Anti-Bruteforce-Patch von eremit (Martin) eingefuegt.

git-svn-id: file:///var/svn/trunk@18 45fdb5c4-e40b-0410-b369-9aab4fe9a275

syscp/index.php

@@ -43,21 +43,50 @@
 			$loginname = addslashes($_POST['loginname']);
 			$password = addslashes($_POST['password']);
 
-			$result = $db->query("SELECT `customerid` AS `userid` FROM `".TABLE_PANEL_CUSTOMERS."` WHERE `loginname` = '$loginname' AND `password` = '".md5($password)."' AND `deactivated` <> '1'");
-			if ($db->num_rows($result) > 0) 
+			$row = $db->query_first("SELECT `loginname` AS `customer` FROM `".TABLE_PANEL_CUSTOMERS."` WHERE `loginname`='$loginname'");
+			if ($row['customer'] == $loginname)
 			{
-				$userinfo = $db->fetch_array($result);
-				$userinfo['adminsession'] = '0';
+				$table = "`".TABLE_PANEL_CUSTOMERS."`";
+				$uid = 'customerid';
+				$adminsession = '0';
 			}
 			else
 			{
-				// wenn user nicht vorhanden auf admin testen
-				$result = $db->query("SELECT `adminid` AS `userid` FROM `".TABLE_PANEL_ADMINS."` WHERE `loginname` = '$loginname' AND `password` = '".md5($password)."' AND `deactivated` <> '1'");
-				if ($db->num_rows($result) > 0)
+				$row = $db->query_first("SELECT `loginname` AS `admin` FROM `".TABLE_PANEL_ADMINS."` WHERE `loginname`='$loginname'");
+				if ($row['admin'] == $loginname)
 				{
-					$userinfo = $db->fetch_array($result);
-					$userinfo['adminsession'] = '1';
+					$table = "`".TABLE_PANEL_ADMINS."`";
+					$uid = 'adminid';
+					$adminsession = '1';
 				}
+				else
+				{
+					standard_error('login');
+					exit;
+				}
+			}
+
+			$userinfo = $db->query_first("SELECT * FROM $table WHERE `loginname`='$loginname'");
+			if ($userinfo['loginfail_count'] >= $settings['login']['maxloginattempts'] && $userinfo['lastlogin_fail'] > (time()-$settings['login']['deactivatetime']))
+			{
+				standard_error('login_blocked');
+				exit;
+			}
+			elseif ($userinfo['password'] == md5($password))
+			{
+				// login correct
+				// reset loginfail_counter, set lastlogin_succ
+				$db->query("UPDATE $table SET `lastlogin_succ`='".time()."', `loginfail_count`='0' WHERE `$uid`='".$userinfo[$uid]."'");
+				$userinfo['userid'] = $userinfo[$uid];
+				$userinfo['adminsession'] = $adminsession;
+			}
+			else
+			{
+				// login incorrect
+				$db->query("UPDATE $table SET `lastlogin_fail`='".time()."', `loginfail_count`=`loginfail_count`+1 WHERE `$uid`='".$userinfo[$uid]."'");
+				unset($userinfo);
+				standard_error('login');
+				exit;
 			}
 
 			if(isset($userinfo['userid']) && $userinfo['userid'] != '')

syscp/install/syscp.sql

@@ -34,7 +34,10 @@ CREATE TABLE `panel_admins` (
   `traffic` int(15) NOT NULL default '0',
   `traffic_used` int(15) NOT NULL default '0',
   `deactivated` tinyint(1) NOT NULL default '0',
-  PRIMARY KEY  (`adminid`)
+  `lastlogin_succ` int(11) unsigned NOT NULL default '0',
+  `lastlogin_fail` int(11) unsigned NOT NULL default '0',
+  `loginfail_count` int(11) unsigned NOT NULL default '0',
+   PRIMARY KEY  (`adminid`)
 ) TYPE=MyISAM ;
 
 
@@ -80,7 +83,10 @@ CREATE TABLE `panel_customers` (
   `ftp_lastaccountnumber` int(11) NOT NULL default '0',
   `mysql_lastaccountnumber` int(11) NOT NULL default '0',
   `deactivated` tinyint(1) NOT NULL default '0',
-  PRIMARY KEY  (`customerid`),
+  `lastlogin_succ` int(11) unsigned NOT NULL default '0',
+  `lastlogin_fail` int(11) unsigned NOT NULL default '0',
+  `loginfail_count` int(11) unsigned NOT NULL default '0',
+   PRIMARY KEY  (`customerid`),
   KEY `loginname` (`loginname`)
 ) TYPE=MyISAM ;
 #
@@ -248,6 +254,8 @@ INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) V
 INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (21, 'system', 'binddefaultzone', 'default.zone');
 INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (22, 'panel', 'version', '1.1-cvs');
 INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (23, 'system', 'hostname', 'SERVERNAME');
+INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (24, 'login', 'maxloginattempts', '3');
+INSERT INTO `panel_settings` (`settingid`, `settinggroup`, `varname`, `value`) VALUES (25, 'login', 'deactivatetime', '900');
 
 
 # --------------------------------------------------------

syscp/lng/english.lng.php

@@ -148,6 +148,7 @@
 $lng['error']['domains_cantdeletemaindomain'] = 'You cannot delete a domain which is used as an email-domain.';
 $lng['error']['ftp_cantdeletemainaccount'] = 'You cannot delete your main FTP-account';
 $lng['error']['login'] = 'The username or password you typed in is wrong. Please try it again!';
+$lng['error']['login_blocked'] = 'This account has been suspended because of too many loginerrors. <br />Please try again in '.$settings['login']['deactivatetime'].' seconds.';
 $lng['error']['notallreqfieldsorerrors'] = 'You have not filled in all or filled in some fields incorrectly.';
 $lng['error']['oldpasswordnotcorrect'] = 'The old password is not correct.';
 $lng['error']['youcantallocatemorethanyouhave'] = 'You cannot allocate more ressources than you own for yourself.';

syscp/lng/german.lng.php

@@ -148,6 +148,7 @@
 $lng['error']['domains_cantdeletemaindomain'] = 'Sie können keine Domain, die als eMail-Domain verwendet wird löschen. ';
 $lng['error']['ftp_cantdeletemainaccount'] = 'Sie können Ihren Hauptaccount nicht löschen.';
 $lng['error']['login'] = 'Der angegebene Benuternamen/Passwort ist falsch.';
+$lng['error']['login_blocked'] = 'Dieser Account wurde aufgrund zuvieler Fehlversuche vorrübergehend geschlossen. <br />Bitte versuchen Sie es in '.$settings['login']['deactivatetime'].' Sekunden erneut.';
 $lng['error']['notallreqfieldsorerrors'] = 'Sie haben nicht alle Felder oder ein Feld mit fehlerhaften Angaben ausgef&uuml;llt.';
 $lng['error']['oldpasswordnotcorrect'] = 'Das alte Passwort ist nicht korrekt.';
 $lng['error']['youcantallocatemorethanyouhave'] = 'Sie k&ouml;nnen nicht mehr Ressource verteilen als Sie noch frei haben.';