From b70acc4bce1450a726cf50a2f2f09539d74252b0 Mon Sep 17 00:00:00 2001
From: Horus3
Date: Wed, 16 Apr 2014 13:43:34 +0200
Subject: Improved brute-force protection and added ban page.
---
www/functions/func_login.php | 49 ++++++++++++++++++++++++++++++++------------
www/httperror.php | 4 ++++
www/index.php | 3 +--
www/setup.php | 2 +-
4 files changed, 42 insertions(+), 16 deletions(-)
(limited to 'www')
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index a4d4696..afd116c 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -54,19 +54,29 @@ function logout(){
function brutforce_protection($db){
$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
if($_SESSION["login_attempts"] <= 0){
- $remote_ip = $_SERVER["REMOTE_ADDR"];
- $session_id = session_id();
- $time = $_SERVER["REQUEST_TIME"];
- if($db->exec("
+ $db->exec("
BEGIN TRANSACTION;
INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
COMMIT;
- ")){
- echo "You are banned. ;_;";
- }
- exit;
+ ")
+ banned();
+
+ } else {
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id) ."', '".$time."');
+ COMMIT;
+ ")){
+ return true;
+ } else {
+ return false;
+ }
}
}
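Review bot: The INSERT in the new else branch cannot succeed as written: it names the column `login_attemps`, while setup.php declares it as `login_attempts`, and the IP produced by `$db->escapeString($remote_ip)` is interpolated without surrounding quotes, so SQLite sees a bare `1.2.3.4` token — either makes `exec()` fail, the function always returns false, and the remaining-attempt count is never persisted. Fix the column name and quote the IP (and keep `$time` unquoted as the first branch does), e.g. `INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".(int)$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".(int)$time.");`. Better still, both branches should go through `$db->prepare()` with `bindValue()` so no SQL is assembled by string concatenation at all. Since the client decides whether it presents the session cookie, the `session_id` row is only a weak signal; the IP row is what actually enforces the ban, so the lookup in check_if_banned should be read with that in mind.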
@@ -74,14 +84,27 @@ function check_if_banned($db){
$remote_ip = $_SERVER["REMOTE_ADDR"];
$session_id = session_id();
- $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
$check_ar = $check_db->fetchArray(SQLITE3_NUM);
+ $log_at = $check_ar[1];
+ if($log_at){
+ $_SESSION["login_attempts"] = $log_at;
+ }
+
$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+ $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($check_ar[0] < $accepted_time){
- return false; // not longer banned
- } else {
- return true; // still banned
+ if($log_at <= 0)
+ if ($check_ar[0] >= $accepted_time){
+ return true; // still banned
+ }
}
+
+ return false; // not longer banned
+}
+
+function banned(){
+ header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
+ exit;
}
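Review bot: `$check_ar[1]` at the top of the hunk is read before checking whether the query matched anything; `fetchArray()` returns false when there is no row for this IP or session, so `$log_at` comes from indexing a bool (a notice, null thereafter) and the function only reaches `return false` by accident. Guard it right after the fetch, `if ($check_ar === false) { $check_ar = [null, null, null]; }`, or return false early after the DELETE, so the later `$check_ar[0] >= $accepted_time` comparison is never evaluated against a missing row. In `banned()`, the Refresh target is built from `$_SERVER["HTTP_HOST"]`, i.e. whatever Host header the request carried; a relative `header("Refresh: 0; url=/banned");` avoids sending the browser to a host chosen by the request and also uses the `url=` form the Refresh header is normally written in. Emitting a non-200 status there as well (`http_response_code(403);` before the header) makes the ban visible in access logs and to clients that ignore Refresh. check_if_banned's opening lines are outside the hunk.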
diff --git a/www/httperror.php b/www/httperror.php
index 8b1a62a..e22dd28 100755
--- a/www/httperror.php
+++ b/www/httperror.php
@@ -49,6 +49,10 @@
}elseif($_GET['e']==504){
echo '
'.$_GET['e'].'
';
echo 'A server i'm trying to contact is insanely slow. I can't wait forever. I'm sorry!
';
+
+ }elseif($_GET['e']=='ban'){
+ echo 'You are banned!
';
+ echo 'Too many authentication failures.It's not my fault. I swear.
';}
}?>
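Review bot: The new `ban` branch answers with the same status as any other page (no status call is visible in this hunk), so a banned client still receives a 200 with a message body; set an explicit error status first, e.g. `http_response_code(403);` before the echo. Match the branch with `$_GET['e'] === 'ban'` rather than `==`, so the comparison does not depend on PHP's loose string-to-number rules that the numeric branches above rely on. If the single-quoted message really contains an unescaped apostrophe (`It's`) as rendered here, it is a parse error — the rendering may have dropped a backslash, but it is worth confirming, and the same applies to the 504 message in the context lines. The if/elseif chain this branch belongs to begins outside the hunk.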
diff --git a/www/index.php b/www/index.php
index 73c9b5d..3110776 100755
--- a/www/index.php
+++ b/www/index.php
@@ -12,8 +12,7 @@ if(!isset($_SESSION["login_attempts"])){
}
if(check_if_banned($db)){
- echo "You are banned. ;_;";
- exit;
+ banned();
}
if(empty($_GET)){
diff --git a/www/setup.php b/www/setup.php
index 99c9034..8d56f6e 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -57,7 +57,7 @@ if($bool){
CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id));
INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', '');
CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
- CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+ CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
COMMIT;")
) {
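Review bot: The added columns only reach fresh installs: `CREATE TABLE IF NOT EXISTS` is a no-op on a database that already has the four-column `banned_user`, so existing deployments keep a table without `login_attempts` and the INSERT that brutforce_protection now issues against it fails. Add a migration step for existing databases, for example `ALTER TABLE banned_user ADD COLUMN login_attempts INTEGER;` and `ALTER TABLE banned_user ADD COLUMN user INTEGER;` guarded by a check of `PRAGMA table_info(banned_user)`, or introduce a schema version. The new `user INTEGER` column also lacks the `FOREIGN KEY(user) REFERENCES user(id)` clause that the `files` and `log` tables above it carry, and nothing in this commit writes to it, so either wire it up or leave it out until it is used. The CREATE statements are part of a statement batch whose BEGIN is outside the hunk.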
--
cgit v1.2.3
From e5447d0702de9733f14d5d6ff1e1b46aac9335af Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 16 Apr 2014 13:49:08 +0200
Subject: Comments.
---
www/functions/func_login.php | 4 ++--
www/httperror.php | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'www')
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index afd116c..943e20e 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -64,7 +64,7 @@ function brutforce_protection($db){
BEGIN TRANSACTION;
INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
COMMIT;
- ")
+ ");
banned();
} else {
@@ -95,7 +95,7 @@ function check_if_banned($db){
$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
$db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($log_at <= 0)
+ if($log_at <= 0){
if ($check_ar[0] >= $accepted_time){
return true; // still banned
}
diff --git a/www/httperror.php b/www/httperror.php
index e22dd28..423f0fa 100755
--- a/www/httperror.php
+++ b/www/httperror.php
@@ -6,6 +6,8 @@
500
502
504
+
+ ban -- user is banned and not allowed to log in
404 is displayed if $_GET["e"] is not set.
@@ -52,7 +54,7 @@
}elseif($_GET['e']=='ban'){
echo 'You are banned!
';
- echo 'Too many authentication failures.It's not my fault. I swear.
';}
+ echo 'Too many authentication failures.It's not my fault. I swear.
';
}?>
--
cgit v1.2.3