Improve security / safety against DDOS and brute force (failed) logins

onoehring
Veteran Member
Posts: 248
Joined: 2019-05-21 22:42

Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-01 07:44

Hi,

I present a little more safety for your applications.

The attached file will count accesses from a user (by IP), and, if the file is being accessed too much (defined in the script), the user (IP) will be banned for a certain time (defined in the script) from accessing that page. The user will then see a countdown, which changes back to a link once the countdown (wait/ban) is over.

Attachment: antiflood2019-08-01.zip (2.75 KiB)

You can use this very easily to prevent brute force attacks on your login page.

Installation for use in AppGini
1. Place the file from the attached ZIP in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood) and make sure the folder is writeable by the webserver (750).
3. If you want to prevent countless logins (brute force), just include this file in hooks/__global.php in the login_failed function with this single line of code (probably even without the PHP opening/closing tags).

Code:

<?php include "antiflood.php"; ?>
Simple as that.

If you do this, the user will have a certain number of login tries before he has to wait.

The script does not need any cookies.
You may adjust: the number of allowed page requests for the user; the time interval (seconds) over which page requests are counted, i.e. how often the page can be loaded in that time; the number of seconds to punish a user who has exceeded the request limit; and the directory name in which to keep the script data.

Suggestions? Comments?
Oh, not my idea, nor my script. I simply adjusted and added a little (see the documentation in the file).
And: I know that it's not a really nice solution concerning DDOS - but still ;-)

Olaf

AhmedBR
Veteran Member
Posts: 192
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-19 20:09

Nice, BUT all you have to do is request the URL again, and you will get the login screen, bypassing the time lock.

AhmedBR
Veteran Member
Posts: 192
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-19 20:17

And also if you just click the Back button you will get the login screen as well.

onoehring
Veteran Member
Posts: 248
Joined: 2019-05-21 22:42

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-20 06:24

Hi AhmedBR,

well, you are (unfortunately) correct, I will take a look and post the improvement.

Olaf

onoehring
Veteran Member
Posts: 248
Joined: 2019-05-21 22:42

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-20 07:09

Hi AhmedBR,

thank you for making my day. When I tried your suggestion, I really had to laugh. That was classic. You are correct, my suggested solution was easy to circumvent using the browser's back button.
Explanation: The antiflood was only included after the login attempt failed (sounds reasonable), but not (and here is the mistake) before the page is rendered.
I changed the include position to /login.php, and this prevents using browser refresh/back in my case. Maybe someone else can try it.

Also, I recommend using this code to include it:

Code:

<?php include("$currDir/hooks/antiflood.php"); ?>

So please do not use the method described in the thread above - it does not fulfill its purpose!
Use this instead:
1. Place this file in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood) and make sure the folder is writeable by the webserver (750).
3. Include this file in /login.php as the very first line. Simply add
<?php include("$currDir/hooks/antiflood.php"); ?>
before everything else in that file.

Important: Please note, that the login.php will be overwritten, once you regenerate your files with AppGini.


Updated antiflood.php file (updated instructions):
Attachment: antiflood2019-08-20.zip (2.78 KiB)
Any suggestions/comments?

Olaf
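The following is an added example (not the attached antiflood script and not AppGini's own code) that implements the mechanism from the first post together with the corrected placement from this last post: failed attempts are counted per IP in files under hooks/antiflood, and the ban is enforced before the login form is rendered, so a refresh or the Back button hits the gate again. The window/limit/ban values, the `AF_` names, the JSON state format, the 429 response instead of a countdown page, and the `login_failed($attempt, $memberInfo, &$args)` hook signature are assumptions of this example.

```php
<?php
// hooks/antiflood.php -- added example, not the script attached to this thread.
// Assumptions: the constants below, a writable hooks/antiflood directory,
// and that REMOTE_ADDR is the real client address (no reverse proxy in front).

define('AF_DIR',    __DIR__ . '/antiflood'); // state files, one per client IP
define('AF_WINDOW', 60);                     // seconds over which failures are counted
define('AF_LIMIT',  5);                      // failures allowed inside AF_WINDOW
define('AF_BAN',    300);                    // lock-out seconds after exceeding AF_LIMIT

function af_client_ip() {
    // Only REMOTE_ADDR: X-Forwarded-For is client-supplied and must not be
    // trusted unless a proxy you control overwrites it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function af_state_file($ip) {
    // Hash the IP so the file name can never contain path separators.
    return AF_DIR . '/' . hash('sha256', $ip) . '.json';
}

function af_load($ip) {
    $default = array('hits' => array(), 'banned_until' => 0);
    $file = af_state_file($ip);
    if (!is_file($file)) return $default;
    $data = json_decode((string) file_get_contents($file), true);
    return is_array($data) ? $data + $default : $default;
}

function af_save($ip, $state) {
    if (!is_dir(AF_DIR)) mkdir(AF_DIR, 0750, true);
    file_put_contents(af_state_file($ip), json_encode($state), LOCK_EX);
}

// Seconds of ban still remaining for $ip (0 if not banned). This is the check
// that must run BEFORE the login form is rendered.
function af_seconds_remaining($ip, $now = null) {
    $now = ($now === null) ? time() : $now;
    $state = af_load($ip);
    return max(0, (int) $state['banned_until'] - $now);
}

// Record one failed login for $ip; returns true if this failure started a ban.
function af_record_failure($ip, $now = null) {
    $now = ($now === null) ? time() : $now;
    $state = af_load($ip);
    // Sliding window: drop timestamps older than AF_WINDOW.
    $state['hits'] = array_values(array_filter($state['hits'], function ($t) use ($now) {
        return $t > $now - AF_WINDOW;
    }));
    $state['hits'][] = $now;
    $banned = false;
    if (count($state['hits']) > AF_LIMIT) {
        $state['banned_until'] = $now + AF_BAN;
        $state['hits'] = array();
        $banned = true;
    }
    af_save($ip, $state);
    return $banned;
}

// Gate: when this file is the first include of login.php, a banned client gets
// HTTP 429 and a Retry-After header and no form at all. Define AF_LIBRARY_ONLY
// before including the file to load only the functions (used from the hook).
if (!defined('AF_LIBRARY_ONLY')) {
    $af_wait = af_seconds_remaining(af_client_ip());
    if ($af_wait > 0) {
        http_response_code(429);
        header('Retry-After: ' . $af_wait);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Too many failed logins. Try again in {$af_wait} seconds.\n";
        exit;
    }
}

// Wiring (assumed layout, not AppGini's code):
//
// First line of login.php, before anything else is output:
//   <?php include_once __DIR__ . '/hooks/antiflood.php'; ?>
//
// In hooks/__global.php (hook signature assumed):
//   function login_failed($attempt, $memberInfo, &$args) {
//       define('AF_LIBRARY_ONLY', true);
//       include_once __DIR__ . '/antiflood.php';
//       af_record_failure(af_client_ip());
//   }
```

Two design choices worth noting. The include in login.php uses `__DIR__` rather than `$currDir`, so it works even as the literal first line of the file, before any variable has been assigned. And the counter is keyed on REMOTE_ADDR only: behind a reverse proxy or load balancer that address is the proxy's, and every user would share one counter, so in that deployment the real client address must be taken from the proxy's configured header, not from whatever the client sends. Because any IP-based lock-out also locks out legitimate users behind the same NAT, keep AF_BAN short and log bans so a wave of 429s is visible in monitoring. As with the attached script, login.php is regenerated by AppGini, so the first-line include has to be re-added after each regeneration.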
