| -rwxr-xr-x | blob/database_schema | 2 | ||||
| -rwxr-xr-x | blob/nginx_rewrite_rules | 1 | ||||
| -rwxr-xr-x | www/functions/func_login.php | 49 | ||||
| -rwxr-xr-x | www/httperror.php | 6 | ||||
| -rwxr-xr-x | www/index.php | 3 | ||||
| -rwxr-xr-x | www/setup.php | 2 |
6 files changed, 46 insertions, 17 deletions
diff --git a/blob/database_schema b/blob/database_schema
index c994910..d2bf0cf 100755
--- a/blob/database_schema
+++ b/blob/database_schema
@@ -6,6 +6,6 @@ CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner
 CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
-CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
 CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
diff --git a/blob/nginx_rewrite_rules b/blob/nginx_rewrite_rules
index 2c9b7f3..e276bcf 100755
--- a/blob/nginx_rewrite_rules
+++ b/blob/nginx_rewrite_rules
@@ -12,6 +12,7 @@ location /favicon.ico {}
 location /static {}
 try_files $uri @main;
+rewrite ^/banned$ /httperror.php?e=ban;
 location ~* ^/login/?([a-z0-9]+=[a-z0-9]+(&[a-z0-9]+=[a-z0-9]+)?)?$ {
 rewrite ^/?login([?/]?.*) /index.php?task=login&arguments=$1 last;
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index a4d4696..943e20e 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
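Review bot: The new `login_attempts` column in blob/database_schema is declared without a type, while the same CREATE TABLE in the www/setup.php hunk of this commit declares `login_attempts INTEGER`, so the two copies of the schema now diverge. SQLite accepts a typeless column, but keeping the two definitions byte-identical is what stops a fresh install and a migrated one from behaving differently; this line should read `+CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);`. The added `user` column is not written by any code in this commit; a short comment in the schema saying what is meant to populate it would help the next reader.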
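Review bot: The new rule matches `^/banned$` only, so a request for `/banned/` is not rewritten and falls through to the `try_files $uri @main;` above it, whereas the login location below tolerates the slash with `/login/?`. If the trailing slash should be accepted here as well, `rewrite ^/banned$ /httperror.php?e=ban;` becomes `rewrite ^/banned/?$ /httperror.php?e=ban;`. The path is the target that banned() in www/functions/func_login.php redirects to; a comment on this line saying so would tie the two files together.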
@@ -54,19 +54,29 @@ function logout(){
 function brutforce_protection($db){
 $_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
 if($_SESSION["login_attempts"] <= 0){
- $remote_ip = $_SERVER["REMOTE_ADDR"];
- $session_id = session_id();
- $time = $_SERVER["REQUEST_TIME"];
- if($db->exec("
+ $db->exec("
 BEGIN TRANSACTION;
 INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
 COMMIT;
- ")){
- echo "You are banned. ;_;";
- }
- exit;
+ ");
+ banned();
+
+ } else {
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id) ."', '".$time."');
+ COMMIT;
+ ")){
+ return true;
+ } else {
+ return false;
+ }
 }
 }
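Review bot: The INSERT in the new else branch names the column `login_attemps`, but both schema hunks in this commit define `login_attempts`, and the IP value `".$db->escapeString($remote_ip)."` is spliced in without surrounding quotes, so SQLite rejects the statement, exec() returns false and the remaining-attempts count is never written. The per-IP persistence this commit is after therefore does not happen: check_if_banned finds no row carrying `login_attempts`, and a client that presents no session cookie receives a fresh counter from the `!isset($_SESSION["login_attempts"])` initialisation visible in the index.php hunk. The line should read `INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".(int)$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".(int)$time.");`. Switching both INSERTs to `$db->prepare()` with `bindValue()` would remove this class of quoting mistake altogether; the first `$db->exec()` still calls banned() when the ban row fails to insert, which fails closed, but its false return now goes unlogged. The function is complete within this hunk.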
@@ -74,14 +84,27 @@ function check_if_banned($db){
 $remote_ip = $_SERVER["REMOTE_ADDR"];
 $session_id = session_id();
- $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
 $check_ar = $check_db->fetchArray(SQLITE3_NUM);
+ $log_at = $check_ar[1];
+ if($log_at){
+ $_SESSION["login_attempts"] = $log_at;
+ }
+
 $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+ $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($check_ar[0] < $accepted_time){
- return false; // not longer banned
- } else {
- return true; // still banned
+ if($log_at <= 0){
+ if ($check_ar[0] >= $accepted_time){
+ return true; // still banned
+ }
 }
+
+ return false; // not longer banned
+}
+
+function banned(){
+ header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
+ exit;
 }
diff --git a/www/httperror.php b/www/httperror.php
index 8b1a62a..423f0fa 100755
--- a/www/httperror.php
+++ b/www/httperror.php
@@ -6,6 +6,8 @@
 500
 502
 504
+
+ ban -- user is banned and not allowed to log in
 404 is displayed if $_GET["e"] is not set.
@@ -49,6 +51,10 @@
 }elseif($_GET['e']==504){
 echo '<h1 id="Error-Page-head" >'.$_GET['e'].'</h1>';
 echo '<h2 id="Error-Page-description" >A server i'm trying to contact is insanely slow. </br>I can't wait forever. I'm sorry!</h2>';
+
+ }elseif($_GET['e']=='ban'){
+ echo '<h1 id="Error-Page-head" >You are banned!</h1>';
+ echo '<h2 id="Error-Page-description" >Too many authentication failures.</br>It's not my fault. I swear.</h2>';
 }?>
 </div>
 <?php include("static/footer.html");?>
diff --git a/www/index.php b/www/index.php
index 73c9b5d..3110776 100755
--- a/www/index.php
+++ b/www/index.php
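Review bot: banned() builds its redirect target from `$_SERVER["HTTP_HOST"]`, which is copied from the request's Host header, so the Refresh header can be made to point at a host the application does not control; a relative target, `header("Location: /banned", true, 302); exit;`, or a hostname read from configuration avoids that. In check_if_banned the line `$log_at = $check_ar[1];` runs before the DELETE of rows older than `$accepted_time`, so a counter from an already expired row is still copied into `$_SESSION["login_attempts"]`; moving the DELETE ahead of the SELECT fixes the ordering. `fetchArray()` returns false when no row matches, and `$check_ar[1]` on false yields null with a warning on current PHP; the function then returns false only because `null >= $accepted_time` happens to be false, so a guard such as `if($check_ar === false){ return false; }` directly after the fetch would make that path explicit.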
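Review bot: As rendered here, the new line `echo '<h2 id="Error-Page-description" >Too many authentication failures.</br>It's not my fault. I swear.</h2>';` has an unescaped apostrophe in `It's` inside a single-quoted string, which would terminate the string early and leave the file unparsable; the existing 504 line above shows the same pattern (`i'm`, `can't`), so this may be a display artefact, but it is worth confirming the file parses. `</br>` is not a valid element; `<br>` is what the markup intends. The comparison `$_GET['e']=='ban'` is loose while its siblings compare against integers; `$_GET['e']==='ban'` makes the string branch explicit.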
@@ -12,8 +12,7 @@ if(!isset($_SESSION["login_attempts"])){
 }
 if(check_if_banned($db)){
- echo "You are banned. ;_;";
- exit;
+ banned();
 }
 if(empty($_GET)){
diff --git a/www/setup.php b/www/setup.php
index 99c9034..8d56f6e 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -57,7 +57,7 @@ if($bool){
 CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id));
 INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', '');
 CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
- CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+ CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
 CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
 COMMIT;")
 ) {
