
Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-01 07:44
by onoehring
Hi,

I present a little more safety for your applications.

The attached file will count access from a user (by IP), and, if the file is being accessed too much (defined in the script), the user (IP) will be banned for a certain time (defined in the script) from accessing some page. The user will then see a countdown which changes back to a link once the countdown (wait/ban) is over.

Attachment: antiflood2019-08-01.zip (2.75 KiB)

You can use this very easily to prevent brute force attacks on your login page.

Installation for the use in AppGini
1. Place the file in the attached ZIP in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood) and make sure the folder is writeable by the web server (750).
3. If you want to prevent countless logins (brute force), just include this file in hooks/__global.php in the login_failed function with this single line of code (probably even without the php opening/closing tags).

<?php include "antiflood.php"; ?>
Simple as that.

If you do this, the user will have a certain number of login tries before he has to wait.

The script does not need any cookies.
You may adjust the number of allowed page requests for the user, the time interval (seconds) in which page requests are counted (i.e. how often the page can be loaded in that time), the number of seconds to punish a user who has exceeded the allowed requests, and the directory name in which to keep the script data.

Suggestions? Comments?
Oh, not my idea, nor my script. I simply adjusted and added a little (see documentation in file).
And: I know that it's not a real nice solution concerning DDOS - but still ;-)

Olaf

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-19 20:09
by AhmedBR
Nice, BUT all you have to do is request the URL again, and you will get the login screen bypassing the time lock.

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-19 20:17
by AhmedBR
And also if you just click the Back button you will get the login screen as well.

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-20 06:24
by onoehring
Hi AhmedBR,

well, you are (unfortunately) correct, I will take a look and post the improvement.

Olaf

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-20 07:09
by onoehring
Hi AhmedBR,

thank you for making my day. When I tried your suggestion, I really had to laugh. That was classic. You are correct, my suggested solution was easy to circumvent using the browser's Back button.
Explanation: The antiflood was only included after the login attempt failed (sounds reasonable), but not (and here is the mistake) before the page is rendered.
I changed the include position to /login.php and this prevents using browser refresh/back in my case. Maybe someone else tries.

Also, I recommend using this code to include

<?php include("$currDir/hooks/antiflood.php"); ?>
So please do not use the method described in the thread above - it does not fulfill its purpose!
Use this instead
1. Place this file in the hooks folder (hooks/antiflood.php).
2. Create a subfolder "antiflood" in your hooks folder (hooks/antiflood) and make sure the folder is writeable by the web server (750).
3. Include this file in /login.php as the very first line. Simply add
<?php include("$currDir/hooks/antiflood.php"); ?>
before everything else in that file.

Important: Please note that login.php will be overwritten once you regenerate your files with AppGini.


Updated antiflood.php file (updated instructions):
Attachment: antiflood2019-08-20.zip (2.78 KiB)
Any suggestions/comments?

Olaf
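The mechanism described in the first post (count requests per IP inside a time window, then lock the IP out for a fixed number of seconds) and the placement lesson from the corrected post (run the check before the page is rendered, not only after a failed login) can both be shown in a short PHP file. The code below is an added example written for this thread; it is not the attached antiflood.php and not AppGini's own code. It assumes the hooks/antiflood data directory from step 2 already exists and is writeable, that `$currDir` is defined by the including page as it is in AppGini's login.php, and it replies with a plain HTTP 429 and Retry-After instead of the countdown page the attachment renders.

```php
<?php
// Added example for the thread, not the attached antiflood.php: a per-IP
// request counter with a temporary lockout, stored as one small JSON file
// per client under a data directory. Include it as the very first line of
// login.php so it runs on every render of the page; a refresh or Back
// cannot skip it because the check happens before any output.
declare(strict_types=1);

const AF_MAX_REQUESTS   = 5;            // allowed requests per window
const AF_WINDOW_SECONDS = 60;           // counting window in seconds
const AF_BAN_SECONDS    = 300;          // lockout length once exceeded
const AF_DATA_DIR       = 'antiflood';  // subfolder of hooks/ (assumed layout)

function af_client_id(): string {
    // REMOTE_ADDR is the only address the web server itself vouches for;
    // X-Forwarded-For is client-controlled unless a trusted proxy sets it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return hash('sha256', $ip);          // never use the raw IP as a file name
}

/**
 * Records one request for $clientId and returns how many seconds the client
 * must still wait (0 means the request is allowed). State is kept in
 * $dataDir/<clientId>.json and protected with an exclusive lock so parallel
 * requests cannot race each other past the limit.
 */
function af_check(string $dataDir, string $clientId, int $now): int {
    if (!is_dir($dataDir)) {
        error_log("antiflood: data directory $dataDir missing, check skipped");
        return 0;                        // misconfiguration: fail open, but log it
    }
    $fh = fopen(rtrim($dataDir, '/') . '/' . $clientId . '.json', 'c+');
    if ($fh === false) {
        return 0;
    }
    flock($fh, LOCK_EX);
    $state = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
    // keep only the hits that are still inside the counting window
    $hits = array_filter($state['hits'] ?? [], fn($t) => $t > $now - AF_WINDOW_SECONDS);
    $bannedUntil = (int)($state['banned_until'] ?? 0);

    if ($bannedUntil > $now) {
        $wait = $bannedUntil - $now;     // still locked out
    } else {
        $hits[] = $now;
        if (count($hits) > AF_MAX_REQUESTS) {
            $bannedUntil = $now + AF_BAN_SECONDS;
            $wait = AF_BAN_SECONDS;
            $hits = [];                  // window restarts after the ban
        } else {
            $wait = 0;
        }
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode(['hits' => array_values($hits), 'banned_until' => $bannedUntil]));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $wait;
}

// Only act when included from a web request; $currDir comes from AppGini's
// login.php (assumption), __DIR__ is the fallback for stand-alone use.
if (PHP_SAPI !== 'cli') {
    $dataDir = ($currDir ?? __DIR__) . '/hooks/' . AF_DATA_DIR;
    $wait = af_check($dataDir, af_client_id(), time());
    if ($wait > 0) {
        http_response_code(429);
        header('Retry-After: ' . $wait);
        exit('Too many attempts. Try again in ' . $wait . ' seconds.');
    }
}
```

Two caveats a practitioner should weigh before using any IP-based lockout like this: every client behind the same NAT or proxy shares one counter, so a busy office can lock itself out, and a distributed flood spread over many source addresses never trips a per-IP limit at all, which is the limitation Olaf already acknowledges for DDoS. The hashed file name keeps the data directory from leaking visitor addresses, and the lock around read-modify-write is what stops concurrent requests from each seeing the same old count.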

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-24 16:46
by AhmedBR
Looks Good :D ;)
Thanks for sharing.

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-24 17:33
by onoehring
Hi,

thank you for your feedback.
Olaf

Re: Improve security / safety against DDOS and brute force (failed) logins

Posted: 2019-08-27 12:13
by a.gneady
Nice work, Olaf. I'd like to add a little tip. When a user tries to sign in with an incorrect password, they get the usual invalid login page, but they also get a 403 Access Denied header. You can use this fact to configure a server firewall to block users by IP address after x 'Access Denied' responses in y minutes. A widely used firewall on Linux servers that supports such rules is CSF