ThaMunsta/itflow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #320 from wrongecho/brute-force-login

Browse Source 
Add basic IP login brute force protection
This commit is contained in:
Johnny
2022-01-22 16:45:36 -05:00
committed by GitHub
parent 833d8996ed c819309fc4
commit c47eac328d
1 changed files with 140 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files
login.php
+24 -1
View File
@@ -29,6 +29,29 @@ if(isset($_POST['login'])){
// Sessions should start after the user has POSTed data
session_start();
// Check recent failed login attempts for this IP (more than 10 failed logins in 5 mins)
// TODO: We can probably just use a count for this, but couldn't make it not count *everything*
$ip_failed_logins_sql = mysqli_query($mysqli, "SELECT * FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 5 MINUTE)");
$failed_login_count = mysqli_num_rows($ip_failed_logins_sql);
// Login brute force check
if($failed_login_count >= 10){
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
// Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company)
if($failed_login_count == 10){
mysqli_query($mysqli,"INSERT INTO alerts SET alert_type = 'Lockout', alert_message = '$ip was locked out for repeated failed login attempts.', alert_date = NOW(), company_id = '1'");
}
// Inform user
$response = '<div class=\'alert alert-danger\'>IP Lockout - Please try again later.<button class=\'close\' data-dismiss=\'alert\'>&times;</button></div>';
}
// Passed login brute force check
else{
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$password = $_POST['password'];
$current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code']));
@@ -37,7 +60,6 @@ if(isset($_POST['login'])){
}
$sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email'");
$row = mysqli_fetch_array($sql);
if (password_verify($password, $row['user_password'])) {
$token = $row['user_token'];
@@ -110,6 +132,7 @@ if(isset($_POST['login'])){
";
}
}
}
?>