- Move brute force login protection before the page loads

- Increased the threshold to 15 attempts, but over 10 mins instead

login.php

@@ -5,13 +5,28 @@ if(!file_exists('config.php')){
     exit;
 }
 
-include("config.php");
+require_once("config.php");
-include("functions.php");
+require_once("functions.php");
+require_once("rfc6238.php");
 
 // IP & User Agent for logging
 $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
 $user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
 
+// Block brute force password attacks - check recent failed login attempts for this IP
+//  Block access if more than 15 failed login attempts have happened in the last 10 minutes
+$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 10 MINUTE)"));
+$failed_login_count = $row['failed_login_count'];
+
+if ($failed_login_count >= 15) {
+
+    // Logging
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Blocked', log_description = '$ip was blocked access to login due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'");
+
+    // Inform user & quit processing page
+    exit("<h2>ITFlow</h2>Your IP address has been blocked due to repeated failed login attempts. Please try again later. <br><br>This action has been logged.");
+}
+
 // Query Settings for "default" company (as companies are being removed shortly)
 $sql_settings = mysqli_query($mysqli,"SELECT * FROM settings WHERE company_id = 1");
 $row = mysqli_fetch_array($sql_settings);
@@ -25,7 +40,6 @@ $config_smtp_password = $row['config_smtp_password'];
 $config_mail_from_email = $row['config_mail_from_email'];
 $config_mail_from_name = $row['config_mail_from_name'];
 
-
 // HTTP-Only cookies
 ini_set("session.cookie_httponly", True);
 
@@ -40,25 +54,6 @@ if (isset($_POST['login'])) {
     // Sessions should start after the user has POSTed data
     session_start();
 
-    // Check recent failed login attempts for this IP (more than 10 failed logins in 5 mins)
-    $row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 5 MINUTE)"));
-    $failed_login_count = $row['failed_login_count'];
-
-    // Login brute force check
-    if ($failed_login_count >= 10) {
-
-        // Logging
-        mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'");
-
-        // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company)
-        if($failed_login_count == 10){
-            mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'");
-        }
-
-        // Inform user
-        $response = '<div class=\'alert alert-danger\'>IP Lockout - Please try again later.<button class=\'close\' data-dismiss=\'alert\'>&times;</button></div>';
-
-    } else {
     // Passed login brute force check
     $email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
     $password = $_POST['password'];
@@ -82,7 +77,6 @@ if (isset($_POST['login'])) {
         $token = $row['user_token'];
 
         // Checking for user 2FA
-            require_once("rfc6238.php");
         if (empty($token) || TokenAuth6238::verify($token, $current_code)) {
 
             // FULL LOGIN SUCCESS - 2FA not configured or was successful
@@ -183,7 +177,6 @@ if (isset($_POST['login'])) {
               </div>";
     }
 }
-}
 
 ?>