From 5a1a2801f3833eac3740f7298d586f4a45985ced Mon Sep 17 00:00:00 2001 From: Florian Lippert Date: Sun, 29 Aug 2004 17:55:58 +0000 Subject: [PATCH] Anti-Bruteforce-Patch von eremit (Martin) eingefuegt. git-svn-id: file:///var/svn/trunk@18 45fdb5c4-e40b-0410-b369-9aab4fe9a275
--- syscp/index.php | 47 +++++++++++++++++++++++++++++++-------- syscp/install/syscp.sql | 12 ++++++++-- syscp/lng/english.lng.php | 1 + syscp/lng/german.lng.php | 1 + 4 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/syscp/index.php b/syscp/index.php
index 06d61a2b..16649d6e 100755
--- a/syscp/index.php
+++ b/syscp/index.php
@@ -43,21 +43,50 @@ $loginname = addslashes($_POST['loginname']); $password = addslashes($_POST['password']); - $result = $db->query("SELECT `customerid` AS `userid` FROM `".TABLE_PANEL_CUSTOMERS."` WHERE `loginname` = '$loginname' AND `password` = '".md5($password)."' AND `deactivated` <> '1'"); - if ($db->num_rows($result) > 0) + $row = $db->query_first("SELECT `loginname` AS `customer` FROM `".TABLE_PANEL_CUSTOMERS."` WHERE `loginname`='$loginname'"); + if ($row['customer'] == $loginname) { - $userinfo = $db->fetch_array($result); - $userinfo['adminsession'] = '0'; + $table = "`".TABLE_PANEL_CUSTOMERS."`"; + $uid = 'customerid'; + $adminsession = '0'; } else { - // wenn user nicht vorhanden auf admin testen - $result = $db->query("SELECT `adminid` AS `userid` FROM `".TABLE_PANEL_ADMINS."` WHERE `loginname` = '$loginname' AND `password` = '".md5($password)."' AND `deactivated` <> '1'"); - if ($db->num_rows($result) > 0) + $row = $db->query_first("SELECT `loginname` AS `admin` FROM `".TABLE_PANEL_ADMINS."` WHERE `loginname`='$loginname'"); + if ($row['admin'] == $loginname) { - $userinfo = $db->fetch_array($result); - $userinfo['adminsession'] = '1'; + $table = "`".TABLE_PANEL_ADMINS."`"; + $uid = 'adminid'; + $adminsession = '1'; } + else + { + standard_error('login'); + exit; + } + } + + $userinfo = $db->query_first("SELECT * FROM $table WHERE `loginname`='$loginname'"); + if ($userinfo['loginfail_count'] >= $settings['login']['maxloginattempts'] && $userinfo['lastlogin_fail'] > (time()-$settings['login']['deactivatetime'])) + { + standard_error('login_blocked'); + exit; + } + elseif ($userinfo['password'] == md5($password)) + { + // login correct + // reset loginfail_counter, set lastlogin_succ + $db->query("UPDATE $table SET `lastlogin_succ`='".time()."', `loginfail_count`='0' WHERE `$uid`='".$userinfo[$uid]."'"); + $userinfo['userid'] = $userinfo[$uid]; + $userinfo['adminsession'] = $adminsession; + } + else + { + // login incorrect + $db->query("UPDATE 
$table SET `lastlogin_fail`='".time()."', `loginfail_count`=`loginfail_count`+1 WHERE `$uid`='".$userinfo[$uid]."'"); + unset($userinfo); + standard_error('login'); + exit; } if(isset($userinfo['userid']) && $userinfo['userid'] != '') diff --git a/syscp/install/syscp.sql b/syscp/install/syscp.sql index c825e4a5..39abb7a4 100755 --- a/syscp/install/syscp.sql +++ b/syscp/install/syscp.sql @@ -34,7 +34,10 @@ CREATE TABLE `panel_admins` ( `traffic` int(15) NOT NULL default '0', `traffic_used` int(15) NOT NULL default '0', `deactivated` tinyint(1) NOT NULL default '0', - PRIMARY KEY (`adminid`) + `lastlogin_succ` int(11) unsigned NOT NULL default '0', + `lastlogin_fail` int(11) unsigned NOT NULL default '0', + `loginfail_count` int(11) unsigned NOT NULL default '0', + PRIMARY KEY (`adminid`) ) TYPE=MyISAM ; @@ -80,7 +83,10 @@ CREATE TABLE `panel_customers` ( `ftp_lastaccountnumber` int(11) NOT NULL default '0', `mysql_lastaccountnumber` int(11) NOT NULL default '0', `deactivated` tinyint(1) NOT NULL default '0', - PRIMARY KEY (`customerid`), + `lastlogin_succ` int(11) unsigned NOT NULL default '0', + `lastlogin_fail` int(11) unsigned NOT NULL default '0', + `loginfail_count` int(11) unsigned NOT NULL default '0', + PRIMARY KEY (`customerid`), KEY `loginname` (`loginname`) ) TYPE=MyISAM ; # 
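Review bot: The `deactivated <> '1'` condition that both removed queries carried is missing on the new side — the second lookup is `SELECT * FROM $table WHERE loginname='$loginname'` and the password branch never reads `$userinfo['deactivated']`, so a deactivated customer or admin with the right password now gets a session unless that flag is re-checked after `if(isset($userinfo['userid']) ...`, which runs past the end of the hunk. Guard it before the password test, e.g. `if ($userinfo['deactivated'] == '1') { standard_error('login'); exit; }`. The new comparison `$userinfo['password'] == md5($password)` should be `===`: PHP's loose `==` treats two hex strings of the form `0e<digits>` as equal numbers, so an account whose stored hash happens to look like that would accept any password whose md5 also does. The lockout is keyed on the account alone and answers with a distinct `login_blocked` error, so anyone who knows an admin's loginname can keep that admin locked out with three wrong passwords every `deactivatetime` seconds, and after three failures the next response reveals whether a loginname exists; binding the counter to the client address, or delaying instead of hard-locking, would limit both. The enclosing block starts before the first context line `$loginname = addslashes(...)` and continues past the hunk.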
@@ -248,6 +254,8 @@ INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) V INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (21, 'system', 'binddefaultzone', 'default.zone'); INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (22, 'panel', 'version', '1.1-cvs'); INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (23, 'system', 'hostname', 'SERVERNAME'); +INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (24, 'login', 'maxloginattempts', '3'); +INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (25, 'login', 'deactivatetime', '900'); # -------------------------------------------------------- diff --git a/syscp/lng/english.lng.php b/syscp/lng/english.lng.php index 169b6745..79250b75 100755 --- a/syscp/lng/english.lng.php +++ b/syscp/lng/english.lng.php @@ -148,6 +148,7 @@ $lng['error']['domains_cantdeletemaindomain'] = 'You cannot delete a domain which is used as an email-domain.'; $lng['error']['ftp_cantdeletemainaccount'] = 'You cannot delete your main FTP-account'; $lng['error']['login'] = 'The username or password you typed in is wrong. Please try it again!'; +$lng['error']['login_blocked'] = 'This account has been suspended because of too many loginerrors.
Please try again in '.$settings['login']['deactivatetime'].' seconds.'; $lng['error']['notallreqfieldsorerrors'] = 'You have not filled in all or filled in some fields incorrectly.'; $lng['error']['oldpasswordnotcorrect'] = 'The old password is not correct.'; $lng['error']['youcantallocatemorethanyouhave'] = 'You cannot allocate more ressources than you own for yourself.'; diff --git a/syscp/lng/german.lng.php b/syscp/lng/german.lng.php index 01b1fd9c..7a91a901 100755 --- a/syscp/lng/german.lng.php +++ b/syscp/lng/german.lng.php @@ -148,6 +148,7 @@ $lng['error']['domains_cantdeletemaindomain'] = 'Sie können keine Domain, die als eMail-Domain verwendet wird löschen. '; $lng['error']['ftp_cantdeletemainaccount'] = 'Sie können Ihren Hauptaccount nicht löschen.'; $lng['error']['login'] = 'Der angegebene Benuternamen/Passwort ist falsch.'; +$lng['error']['login_blocked'] = 'Dieser Account wurde aufgrund zuvieler Fehlversuche vorrübergehend geschlossen.
Bitte versuchen Sie es in '.$settings['login']['deactivatetime'].' Sekunden erneut.'; $lng['error']['notallreqfieldsorerrors'] = 'Sie haben nicht alle Felder oder ein Feld mit fehlerhaften Angaben ausgefüllt.'; $lng['error']['oldpasswordnotcorrect'] = 'Das alte Passwort ist nicht korrekt.'; $lng['error']['youcantallocatemorethanyouhave'] = 'Sie können nicht mehr Ressource verteilen als Sie noch frei haben.';