authorartem <artem@97f52cf1-0a1b-0410-bd0e-c28be96e8082>2008-04-29 11:52:36 +0000
committerartem <artem@97f52cf1-0a1b-0410-bd0e-c28be96e8082>2008-04-29 11:52:36 +0000
commitec43f191d24dd3cf181061cbf4582029dcdca399 (patch)
treeb4a72c596497ddea14668433a355a6579ff3ebc7 /frontends
parent131500f24e0298058a33aa79ced9d01111c7b778 (diff)
downloadzabbix-ec43f191d24dd3cf181061cbf4582029dcdca399.tar.gz
zabbix-ec43f191d24dd3cf181061cbf4582029dcdca399.tar.xz
zabbix-ec43f191d24dd3cf181061cbf4582029dcdca399.zip
- [DEV-153] added protection against brute-force attacks (Artem)
git-svn-id: svn://svn.zabbix.com/trunk@5666 97f52cf1-0a1b-0410-bd0e-c28be96e8082
Diffstat (limited to 'frontends')
-rw-r--r--frontends/php/include/config.inc.php2
-rw-r--r--frontends/php/include/defines.inc.php3
-rw-r--r--frontends/php/include/perm.inc.php5
-rw-r--r--frontends/php/index.php54
4 files changed, 45 insertions, 19 deletions
diff --git a/frontends/php/include/config.inc.php b/frontends/php/include/config.inc.php
index ae183ae4..024358ef 100644
--- a/frontends/php/include/config.inc.php
+++ b/frontends/php/include/config.inc.php
@@ -105,7 +105,7 @@ function TODO($msg) { echo "TODO: ".$msg.SBR; } // DEBUG INFO!!!
if(defined('ZBX_DENY_GUI_ACCESS')){
if(isset($ZBX_GUI_ACCESS_IP_RANGE) && is_array($ZBX_GUI_ACCESS_IP_RANGE)){
- $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?($_SERVER['HTTP_X_FORWARDED_FOR']):($_SERVER['REMOTE_ADDR']);
+ $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?($_SERVER['HTTP_X_FORWARDED_FOR']):($_SERVER['REMOTE_ADDR']);
if(!str_in_array($user_ip,$ZBX_GUI_ACCESS_IP_RANGE)) $DENY_GUI = TRUE;
}
else{
diff --git a/frontends/php/include/defines.inc.php b/frontends/php/include/defines.inc.php
index 728288b1..571386fb 100644
--- a/frontends/php/include/defines.inc.php
+++ b/frontends/php/include/defines.inc.php
@@ -27,6 +27,9 @@
define('PAGE_TYPE_XML', 2);
define('PAGE_TYPE_JS', 3); //javascript
define('PAGE_TYPE_HTML_BLOCK', 4); //simple block of html (as text)
+
+ define('ZBX_LOGIN_ATTEMPTS', 5);
+ define('ZBX_LOGIN_BLOCK', 180);
define('T_ZBX_STR', 0);
define('T_ZBX_INT', 1);
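Review bot: The two new defines after `PAGE_TYPE_HTML_BLOCK` carry no comment, unlike the neighbouring page-type constants, and their units are not obvious from the names; index.php compares `ZBX_LOGIN_BLOCK` against `time()-attempt_clock`, so it is a duration in seconds. Suggest `define('ZBX_LOGIN_ATTEMPTS', 5); // failed logins before the account is temporarily blocked` and `define('ZBX_LOGIN_BLOCK', 180); // length of that block, in seconds`.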
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php
index c0692cf4..5cf3ae64 100644
--- a/frontends/php/include/perm.inc.php
+++ b/frontends/php/include/perm.inc.php
@@ -53,9 +53,14 @@
' AND s.userid=u.userid'.
' AND ((s.lastaccess+u.autologout>'.time().') OR (u.autologout=0))'.
' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID)));
+
if(!$USER_DETAILS){
$incorect_session = true;
}
+ else if($login['attempt_failed']){
+ error('There was ['.$login['attempt_failed'].'] failed attempts to Login from ['.$login['attempt_ip'].'] at ['.date('d.m.Y H:nn',$login['attempt_clock']).'] o\'clock!');
+ DBexecute('UPDATE users SET attempt_failed=0 WHERE userid='.zbx_dbstr($login['userid']));
+ }
}
if(!$USER_DETAILS){
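Review bot: The format string `'d.m.Y H:nn'` in the new `else if` branch is wrong: in date() `n` is the month without leading zeros, so the message shows the hour followed by the month twice; minutes are `i`, i.e. `date('d.m.Y H:i', $login['attempt_clock'])`. The same message echoes `attempt_ip`, which index.php fills from `HTTP_X_FORWARDED_FOR`, a client-supplied header; unless error() escapes its argument for HTML, that value should go through htmlspecialchars() before display. `$login` is not assigned anywhere in this hunk, so it is presumably the variable set in index.php — if this code sits inside a function it needs to be brought into scope explicitly. The enclosing block starts outside the hunk.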
diff --git a/frontends/php/index.php b/frontends/php/index.php
index f469e6df..218f8f05 100644
--- a/frontends/php/index.php
+++ b/frontends/php/index.php
@@ -43,8 +43,7 @@
<?php
$sessionid = get_cookie('zbx_sessionid', null);
- if(isset($_REQUEST["reconnect"]) && isset($sessionid))
- {
+ if(isset($_REQUEST["reconnect"]) && isset($sessionid)){
add_audit(AUDIT_ACTION_LOGOUT,AUDIT_RESOURCE_USER,"Manual Logout");
zbx_unsetcookie('zbx_sessionid');
@@ -63,16 +62,27 @@
$name = get_request('name','');
$password = md5(get_request('password',''));
- switch($config['authentication_type']){
- case ZBX_AUTH_LDAP:
- $login = ldap_authentication($name,get_request('password',''));
- break;
- case ZBX_AUTH_INTERNAL:
- default:
- $alt_auth = ZBX_AUTH_INTERNAL;
- $login = true;
+ $sql = 'SELECT u.userid,u.attempt_failed, u.attempt_clock, u.attempt_ip '.
+ ' FROM users u '.
+ ' WHERE u.alias='.zbx_dbstr($name).
+ ' AND ( attempt_failed<'.ZBX_LOGIN_ATTEMPTS.
+ ' OR (attempt_failed>'.(ZBX_LOGIN_ATTEMPTS-1).
+ ' AND ('.time().'-attempt_clock)>'.ZBX_LOGIN_BLOCK.'))';
+
+ $login = $attempt = DBfetch(DBselect($sql));
+
+ if($login){
+ switch($config['authentication_type']){
+ case ZBX_AUTH_LDAP:
+ $login = ldap_authentication($name,get_request('password',''));
+ break;
+ case ZBX_AUTH_INTERNAL:
+ default:
+ $alt_auth = ZBX_AUTH_INTERNAL;
+ $login = true;
+ }
}
-
+
if($login){
$login = $row = DBfetch(DBselect('SELECT u.userid,u.alias,u.name,u.surname,u.url,u.refresh,u.passwd '.
' FROM users u, users_groups ug, usrgrp g '.
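Review bot: The lockout predicate in the new `$sql` is more involved than it needs to be: assuming an integer `attempt_failed` column, `attempt_failed>'.(ZBX_LOGIN_ATTEMPTS-1)` is the exact complement of `attempt_failed<'.ZBX_LOGIN_ATTEMPTS`, so the clause reduces to `' AND (attempt_failed<'.ZBX_LOGIN_ATTEMPTS.' OR ('.time().'-attempt_clock)>'.ZBX_LOGIN_BLOCK.')'`. A comment would also help, because the behaviour is not visible from the query alone: the counter is keyed on the account rather than the client, so ZBX_LOGIN_ATTEMPTS wrong passwords from any source leave the named user unable to log in for ZBX_LOGIN_BLOCK seconds, and a locked account appears to get the same generic failure message as a wrong password (which looks deliberate but is worth stating). Something like `// skip authentication while the account is temporarily blocked; the block expires ZBX_LOGIN_BLOCK seconds after the last failure and attempt_failed is cleared in perm.inc.php` would do. The DBselect statement on the hunk's last lines continues outside the hunk.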
@@ -89,13 +99,12 @@
if($login){
$login = (check_perm2login($row['userid']) && check_perm2system($row['userid']));
}
-
+
if($login){
$sessionid = md5(time().$password.$name.rand(0,10000000));
zbx_setcookie('zbx_sessionid',$sessionid);
- DBexecute("insert into sessions (sessionid,userid,lastaccess)".
- " values (".zbx_dbstr($sessionid).",".$row["userid"].",".time().")");
+ DBexecute('INSERT INTO sessions (sessionid,userid,lastaccess) VALUES ('.zbx_dbstr($sessionid).','.$row['userid'].','.time().')');
add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Correct login [".$name."]");
@@ -113,16 +122,25 @@
else{
$row = NULL;
- $_REQUEST['message'] = "Login name or password is incorrect";
- add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Login failed [".$name."]");
+ $_REQUEST['message'] = 'Login name or password is incorrect';
+ add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,'Login failed ['.$name.']');
+
+ if($attempt){
+ $ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];
+ $attempt['attempt_failed']++;
+ $sql = 'UPDATE users SET attempt_failed='.zbx_dbstr($attempt['attempt_failed']).
+ ', attempt_clock='.time().
+ ', attempt_ip='.zbx_dbstr($ip).
+ ' WHERE userid='.zbx_dbstr($attempt['userid']);
+ DBexecute($sql);
+ }
}
}
include_once "include/page_header.php";
if(isset($_REQUEST['message'])) show_error_message($_REQUEST['message']);
-?>
-<?php
+
if(!isset($sessionid)){
insert_login_form();
}
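Review bot: `$ip` in the new `if($attempt)` block is taken from `HTTP_X_FORWARDED_FOR` whenever the header is present, and that header is supplied by the client, so any string (including a comma-separated list when several proxies are involved) ends up in `attempt_ip` and is later shown to the user by perm.inc.php. Prefer `$_SERVER['REMOTE_ADDR']` unless the frontend is known to sit behind a proxy that sets the header, and validate the stored value (at least a length limit matching the attempt_ip column, whose size is not visible here). The same ternary already exists in config.inc.php, so a small shared helper (a `get_client_ip()`-style function, name to be chosen) would keep both call sites consistent. `zbx_dbstr($attempt['attempt_failed'])` quotes an integer counter; `(int)$attempt['attempt_failed']` says what is meant. The `else{` this block lives in belongs to an `if` that starts outside the hunk.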