-rw-r--r--ChangeLog1
-rw-r--r--create/data/data.sql4
-rw-r--r--create/schema/schema.sql3
-rw-r--r--frontends/php/include/config.inc.php2
-rw-r--r--frontends/php/include/defines.inc.php3
-rw-r--r--frontends/php/include/perm.inc.php5
-rw-r--r--frontends/php/index.php54
7 files changed, 51 insertions, 21 deletions
diff --git a/ChangeLog b/ChangeLog
index 7514d1ce..ef8dc098 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
Changes for 1.5.1:
+ - [DEV-153] added protection against brute force attack (Artem)
- [DEV-158] added standart sorting to screens (Artem)
- [DEV-154] added more flexibility to scripts (Artem)
- [DEV-166] fixed problem with node syncing (Sasha)
diff --git a/create/data/data.sql b/create/data/data.sql
index 546fdf2a..a5db8732 100644
--- a/create/data/data.sql
+++ b/create/data/data.sql
@@ -34,8 +34,8 @@ INSERT INTO scripts VALUES (2,'Traceroute','/usr/bin/traceroute {HOST.CONN}',0);
-- Dumping data for table `users`
--
-INSERT INTO users VALUES (1,'Admin','Zabbix','Administrator','d41d8cd98f00b204e9800998ecf8427e','',0, 900,'en_gb',30,3,'deafault.css');
-INSERT INTO users VALUES (2,'guest','Default','User','d41d8cd98f00b204e9800998ecf8427e','',0,900,'en_gb',30,1,'default.css');
+INSERT INTO users VALUES (1,'Admin','Zabbix','Administrator','d41d8cd98f00b204e9800998ecf8427e','',0, 900,'en_gb',30,3,'deafault.css',0,'',0);
+INSERT INTO users VALUES (2,'guest','Default','User','d41d8cd98f00b204e9800998ecf8427e','',0,900,'en_gb',30,1,'default.css',0,'',0);
--
-- Dumping data for table `usrgrp`
diff --git a/create/schema/schema.sql b/create/schema/schema.sql
index 6d270b17..5190b260 100644
--- a/create/schema/schema.sql
+++ b/create/schema/schema.sql
@@ -697,6 +697,9 @@ FIELD |lang |t_varchar(5) |'en_gb'|NOT NULL |ZBX_SYNC
FIELD |refresh |t_integer |'30' |NOT NULL |ZBX_SYNC
FIELD |type |t_integer |'0' |NOT NULL |ZBX_SYNC
FIELD |theme |t_varchar(128) |'default.css' |NOT NULL |ZBX_SYNC
+FIELD |attempt_failed |t_integer |0 |NOT NULL |ZBX_SYNC
+FIELD |attempt_ip |t_varchar(39) |'' |NOT NULL |ZBX_SYNC
+FIELD |attempt_clock |t_integer |0 |NOT NULL |ZBX_SYNC
INDEX |1 |alias
TABLE|usrgrp|usrgrpid|ZBX_SYNC
diff --git a/frontends/php/include/config.inc.php b/frontends/php/include/config.inc.php
index ae183ae4..024358ef 100644
--- a/frontends/php/include/config.inc.php
+++ b/frontends/php/include/config.inc.php
@@ -105,7 +105,7 @@ function TODO($msg) { echo "TODO: ".$msg.SBR; } // DEBUG INFO!!!
if(defined('ZBX_DENY_GUI_ACCESS')){
if(isset($ZBX_GUI_ACCESS_IP_RANGE) && is_array($ZBX_GUI_ACCESS_IP_RANGE)){
- $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?($_SERVER['HTTP_X_FORWARDED_FOR']):($_SERVER['REMOTE_ADDR']);
+ $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?($_SERVER['HTTP_X_FORWARDED_FOR']):($_SERVER['REMOTE_ADDR']);
if(!str_in_array($user_ip,$ZBX_GUI_ACCESS_IP_RANGE)) $DENY_GUI = TRUE;
}
else{
diff --git a/frontends/php/include/defines.inc.php b/frontends/php/include/defines.inc.php
index 728288b1..571386fb 100644
--- a/frontends/php/include/defines.inc.php
+++ b/frontends/php/include/defines.inc.php
@@ -27,6 +27,9 @@
define('PAGE_TYPE_XML', 2);
define('PAGE_TYPE_JS', 3); //javascript
define('PAGE_TYPE_HTML_BLOCK', 4); //simple block of html (as text)
+
+ define('ZBX_LOGIN_ATTEMPTS', 5);
+ define('ZBX_LOGIN_BLOCK', 180);
define('T_ZBX_STR', 0);
define('T_ZBX_INT', 1);
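Review bot: The two new constants carry no comment saying what they bound or in which unit, and `ZBX_LOGIN_BLOCK` reads as a count until one finds it compared against time() in index.php. Suggest `define('ZBX_LOGIN_ATTEMPTS', 5); // consecutive failed logins per user before the account is blocked` and `define('ZBX_LOGIN_BLOCK', 180); // block duration in seconds, measured from the last failed attempt`. A one-line pointer to the enforcement site in index.php would also help the next reader, since nothing in this file shows how the values interact.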
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php
index c0692cf4..5cf3ae64 100644
--- a/frontends/php/include/perm.inc.php
+++ b/frontends/php/include/perm.inc.php
@@ -53,9 +53,14 @@
' AND s.userid=u.userid'.
' AND ((s.lastaccess+u.autologout>'.time().') OR (u.autologout=0))'.
' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID)));
+
if(!$USER_DETAILS){
$incorect_session = true;
}
+ else if($login['attempt_failed']){
+ error('There was ['.$login['attempt_failed'].'] failed attempts to Login from ['.$login['attempt_ip'].'] at ['.date('d.m.Y H:nn',$login['attempt_clock']).'] o\'clock!');
+ DBexecute('UPDATE users SET attempt_failed=0 WHERE userid='.zbx_dbstr($login['userid']));
+ }
}
if(!$USER_DETAILS){
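Review bot: The format string on the added `error(...)` line is `'d.m.Y H:nn'`, but in PHP's date() `n` is the month number without leading zeros, so the message prints hour followed by the month twice instead of hour:minute; it should be `date('d.m.Y H:i', $login['attempt_clock'])`. The new branch also tests `$login['attempt_failed']`, yet nothing visible in this hunk assigns `$login`; the row fetched just above is `$USER_DETAILS`, so if that SELECT (which starts outside the hunk) is where the attempt_* columns come from, the condition presumably needs `$USER_DETAILS` instead — worth confirming, since an undefined `$login` here would silently skip the notice and the counter reset. Because attempt_ip is populated from a request header elsewhere in this commit, the value interpolated into the message should be treated as untrusted text and HTML-escaped unless error() already does so.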
diff --git a/frontends/php/index.php b/frontends/php/index.php
index f469e6df..218f8f05 100644
--- a/frontends/php/index.php
+++ b/frontends/php/index.php
@@ -43,8 +43,7 @@
<?php
$sessionid = get_cookie('zbx_sessionid', null);
- if(isset($_REQUEST["reconnect"]) && isset($sessionid))
- {
+ if(isset($_REQUEST["reconnect"]) && isset($sessionid)){
add_audit(AUDIT_ACTION_LOGOUT,AUDIT_RESOURCE_USER,"Manual Logout");
zbx_unsetcookie('zbx_sessionid');
@@ -63,16 +62,27 @@
$name = get_request('name','');
$password = md5(get_request('password',''));
- switch($config['authentication_type']){
- case ZBX_AUTH_LDAP:
- $login = ldap_authentication($name,get_request('password',''));
- break;
- case ZBX_AUTH_INTERNAL:
- default:
- $alt_auth = ZBX_AUTH_INTERNAL;
- $login = true;
+ $sql = 'SELECT u.userid,u.attempt_failed, u.attempt_clock, u.attempt_ip '.
+ ' FROM users u '.
+ ' WHERE u.alias='.zbx_dbstr($name).
+ ' AND ( attempt_failed<'.ZBX_LOGIN_ATTEMPTS.
+ ' OR (attempt_failed>'.(ZBX_LOGIN_ATTEMPTS-1).
+ ' AND ('.time().'-attempt_clock)>'.ZBX_LOGIN_BLOCK.'))';
+
+ $login = $attempt = DBfetch(DBselect($sql));
+
+ if($login){
+ switch($config['authentication_type']){
+ case ZBX_AUTH_LDAP:
+ $login = ldap_authentication($name,get_request('password',''));
+ break;
+ case ZBX_AUTH_INTERNAL:
+ default:
+ $alt_auth = ZBX_AUTH_INTERNAL;
+ $login = true;
+ }
}
-
+
if($login){
$login = $row = DBfetch(DBselect('SELECT u.userid,u.alias,u.name,u.surname,u.url,u.refresh,u.passwd '.
' FROM users u, users_groups ug, usrgrp g '.
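Review bot: The lockout query at the `$sql =` assignment keys on the alias alone, so the protection is per account rather than per source: repeated wrong passwords for a known alias block that user for ZBX_LOGIN_BLOCK seconds, and because a blocked account yields `$attempt === false`, failures during the block are not recorded and the block simply re-arms on the first failure after it expires. That may be an acceptable trade-off, but it should be stated in a comment above the query so the policy is explicit, and the condition `' OR (attempt_failed>'.(ZBX_LOGIN_ATTEMPTS-1).` reads more directly as `' OR (attempt_failed>='.ZBX_LOGIN_ATTEMPTS.`. A blocked user presenting the correct password also falls into the generic "Login name or password is incorrect" path with the same audit entry as a wrong password; a distinct audit message for the blocked case would make the lockouts visible to an operator.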
@@ -89,13 +99,12 @@
if($login){
$login = (check_perm2login($row['userid']) && check_perm2system($row['userid']));
}
-
+
if($login){
$sessionid = md5(time().$password.$name.rand(0,10000000));
zbx_setcookie('zbx_sessionid',$sessionid);
- DBexecute("insert into sessions (sessionid,userid,lastaccess)".
- " values (".zbx_dbstr($sessionid).",".$row["userid"].",".time().")");
+ DBexecute('INSERT INTO sessions (sessionid,userid,lastaccess) VALUES ('.zbx_dbstr($sessionid).','.$row['userid'].','.time().')');
add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Correct login [".$name."]");
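Review bot: The session identifier on the `$sessionid = md5(time().$password.$name.rand(0,10000000));` line is derived from the current time, the user's password hash, the alias and rand(), none of which is a cryptographically strong source; the only per-login variation is the timestamp and a seven-digit rand() value, so the effective token space is far smaller than the 128 bits the md5 output suggests. The line itself is unchanged by this commit, but the hunk already rewrites the INSERT directly below it, so it is a natural moment to derive the token from a CSPRNG instead (hex-encoded output of random_bytes() on current PHP, or openssl_random_pseudo_bytes() on the releases this frontend targets). The surrounding if(\$login) block begins above the hunk.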
@@ -113,16 +122,25 @@
else{
$row = NULL;
- $_REQUEST['message'] = "Login name or password is incorrect";
- add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Login failed [".$name."]");
+ $_REQUEST['message'] = 'Login name or password is incorrect';
+ add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,'Login failed ['.$name.']');
+
+ if($attempt){
+ $ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];
+ $attempt['attempt_failed']++;
+ $sql = 'UPDATE users SET attempt_failed='.zbx_dbstr($attempt['attempt_failed']).
+ ', attempt_clock='.time().
+ ', attempt_ip='.zbx_dbstr($ip).
+ ' WHERE userid='.zbx_dbstr($attempt['userid']);
+ DBexecute($sql);
+ }
}
}
include_once "include/page_header.php";
if(isset($_REQUEST['message'])) show_error_message($_REQUEST['message']);
-?>
-<?php
+
if(!isset($sessionid)){
insert_login_form();
}
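Review bot: The address recorded on the `$ip = ...` line prefers HTTP_X_FORWARDED_FOR, a client-supplied header, over REMOTE_ADDR, so the stored attempt_ip is whatever the requester chose to send, and the header may be a comma-separated list longer than the 39 characters the new schema column allows. Unless the frontend is known to sit behind a trusted proxy that overwrites this header, REMOTE_ADDR should be used (or the header consulted only when REMOTE_ADDR is a configured proxy), and the value should be length-checked before the UPDATE. The counter update is also read-modify-write: the row is fetched at the start of the login and `$attempt['attempt_failed']++` is written back here, so concurrent failed attempts can overwrite each other and undercount; `', attempt_failed=attempt_failed+1'` in the UPDATE avoids the race. The else branch starting this hunk pairs with an if that lies above it.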