-rw-r--r-- | ChangeLog | 1 | ||||
-rw-r--r-- | create/data/data.sql | 4 | ||||
-rw-r--r-- | create/schema/schema.sql | 3 | ||||
-rw-r--r-- | frontends/php/include/config.inc.php | 2 | ||||
-rw-r--r-- | frontends/php/include/defines.inc.php | 3 | ||||
-rw-r--r-- | frontends/php/include/perm.inc.php | 5 | ||||
-rw-r--r-- | frontends/php/index.php | 54 |
7 files changed, 51 insertions, 21 deletions
@@ -1,5 +1,6 @@
 Changes for 1.5.1:
+ - [DEV-153] added protection against brute force attack (Artem)
  - [DEV-158] added standart sorting to screens (Artem)
  - [DEV-154] added more flexibility to scripts (Artem)
  - [DEV-166] fixed problem with node syncing (Sasha)
diff --git a/create/data/data.sql b/create/data/data.sql
index 546fdf2a..a5db8732 100644
--- a/create/data/data.sql
+++ b/create/data/data.sql
@@ -34,8 +34,8 @@ INSERT INTO scripts VALUES (2,'Traceroute','/usr/bin/traceroute {HOST.CONN}',0);
 -- Dumping data for table `users`
 --
-INSERT INTO users VALUES (1,'Admin','Zabbix','Administrator','d41d8cd98f00b204e9800998ecf8427e','',0, 900,'en_gb',30,3,'deafault.css');
-INSERT INTO users VALUES (2,'guest','Default','User','d41d8cd98f00b204e9800998ecf8427e','',0,900,'en_gb',30,1,'default.css');
+INSERT INTO users VALUES (1,'Admin','Zabbix','Administrator','d41d8cd98f00b204e9800998ecf8427e','',0, 900,'en_gb',30,3,'deafault.css',0,'',0);
+INSERT INTO users VALUES (2,'guest','Default','User','d41d8cd98f00b204e9800998ecf8427e','',0,900,'en_gb',30,1,'default.css',0,'',0);
 --
 -- Dumping data for table `usrgrp`
diff --git a/create/schema/schema.sql b/create/schema/schema.sql
index 6d270b17..5190b260 100644
--- a/create/schema/schema.sql
+++ b/create/schema/schema.sql
@@ -697,6 +697,9 @@ FIELD |lang |t_varchar(5) |'en_gb'|NOT NULL |ZBX_SYNC
 FIELD |refresh |t_integer |'30' |NOT NULL |ZBX_SYNC
 FIELD |type |t_integer |'0' |NOT NULL |ZBX_SYNC
 FIELD |theme |t_varchar(128) |'default.css' |NOT NULL |ZBX_SYNC
+FIELD |attempt_failed |t_integer |0 |NOT NULL |ZBX_SYNC
+FIELD |attempt_ip |t_varchar(39) |'' |NOT NULL |ZBX_SYNC
+FIELD |attempt_clock |t_integer |0 |NOT NULL |ZBX_SYNC
 INDEX |1 |alias
 TABLE|usrgrp|usrgrpid|ZBX_SYNC
diff --git a/frontends/php/include/config.inc.php b/frontends/php/include/config.inc.php
index ae183ae4..024358ef 100644
--- a/frontends/php/include/config.inc.php
+++ b/frontends/php/include/config.inc.php
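Review bot: `attempt_ip` is declared `t_varchar(39)`, which fits one textual IPv6 address but not what index.php actually writes into it: `$_SERVER['HTTP_X_FORWARDED_FOR']` whenever that header is present, and proxies routinely populate it as a comma-separated chain (`client, proxy1, proxy2`) well past 39 characters. Depending on the backend's strict mode that UPDATE is either silently truncated or rejected, and a rejected UPDATE means the failed-attempt counter never advances, which defeats the feature. Either widen the column or normalize the value to a single validated address before storing it. I would also document the three new fields inline, e.g. `-- attempt_failed: consecutive failed logins since last success; attempt_clock: unix time of the last failure; attempt_ip: its source address`. The `users` table definition starts above the hunk.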
@@ -105,7 +105,7 @@ function TODO($msg) { echo "TODO: ".$msg.SBR; } // DEBUG INFO!!!
 if(defined('ZBX_DENY_GUI_ACCESS')){
 if(isset($ZBX_GUI_ACCESS_IP_RANGE) && is_array($ZBX_GUI_ACCESS_IP_RANGE)){
- $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?($_SERVER['HTTP_X_FORWARDED_FOR']):($_SERVER['REMOTE_ADDR']);
+ $user_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?($_SERVER['HTTP_X_FORWARDED_FOR']):($_SERVER['REMOTE_ADDR']);
 if(!str_in_array($user_ip,$ZBX_GUI_ACCESS_IP_RANGE)) $DENY_GUI = TRUE;
 }
 else{
diff --git a/frontends/php/include/defines.inc.php b/frontends/php/include/defines.inc.php
index 728288b1..571386fb 100644
--- a/frontends/php/include/defines.inc.php
+++ b/frontends/php/include/defines.inc.php
@@ -27,6 +27,9 @@ define('PAGE_TYPE_XML', 2);
 define('PAGE_TYPE_JS', 3); //javascript
 define('PAGE_TYPE_HTML_BLOCK', 4); //simple block of html (as text)
+
+ define('ZBX_LOGIN_ATTEMPTS', 5);
+ define('ZBX_LOGIN_BLOCK', 180);
 define('T_ZBX_STR', 0);
 define('T_ZBX_INT', 1);
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php
index c0692cf4..5cf3ae64 100644
--- a/frontends/php/include/perm.inc.php
+++ b/frontends/php/include/perm.inc.php
@@ -53,9 +53,14 @@
 ' AND s.userid=u.userid'.
 ' AND ((s.lastaccess+u.autologout>'.time().') OR (u.autologout=0))'.
 ' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID)));
+
 if(!$USER_DETAILS){
 $incorect_session = true;
 }
+ else if($login['attempt_failed']){
+ error('There was ['.$login['attempt_failed'].'] failed attempts to Login from ['.$login['attempt_ip'].'] at ['.date('d.m.Y H:nn',$login['attempt_clock']).'] o\'clock!');
+ DBexecute('UPDATE users SET attempt_failed=0 WHERE userid='.zbx_dbstr($login['userid']));
+ }
 }
 if(!$USER_DETAILS){
diff --git a/frontends/php/index.php b/frontends/php/index.php
index f469e6df..218f8f05 100644
--- a/frontends/php/index.php
+++ b/frontends/php/index.php
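Review bot: The two new constants say nothing about what they count or in what unit, so a reader has to open index.php to learn that `ZBX_LOGIN_ATTEMPTS` is a per-account threshold and `ZBX_LOGIN_BLOCK` is in seconds. I would annotate them the way the neighbouring `define()` lines are: `define('ZBX_LOGIN_ATTEMPTS', 5); // consecutive failed logins on one account before it is locked` and `define('ZBX_LOGIN_BLOCK', 180); // lockout duration in seconds`. The added lines also appear indented by one extra space relative to the surrounding defines; align them.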
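Review bot: The format string `'d.m.Y H:nn'` on the added `error()` line is wrong: in PHP's `date()` the `n` specifier is the month without leading zeros, not minutes, so a failure at 13:07 in April is reported as `13:44`; it should be `'d.m.Y H:i'`. The same message interpolates `$login['attempt_ip']`, which index.php fills from the client-supplied `X-Forwarded-For` header, so unless `error()` HTML-escapes its argument this is attacker-controlled text rendered into the page of the user who next logs in — wrap it in `htmlspecialchars()` before concatenating. Grammar nit on the same line: `There were [N] failed attempts`. The SELECT that populates `$login` begins above the hunk; this branch silently depends on it now returning the `attempt_*` columns, which I cannot confirm from here.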
@@ -43,8 +43,7 @@ <?php
 $sessionid = get_cookie('zbx_sessionid', null);
- if(isset($_REQUEST["reconnect"]) && isset($sessionid))
- {
+ if(isset($_REQUEST["reconnect"]) && isset($sessionid)){
 add_audit(AUDIT_ACTION_LOGOUT,AUDIT_RESOURCE_USER,"Manual Logout");
 zbx_unsetcookie('zbx_sessionid');
@@ -63,16 +62,27 @@
 $name = get_request('name','');
 $password = md5(get_request('password',''));
- switch($config['authentication_type']){
- case ZBX_AUTH_LDAP:
- $login = ldap_authentication($name,get_request('password',''));
- break;
- case ZBX_AUTH_INTERNAL:
- default:
- $alt_auth = ZBX_AUTH_INTERNAL;
- $login = true;
+ $sql = 'SELECT u.userid,u.attempt_failed, u.attempt_clock, u.attempt_ip '.
+ ' FROM users u '.
+ ' WHERE u.alias='.zbx_dbstr($name).
+ ' AND ( attempt_failed<'.ZBX_LOGIN_ATTEMPTS.
+ ' OR (attempt_failed>'.(ZBX_LOGIN_ATTEMPTS-1).
+ ' AND ('.time().'-attempt_clock)>'.ZBX_LOGIN_BLOCK.'))';
+
+ $login = $attempt = DBfetch(DBselect($sql));
+
+ if($login){
+ switch($config['authentication_type']){
+ case ZBX_AUTH_LDAP:
+ $login = ldap_authentication($name,get_request('password',''));
+ break;
+ case ZBX_AUTH_INTERNAL:
+ default:
+ $alt_auth = ZBX_AUTH_INTERNAL;
+ $login = true;
+ }
 }
-
+
 if($login){
 $login = $row = DBfetch(DBselect('SELECT u.userid,u.alias,u.name,u.surname,u.url,u.refresh,u.passwd '.
 ' FROM users u, users_groups ug, usrgrp g '.
@@ -89,13 +99,12 @@
 if($login){
 $login = (check_perm2login($row['userid']) && check_perm2system($row['userid']));
 }
-
+
 if($login){
 $sessionid = md5(time().$password.$name.rand(0,10000000));
 zbx_setcookie('zbx_sessionid',$sessionid);
- DBexecute("insert into sessions (sessionid,userid,lastaccess)".
- " values (".zbx_dbstr($sessionid).",".$row["userid"].",".time().")");
+ DBexecute('INSERT INTO sessions (sessionid,userid,lastaccess) VALUES ('.zbx_dbstr($sessionid).','.$row['userid'].','.time().')');
 add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Correct login [".$name."]");
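Review bot: The lockout in the `@@ -63` hunk is keyed on `u.alias` alone, so any unauthenticated client can lock out an arbitrary known account — including `Admin` — by submitting ZBX_LOGIN_ATTEMPTS wrong passwords, and can keep it locked indefinitely by repeating that every ZBX_LOGIN_BLOCK seconds; the commit trades brute-force resistance for a trivial denial of service against the very accounts an attacker would target. Consider scoping the block to the (alias, source address) pair or applying a per-source limit in addition to the per-account one, and at minimum write a distinct audit entry when a login is refused because of the block rather than the generic 'Login failed' that the lower hunk records. Note also that nothing on this path resets `attempt_failed` once the window has elapsed, so after one lockout the account stays on a one-attempt-per-ZBX_LOGIN_BLOCK regime until the next successful login (the reset lives in perm.inc.php); if that is intended, say so above the query, e.g. `// accept the attempt if under the threshold, or if ZBX_LOGIN_BLOCK seconds have passed since the last failure`. The `if($login)` chain continues below the hunk.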
@@ -113,16 +122,25 @@
 else{
 $row = NULL;
- $_REQUEST['message'] = "Login name or password is incorrect";
- add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Login failed [".$name."]");
+ $_REQUEST['message'] = 'Login name or password is incorrect';
+ add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,'Login failed ['.$name.']');
+
+ if($attempt){
+ $ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];
+ $attempt['attempt_failed']++;
+ $sql = 'UPDATE users SET attempt_failed='.zbx_dbstr($attempt['attempt_failed']).
+ ', attempt_clock='.time().
+ ', attempt_ip='.zbx_dbstr($ip).
+ ' WHERE userid='.zbx_dbstr($attempt['userid']);
+ DBexecute($sql);
+ }
 }
 }
 include_once "include/page_header.php";
 if(isset($_REQUEST['message'])) show_error_message($_REQUEST['message']);
-?>
-<?php
+
 if(!isset($sessionid)){
 insert_login_form();
 }
|
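Review bot: The counter update is a read-modify-write — `attempt_failed` was read by the SELECT earlier in the login path, incremented in PHP with `$attempt['attempt_failed']++`, and written back — so concurrent login requests for the same alias race and lose increments, letting a parallel brute-force make more than ZBX_LOGIN_ATTEMPTS guesses; make the increment atomic in SQL instead: `$sql = 'UPDATE users SET attempt_failed=attempt_failed+1'.`. Separately, `$ip` prefers the client-supplied `HTTP_X_FORWARDED_FOR` header over `REMOTE_ADDR`, so the recorded source is whatever the attacker chooses to send (and may be a comma-separated list); only honour that header when the request provably comes from a trusted reverse proxy and validate it before storing, otherwise record `REMOTE_ADDR`. Passing the integer counter through `zbx_dbstr()` also produces a quoted string assignment that relies on implicit coercion; pass it unquoted as the `attempt_clock` line already does. The enclosing `if`/`else` begins above the hunk.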