Improve security / safety against DDOS and brute force (failed) logins

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Post by onoehring » 2019-08-01 07:44

Hi,

I present a little more safety for your applications.

The attached file will count access from a user (by IP), and, if the file is being accessed too much (defined in the script), the user (IP) will be banned for a certain time (defined in the script) from accessing some page. The user will then see a countdown which changes back to a link once the countdown (wait/ban) is over.
Attachment: antiflood2019-08-01.zip (2.75 KiB) Downloaded 231 times

You can use this very easily to prevent brute force attacks on your login page.

Installation for the use in AppGini
1. Place the file in the attached ZIP in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood), and make sure the folder is writeable by the webserver (750).
3. If you want to prevent countless logins (brute force), just include this file in hooks/__global.php in the login_failed function with this single line of code (probably even without the PHP opening/closing tags).

Code:

<?php include "antiflood.php"; ?>
Simple as that.

If you do this, the user will have a certain number of login tries before he has to wait.

The script does not need any cookies.
You may adjust the number of allowed page requests for the user, the time interval (seconds) in which page requests are counted (i.e. how often the page can be loaded in that time), the seconds to punish a user who has exceeded the allowed requests, and the directory name to keep script data.

Suggestions? Comments?
Oh, not my idea, nor my script. I simply adjusted and added a little (see documentation in file).
And: I know that it's not a really nice solution concerning DDOS - but still ;-)

Olaf

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-19 20:09

Nice, BUT all you have to do is request the URL again, and you will get the login screen bypassing the time lock.
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-19 20:17

And also if you just click the Back button you will get the login screen as well.

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-20 06:24

Hi AhmedBR,

well, you are (unfortunately) correct, I will take a look and post the improvement.

Olaf

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-20 07:09

Hi AhmedBR,

thank you for making my day. When I tried your suggestion, I really had to laugh. That was classic. You are correct, my suggested solution was easy to circumvent using the browser's back button.
Explanation: The antiflood was only included after the login attempt failed (sounds reasonable), but not (and here is the mistake) before the page is rendered.
I changed the include position to /login.php, and this prevents using browser refresh/back in my case. Maybe someone else tries.

Also, I recommend using this code to include

Code:

<?php include("$currDir/hooks/antiflood.php"); ?>
So please do not use the method described in the thread above - it does not fulfill its purpose!
Use this instead:
1. Place this file in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood), and make sure the folder is writeable by the webserver (750).
3. Include this file in /login.php as the very first line. Simply add
<?php include("$currDir/hooks/antiflood.php"); ?>
before everything else in that file.

Important: Please note that login.php will be overwritten once you regenerate your files with AppGini.

Updated antiflood.php file (updated instructions):
Attachment: antiflood2019-08-20.zip (2.78 KiB) Downloaded 242 times
Any suggestions/comments?

Olaf
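Editor's added example for the mechanism described in the first post and for the corrected include position in this one. It is not the antiflood.php shipped in the ZIPs, nor AppGini code: it is a minimal per-IP counter kept in one file per address under hooks/antiflood, meant to be included as the very first line of login.php so that the check runs before any HTML is produced. The AF_* tunables, the JSON state layout and the 429 response are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's antiflood.php. Include as the first line of
// login.php so a refresh, a Back-button reload or a plain GET of the login page
// is counted and blocked exactly like a failed POST. Including it only from
// login_failed() in hooks/__global.php leaves every GET unchecked, which is the
// bypass reported earlier in this thread.

const AF_MAX_REQUESTS   = 5;    // requests allowed per counting window (assumed value)
const AF_WINDOW_SECONDS = 60;   // length of the counting window (assumed value)
const AF_BAN_SECONDS    = 300;  // wait imposed once the limit is exceeded (assumed value)
const AF_DATA_DIR       = __DIR__ . '/antiflood';   // must be writeable by the webserver

/**
 * Record one request from $ip at time $now. Returns 0 if the request may
 * proceed, otherwise the number of seconds the client still has to wait.
 * The IP is hashed so it can never be used to build an unsafe file name.
 */
function af_check(string $ip, int $now, string $dir = AF_DATA_DIR): int
{
    if (!is_dir($dir) && !@mkdir($dir, 0750, true)) {
        return 0;   // no state possible: fail open rather than lock everyone out
    }
    $fh = @fopen($dir . '/' . hash('sha256', $ip) . '.json', 'c+');
    if ($fh === false) {
        return 0;
    }
    flock($fh, LOCK_EX);   // serialise concurrent requests from the same address
    $fresh = ['start' => $now, 'count' => 0, 'banned_until' => 0];
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || !isset($state['start'], $state['count'], $state['banned_until'])) {
        $state = $fresh;
    }

    if ($state['banned_until'] > $now) {
        // Still banned: requests made during the ban are reported, not counted.
        $remaining = $state['banned_until'] - $now;
    } else {
        // Ban over, or the counting window has elapsed: start a new window.
        if ($state['banned_until'] > 0 || $now - $state['start'] >= AF_WINDOW_SECONDS) {
            $state = $fresh;
        }
        $state['count']++;
        $remaining = 0;
        if ($state['count'] > AF_MAX_REQUESTS) {
            $state['banned_until'] = $now + AF_BAN_SECONDS;
            $remaining = AF_BAN_SECONDS;
        }
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $remaining;
}

// When included from login.php: decide before a single byte of the page is sent.
if (PHP_SAPI !== 'cli') {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy every visitor shares
    // the proxy's address; only substitute a forwarded header if the proxy is trusted.
    $wait = af_check($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time());
    if ($wait > 0) {
        http_response_code(429);
        header('Retry-After: ' . $wait);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Too many requests from your address. Please wait {$wait} seconds and reload this page.";
        exit;
    }
}
```

The thread's script shows a countdown and a link; this one answers with 429 and a Retry-After header instead, which a browser, script or monitoring tool can act on. The same caveat as for the original applies: counting by IP penalises everyone behind one NAT address, and login.php is regenerated by AppGini, so the include line has to be re-added after every regeneration.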

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-24 16:46

Looks Good :D ;)
Thanks for sharing.


a.gneady
Site Admin
Posts: 1281
Joined: 2012-09-27 14:46

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by a.gneady » 2019-08-27 12:13

Nice work, Olaf. I'd like to add a little tip. When a user tries to sign in with an incorrect password, they get the usual invalid login page, but they also get a 403 Access Denied header. You can use this fact to configure a server firewall to block users by IP address after x 'Access Denied' responses in y minutes. A widely used firewall on Linux servers that supports such rules is CSF.
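Editor's added example of the rule a.gneady describes ("x Access Denied responses in y minutes"), run over web server log lines rather than configured in CSF. It is not CSF's or AppGini's code: a small PHP script that parses combined-format access log lines, keeps a sliding window of 403 responses per client address and reports the addresses that reached the threshold. The log lines, the threshold names MAX_403 and WINDOW_MINS and the /app/index.php path are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not CSF or AppGini code: apply "block after X 403s within
// Y minutes" to access log lines (Apache/nginx combined format).

const MAX_403     = 5;    // X: 403 responses that trigger a block (assumed value)
const WINDOW_MINS = 10;   // Y: counted within this many minutes (assumed value)

// Constructed sample log: 203.0.113.7 collects five 403s within three minutes,
// 198.51.100.9 only one; the last line is hours later and outside any window.
const SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2019:12:00:01 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Aug/2019:12:00:09 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Aug/2019:12:00:15 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Aug/2019:12:00:40 +0000] "GET /app/index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Aug/2019:12:01:02 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Aug/2019:12:01:44 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Aug/2019:12:02:30 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Aug/2019:13:30:00 +0000] "POST /app/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
];

/** Parse one combined-log line into ['ip', 'time', 'status'], or null if it does not match. */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'status' => (int) $m[3]];
}

/**
 * Sliding-window rule: returns the client addresses that produced at least
 * $max 403 responses within any $windowMins-minute span, in the order in
 * which they crossed the threshold. Non-403 lines are ignored.
 */
function ips_to_block(array $lines, int $max = MAX_403, int $windowMins = WINDOW_MINS): array
{
    $window  = $windowMins * 60;
    $hits    = [];   // ip => timestamps of 403s still inside the window
    $flagged = [];
    foreach ($lines as $line) {
        $e = parse_log_line($line);
        if ($e === null || $e['status'] !== 403) {
            continue;
        }
        $ip  = $e['ip'];
        $now = $e['time'];
        $hits[$ip][] = $now;
        // Forget hits older than the window relative to this one.
        $hits[$ip] = array_values(array_filter(
            $hits[$ip],
            function (int $t) use ($now, $window): bool { return $now - $t <= $window; }
        ));
        if (count($hits[$ip]) >= $max && !in_array($ip, $flagged, true)) {
            $flagged[] = $ip;
        }
    }
    return $flagged;
}

if (PHP_SAPI === 'cli') {
    print_r(ips_to_block(SAMPLE_LOG));   // lists 203.0.113.7 only
}
```

Two things to check before relying on this rule on a live server: the application must really answer a failed login with status 403 (confirm it in the access log, since a generic 200 error page would never be counted), and behind a reverse proxy the first field of the log line is the proxy's address, so the log format has to record the forwarded client address instead.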
