From c819309fc4c664793a3600b196dab1133f481ff0 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 22 Jan 2022 19:54:39 +0000
Subject: [PATCH] Add basic IP login brute force protection
---
 login.php | 257 +++++++++++++++++++++++++++++-------------------------
 1 file changed, 140 insertions(+), 117 deletions(-)
diff --git a/login.php b/login.php
index 656c356c..793fff16 100644
--- a/login.php
+++ b/login.php
@@ -1,8 +1,8 @@ (NOW() - INTERVAL 5 MINUTE)");
+ $failed_login_count = mysqli_num_rows($ip_failed_logins_sql);
- // Setup encryption session key
- if(isset($row['user_specific_encryption_ciphertext'])){
- $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
- $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
- generateUserSessionKey($site_encryption_master_key);
+ // Login brute force check
+ if($failed_login_count >= 10){
+
+ // Logging
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
+
+ // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company)
+ if($failed_login_count == 10){
+ mysqli_query($mysqli,"INSERT INTO alerts SET alert_type = 'Lockout', alert_message = '$ip was locked out for repeated failed login attempts.', alert_date = NOW(), company_id = '1'");
+ }
+
+ // Inform user
+ $response = '
IP Lockout - Please try again later.
'; }
- // Setup extension
- if(isset($row['user_extension_key']) && !empty($row['user_extension_key'])){
- // Extension cookie
- // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS.
- setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/','secure' => true,'httponly' => true,'samesite' => 'None']);
+ // Passed login brute force check
+ else{
+ $email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
+ $password = $_POST['password'];
+ $current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code']));
+ if (!empty($current_code)) {
+ $current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code']));
+ }
+ $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email'");
+ $row = mysqli_fetch_array($sql);
+ if (password_verify($password, $row['user_password'])) {
- // Set PHP session in DB so we can access the session encryption data (above)
- $user_php_session = session_id();
- mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'");
+ $token = $row['user_token'];
+ $_SESSION['user_id'] = $row['user_id'];
+ $_SESSION['user_name'] = $row['user_name'];
+ $user_name = $row['user_name'];
+ $user_id = $row['user_id'];
- }
+ // Setup encryption session key
+ if (isset($row['user_specific_encryption_ciphertext'])) {
+ $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
+ $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
+ generateUserSessionKey($site_encryption_master_key);
+ }
- if(empty($token)){
- $_SESSION['logged'] = TRUE;
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
-
- header("Location: dashboard.php");
- }else{
- $token_field = "
- -
-
- + // Setup extension + if (isset($row['user_extension_key']) && !empty($row['user_extension_key'])) { + // Extension cookie + // Note: Browsers don't accept cookies with SameSite None if they are not HTTPS. + setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']); + + // Set PHP session in DB so we can access the session encryption data (above) + $user_php_session = session_id(); + mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'"); + + } + + if (empty($token)) { + $_SESSION['logged'] = TRUE; + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); + + header("Location: dashboard.php"); + } else { + $token_field = "
+ +
+
+ +
+
+
"; + + require_once("rfc6238.php"); + + if (TokenAuth6238::verify($token, $current_code)) { + $_SESSION['logged'] = TRUE; + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login 2FA', log_action = 'Success', log_description = '$user_name successfully logged in using 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); + //header("Location: $config_start_page"); + header("Location: dashboard.php"); + } else { + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = '2FA Failed', log_description = '$user_name failed 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); + + $response = " +
+ Please Enter 2FA Key! +
-
-
";
+ ";
+ }
+ }
- require_once("rfc6238.php");
+ } else {
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
- if(TokenAuth6238::verify($token,$current_code)){
- $_SESSION['logged'] = TRUE;
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login 2FA', log_action = 'Success', log_description = '$user_name successfully logged in using 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
- //header("Location: $config_start_page");
- header("Location: dashboard.php");
- }else{
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = '2FA Failed', log_description = '$user_name failed 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
-
- $response = " -
- Please Enter 2FA Key! + $response = " +
+ Incorrect username or password.
"; - } + } } - - }else{ - mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()"); - - $response = " -
- Incorrect username or password. - -
- "; - } } ?> - + <?php echo $config_app_name; ?> | Login @@ -128,63 +151,63 @@ if(isset($_POST['login'])){ - - - + - - - - - - + + + + + + - + + + + + - + \ No newline at end of file
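Review bot: The log row written inside the new lockout branch uses `log_action = 'Failed'`, the same action the wrong-password branch writes, so if the count query (whose WHERE clause is cut off at the start of the hunk) selects on that action, every request made during a lockout is itself counted and the 5-minute window keeps sliding forward for as long as the client keeps trying — which also keeps out everyone sharing that address. I would record the blocked attempt under its own action, `log_action = 'Lockout'`, or exclude it from the count, so the lockout actually expires. Conversely the 2FA branch still logs `log_action = '2FA Failed'`, so TOTP guesses against a known password are presumably not counted toward the IP lockout; either count both actions in the query or log it as `'Failed'`. The lockout is keyed on `$ip`, which is presumably assigned earlier in the file: if it is taken from a forwarded-for style header rather than `REMOTE_ADDR`, a client can defeat the check by varying the header, and the same value is interpolated unescaped into the new `alerts` INSERT and the count query, which should be prepared statements. The enclosing `if(isset($_POST['login']))` block starts before the hunk.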