2f2f09539d74252b0 (patch) | |
| tree | fd8b70beb7bbe57534137f3b19ea7c0f6fa0191a /www | |
| parent | 3dc852b163daba5fa59499215f8b725a6f0a39eb (diff) | |
| download | files.iamfabulous.de-b70acc4bce1450a726cf50a2f2f09539d74252b0.tar.gz | |
Improved brutforce protection and added ban page.
Diffstat (limited to 'www')
| -rwxr-xr-x | www/functions/func_login.php | 49 | ||||
| -rwxr-xr-x | www/httperror.php | 4 | ||||
| -rwxr-xr-x | www/index.php | 3 | ||||
| -rwxr-xr-x | www/setup.php | 2 |
4 files changed, 42 insertions, 16 deletions
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index a4d4696..afd116c 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -54,19 +54,29 @@ function logout(){
 function brutforce_protection($db){
 	$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+	$remote_ip = $_SERVER["REMOTE_ADDR"];
+	$session_id = session_id();
+	$time = $_SERVER["REQUEST_TIME"];
+
 	if($_SESSION["login_attempts"] <= 0){
-		$remote_ip = $_SERVER["REMOTE_ADDR"];
-		$session_id = session_id();
-		$time = $_SERVER["REQUEST_TIME"];
-		if($db->exec("
+		$db->exec("
 			BEGIN TRANSACTION;
 			INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
 			COMMIT;
-		")){
-			echo "You are banned. ;_;";
-		}
-		exit;
+		")
+		banned();
+
+	} else {
+		if($db->exec("
+			BEGIN TRANSACTION;
+			INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id) ."', '".$time."');
+			COMMIT;
+		")){
+			return true;
+		} else {
+			return false;
+		}
 	}
 }
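Review bot: In the ban branch of brutforce_protection the `$db->exec("` … `")` call is followed directly by `banned();` with no terminating semicolon, which as the hunk reads is a parse error; it should be `");`. The new else-branch INSERT also cannot succeed: it names the column `login_attemps` while setup.php creates `login_attempts`, and it interpolates `$db->escapeString($remote_ip)` without surrounding quotes, so a dotted IP is not a valid SQL literal and the per-attempt row is never written, leaving the counter to fall back to the session value. Suggested statement: `INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".(int)$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".(int)$time.");`. Casting `$_SESSION["login_attempts"]` and `$time` to int before interpolation keeps both statements free of any non-numeric input, since neither value is escaped. The rendered hunk appears to have lost its trailing context lines (the header announces 19/29 lines but fewer are shown), so what follows the closing brace is not visible here.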
@@ -74,14 +84,27 @@ function check_if_banned($db){
 	$remote_ip = $_SERVER["REMOTE_ADDR"];
 	$session_id = session_id();
-	$check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+	$check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
 	$check_ar = $check_db->fetchArray(SQLITE3_NUM);
+	$log_at = $check_ar[1];
+	if($log_at){
+		$_SESSION["login_attempts"] = $log_at;
+	}
+
 	$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+	$db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
-	if($check_ar[0] < $accepted_time){
-		return false; // not longer banned
-	} else {
-		return true; // still banned
+	if($log_at <= 0)
+		if ($check_ar[0] >= $accepted_time){
+			return true; // still banned
+		}
 	}
+
+	return false; // not longer banned
+}
+
+function banned(){
+	header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
+	exit;
 }
diff --git a/www/httperror.php b/www/httperror.php
index 8b1a62a..e22dd28 100755
--- a/www/httperror.php
+++ b/www/httperror.php
@@ -49,6 +49,10 @@
 	}elseif($_GET['e']==504){
 		echo '<h1 id="Error-Page-head" >'.$_GET['e'].'</h1>';
 		echo '<h2 id="Error-Page-description" >A server i'm trying to contact is insanely slow. </br>I can't wait forever. I'm sorry!</h2>';
+
+	}elseif($_GET['e']=='ban'){
+		echo '<h1 id="Error-Page-head" >You are banned!</h1>';
+		echo '<h2 id="Error-Page-description" >Too many authentication failures.</br>It's not my fault. I swear.</h2>';}
 }?>
 </div>
 <?php include("static/footer.html");?>
diff --git a/www/index.php b/www/index.php
index 73c9b5d..3110776 100755
--- a/www/index.php
+++ b/www/index.php
@@ -12,8 +12,7 @@ if(!isset($_SESSION["login_attempts"])){
 }
 if(check_if_banned($db)){
-	echo "You are banned. ;_;";
-	exit;
+	banned();
 }
 if(empty($_GET)){
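Review bot: In check_if_banned, `if($log_at <= 0)` is written without an opening brace, so the unchanged `}` after the inner `if` closes the function and leaves `return false;` and the following `}` outside any block — as the hunk reads, a parse error; write `if($log_at <= 0){`. `fetchArray()` returns false when no row matches, and the new `$check_ar[1]` then reads an offset on a bool (a warning since PHP 7.4), so add `if ($check_ar === false) { return false; }` before `$log_at = $check_ar[1];`. Because the expiry DELETE runs after the SELECT, an attempt-counter row older than six hours is still copied into `$_SESSION["login_attempts"]` on the request that expires it; computing `$accepted_time` and running the DELETE before the query keeps the two consistent. In the added `banned()`, the redirect target is assembled from `$_SERVER["HTTP_HOST"]`, a client-supplied header; a relative target such as `header("Location: /banned");` (or the configured site host) avoids sending the client to a host it chose itself. The rendered hunk appears to have lost its trailing context lines (14/27 announced, fewer shown), so the lines after `banned()` are not visible here.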
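Review bot: The added `'ban'` branch closes itself with the `}` glued to the end of its last echo line (`...</h2>';}`), yet the unchanged ` }?>` line that previously closed the `504` branch is still there, so as the hunk reads the chain now has one `}` more than it opens; drop the trailing `}` from the echo line so the shared `}?>` closes the new branch as it did the old one. The comparison `$_GET['e']=='ban'` is a loose equality next to the numeric branches; `$_GET['e']==='ban'` states the intent and rules out numeric-string coercion. The enclosing if/elseif chain begins outside the hunk.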
diff --git a/www/setup.php b/www/setup.php
index 99c9034..8d56f6e 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -57,7 +57,7 @@ if($bool){
 	CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id));
 	INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', '');
 	CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
-	CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+	CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
 	CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
 	COMMIT;")
 ) {
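Review bot: The new `login_attempts` and `user` columns are only added inside `CREATE TABLE IF NOT EXISTS`, which is a no-op on any database where setup has already run, so existing installs keep the four-column `banned_user` and the SELECT and INSERT in func_login.php that reference `login_attempts` will fail there. An upgrade step such as `ALTER TABLE banned_user ADD COLUMN login_attempts INTEGER;` (and the same for `user`) is needed alongside this change. The `user INTEGER` column also lacks the `FOREIGN KEY(user) REFERENCES user(id)` the `log` and `files` tables declare, and nothing in this commit appears to write it; if it is reserved for later use, a comment saying so would help. The enclosing `exec` string starts outside the hunk.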
