
+Pluswerk TYPO3 security extension: Secure Login

This extension checks frontend and backend logins for brute-force attacks. You can also detect and avoid brute-force attacks on other inputs, like serial number inputs or coupon code inputs.

Say goodbye to the try-out-hackers!

Advantages

  • extendable
  • small
  • security improvement
  • just install and use preset configuration

Identification of brute-force attacks

A brute-force attack is identified in accordance with the following rules:

  1. One IP tries out lots of different users
  2. One user is tried with lots of different passwords

If a brute-force attack is identified, the attacking IP (in the first case) or the user (in the second case) is blocked for a configurable period.

Installation

Install the TYPO3 extension via composer (recommended) or via TER (no longer recommended).

Composer installation:

composer require pluswerk/secure-login

Default configuration

If no settings are made, the extension blocks users or IPs for two hours if they have more than 5 failed attempts in one hour.

Configuration (optional)

// Default configuration: overwrite this in your own localconf.php
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['secure_login'] = [
    'defaultBlockingConfiguration' => [
        // frontend logins
        'FE' => \Pluswerk\SecureLogin\Configuration\BlockingConfiguration::createConfig(),
        // backend logins
        'BE' => \Pluswerk\SecureLogin\Configuration\BlockingConfiguration::createConfig(),
    ],
];

The blocking configuration takes the following settings:

  • maxFailedAttempts: Maximum number of failed logins over the time period 'timeRangeInSeconds'.
  • timeRangeInSeconds: Time period (in seconds) over which 'maxFailedAttempts' are counted.
  • blockingPeriodInSeconds: Time period (in seconds) for which the user or IP is blocked.

Example:

A user is blocked for 'blockingPeriodInSeconds' seconds if 'maxFailedAttempts' wrong passwords are tried for that user within 'timeRangeInSeconds' seconds.
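The two identification rules above and the three settings just listed, worked through as a small reference model. This is added example code, not the extension's own implementation: it assumes "lots of different users/passwords" means distinct values seen inside the counting window, uses the README's defaults (5 attempts, one hour, two hours), and keeps only a fingerprint of each password rather than the password itself.

```python
import hashlib
from collections import defaultdict, deque

# Defaults stated in the README: block for two hours after more than
# 5 failed attempts within one hour.
DEFAULT_CONFIG = {
    "maxFailedAttempts": 5,
    "timeRangeInSeconds": 3600,
    "blockingPeriodInSeconds": 7200,
}


class BruteForceGuard:
    """Reference model of the two blocking rules; not the extension's own code."""

    def __init__(self, config=DEFAULT_CONFIG):
        self.cfg = config
        self.attempts = defaultdict(deque)  # (kind, subject) -> deque of (time, value)
        self.blocked_until = {}             # (kind, subject) -> unblock timestamp

    def is_blocked(self, kind, subject, now):
        until = self.blocked_until.get((kind, subject))
        if until is not None and now < until:
            return True
        self.blocked_until.pop((kind, subject), None)  # expired block (or none set)
        return False

    def record_failure(self, ip, username, password, now):
        """Register one failed login; returns the (kind, subject) keys newly blocked."""
        # Rule 1: one IP trying many users.  Rule 2: one user tried with many passwords.
        # Assumption: only a hash fingerprint of the password is stored, never the password.
        pw_fp = hashlib.sha256(password.encode()).hexdigest()[:16]
        newly_blocked = []
        for key, value in ((("ip", ip), username), (("user", username), pw_fp)):
            window = self.attempts[key]
            window.append((now, value))
            while window and now - window[0][0] >= self.cfg["timeRangeInSeconds"]:
                window.popleft()  # forget attempts outside the counting window
            distinct = {v for _, v in window}
            if len(distinct) > self.cfg["maxFailedAttempts"]:
                self.blocked_until[key] = now + self.cfg["blockingPeriodInSeconds"]
                window.clear()
                newly_blocked.append(key)
        return newly_blocked
```

Feeding the same constructed failures through a different configuration shows how the window and the blocking period interact before touching the live site's settings.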

Extend Extension

Display security messages

The configured blocking is always active. To show security messages in the frontend, add the following lines to your template:

<!-- use namespace -->
<div xmlns:sl="http://typo3.org/ns/Pluswerk/SecureLogin/ViewHelpers"> 
  <!-- content goes here -->
  
  <f:if condition="{sl:securityMessage()}">
    <!-- fluid placeholder for security messages -->
    <p><sl:securityMessage/></p>
  </f:if>
  
  <!-- content goes here -->
</div> 

Log failed attempts

This sample, taken from a serial number check, logs a failed attempt so that it counts towards blocking:

// Requires `use TYPO3\CMS\Core\Utility\GeneralUtility;` and the extension's
// AuthSecurityService to be imported at the top of the class file.

// Look up the form that belongs to the submitted serial number.
$formInDatabase = $this->formRepository->findBySerialNumber($form->getSerialNumber());
if (count($formInDatabase) > 0) {
  /** @var \Pluswerk\SecureLogin\Configuration\BlockingConfiguration $blockingConfiguration */
  $blockingConfiguration = \Pluswerk\SecureLogin\Configuration\BlockingConfiguration::createConfig();

  // Report the failed attempt so the IP and user counters apply to this input too.
  /** @var AuthSecurityService $authSecurityService */
  $authSecurityService = GeneralUtility::makeInstance(AuthSecurityService::class);
  $authSecurityService->logUserPasswordAuthenticationFailed($username, $password);
}