Improve security / safety against DDOS and brute force (failed) logins

onoehring
Veteran Member
Posts: 263
Joined: 2019-05-21 22:42
Contact:

Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-01 07:44

Hi,

I present a little more safety for your applications.

The attached file will count access from a user (by IP), and, if the file is being accessed too much (defined in the script), the user (IP) will be banned for a certain time (defined in the script) from accessing some page. The user will then see a countdown which changes back to a link once the countdown (wait/ban) is over.
Attachment: antiflood2019-08-01.zip (2.75 KiB, downloaded 13 times)

You can use this very easily to prevent brute force attacks on your login page.

Installation for the use in AppGini
1. Place the file in the attached ZIP in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood), make sure the folder is writable by the webserver (750)
3. If you want to prevent countless logins (brute force), just include this file in hooks/__global.php in the login_failed function with this single line of code (probably even without php opening/closing).

Code:

<?php include "antiflood.php"; ?>
Simple as that.

If you do this, the user will have a certain number of login tries before he has to wait.

The script does not need any cookies.
You may adjust the number of allowed page requests for the user, the time interval for counting page requests (seconds) = how often the page can be loaded in that time, the seconds to punish the user who has exceeded the requests, and the directory name to keep script data.

Suggestions? Comments?
Oh, not my idea, nor my script. I simply adjusted and added a little (see documentation in file).
And: I know that it's not a real nice solution concerning DDOS - but still ;-)

Olaf

AhmedBR
Veteran Member
Posts: 193
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-19 20:09

Nice, BUT all you have to do is request the URL again, and you will get the login screen bypassing the time lock.

AhmedBR
Veteran Member
Posts: 193
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-19 20:17

And also if you just click the Back button you will get the login screen as well.

onoehring
Veteran Member
Posts: 263
Joined: 2019-05-21 22:42
Contact:

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-20 06:24

Hi AhmedBR,

well, you are (unfortunately) correct, I will take a look and post the improvement.

Olaf

onoehring
Veteran Member
Posts: 263
Joined: 2019-05-21 22:42
Contact:

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-20 07:09

Hi AhmedBR,

thank you for making my day. When I tried your suggestion, I really had to laugh. That was classic. You are correct, my suggested solution was easy to circumvent using the browser's back button.
Explanation: The antiflood was only included after the login attempt failed (sounds reasonable), but not (and here is the mistake) before the page is rendered.
I changed the include position to /login.php and this prevents using browser refresh/back in my case. Maybe someone else tries.

Also, I recommend using this code to include

Code:

<?php include("$currDir/hooks/antiflood.php"); ?>
So please do not use the method described in the thread above - it does not fulfill its purpose!
Use this instead
1. Place this file in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood), make sure the folder is writable by the webserver (750)
3. Include this file in /login.php as the very first line. Simply add
<?php include("$currDir/hooks/antiflood.php"); ?>
before everything else in that file.

Important: Please note, that the login.php will be overwritten, once you regenerate your files with AppGini.


Updated antiflood.php file (updated instructions):
Attachment: antiflood2019-08-20.zip (2.78 KiB, downloaded 12 times)
Any suggestions/comments?

Olaf
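As an added illustration of the mechanism this post describes (a per-IP request counter, a timed ban, and a countdown page that turns back into a link), here is a small script in the same spirit; it is not the attached antiflood.php. It is written to be included before anything is rendered, which is the point of the fix above; the parameter names, the JSON state file per IP and the 429 response are assumptions of this example.

```php
<?php
// Added example (not the attached antiflood.php): per-IP request counter with a
// temporary ban, one small JSON state file per IP. Include it as the very first
// line of login.php so nothing is rendered while the IP is banned.
$af_max_requests = 5;                       // requests allowed per IP inside the interval
$af_interval     = 60;                      // seconds in which requests are counted
$af_ban_seconds  = 300;                     // seconds the IP must wait after exceeding the limit
$af_dir          = __DIR__ . '/antiflood';  // must exist and be writable by the web server

function antiflood_check($ip, $max, $interval, $ban, $dir) {
    // One state file per IP; hashing keeps the IP string out of the file name.
    $file  = $dir . '/' . sha1($ip) . '.json';
    $now   = time();
    $state = ['start' => $now, 'count' => 0, 'banned_until' => 0];
    if (is_file($file)) {
        $saved = json_decode((string) file_get_contents($file), true);
        if (is_array($saved)) $state = array_merge($state, $saved);
    }
    if ($state['banned_until'] > $now) {
        return $state['banned_until'] - $now;   // still banned: seconds left to wait
    }
    if ($now - $state['start'] > $interval) {   // counting window expired: start over
        $state = ['start' => $now, 'count' => 0, 'banned_until' => 0];
    }
    $state['count']++;
    $wait = 0;
    if ($state['count'] > $max) {               // limit exceeded: ban, then count afresh
        $state = ['start' => $now, 'count' => 0, 'banned_until' => $now + $ban];
        $wait  = $ban;
    }
    // Read-modify-write is not atomic; fine for a login page, not for high traffic.
    file_put_contents($file, json_encode($state), LOCK_EX);
    return $wait;                               // 0 means the request may proceed
}

// REMOTE_ADDR is the TCP peer; behind a reverse proxy map the real client IP first.
$af_wait = antiflood_check($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0',
                           $af_max_requests, $af_interval, $af_ban_seconds, $af_dir);
if ($af_wait > 0) {
    http_response_code(429);
    header('Retry-After: ' . $af_wait);
    $url = htmlspecialchars($_SERVER['REQUEST_URI'] ?? '/', ENT_QUOTES, 'UTF-8');
    echo "<p>Too many requests. Please wait <span id=\"af-left\">$af_wait</span> seconds.</p>",
         "<p id=\"af-link\" hidden><a href=\"$url\">Try again</a></p>",
         "<script>var s=$af_wait,t=setInterval(function(){if(--s<=0){clearInterval(t);",
         "document.getElementById('af-link').hidden=false;}",
         "document.getElementById('af-left').textContent=Math.max(s,0);},1000);</script>";
    exit;   // stop here so the login form is never rendered to a banned IP
}
```

Because the check runs and exits before the login form is output, reloading the page or using the browser's back button only shows the countdown again until the ban expires.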

AhmedBR
Veteran Member
Posts: 193
Joined: 2013-09-19 10:23

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by AhmedBR » 2019-08-24 16:46

Looks Good :D ;)
Thanks for sharing.

onoehring
Veteran Member
Posts: 263
Joined: 2019-05-21 22:42
Contact:

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by onoehring » 2019-08-24 17:33

Hi,

thank you for your feedback.
Olaf

a.gneady
Site Admin
Posts: 1024
Joined: 2012-09-27 14:46
Contact:

Re: Improve security / safety against DDOS and brute force (failed) logins

Post by a.gneady » 2019-08-27 12:13

Nice work, Olaf. I'd like to add a little tip. When a user tries to sign in with an incorrect password, they get the usual invalid login page, but they also get a 403 Access Denied header. You can use this fact to configure a server firewall to block users by IP address after x 'Access Denied' responses in y minutes. A widely used firewall on Linux servers that supports such rules is CSF.