2012-06-06 11:00:02 +02:00
|
|
|
<?php
|
|
|
|
App::uses('AppModel', 'Model');
|
2016-08-18 06:30:05 +02:00
|
|
|
App::uses('ConnectionManager', 'Model');
|
2012-06-06 11:12:19 +02:00
|
|
|
App::uses('Sanitize', 'Utility');
|
|
|
|
|
2018-07-19 11:48:22 +02:00
|
|
|
class Bruteforce extends AppModel
|
|
|
|
{
|
|
|
|
public function insert($ip, $username)
|
|
|
|
{
|
|
|
|
$this->Log = ClassRegistry::init('Log');
|
|
|
|
$this->Log->create();
|
2020-02-10 11:41:54 +01:00
|
|
|
$expire = Configure::check('SecureAuth.expire') ? Configure::read('SecureAuth.expire') : 300;
|
|
|
|
$amount = Configure::check('SecureAuth.amount') ? Configure::read('SecureAuth.amount') : 5;
|
|
|
|
$expire = time() + $expire;
|
2018-07-19 11:48:22 +02:00
|
|
|
$expire = date('Y-m-d H:i:s', $expire);
|
|
|
|
$bruteforceEntry = array(
|
|
|
|
'ip' => $ip,
|
2020-02-10 11:41:54 +01:00
|
|
|
'username' => trim(strtolower($username)),
|
2018-07-19 11:48:22 +02:00
|
|
|
'expire' => $expire
|
|
|
|
);
|
|
|
|
$this->save($bruteforceEntry);
|
|
|
|
$title = 'Failed login attempt using username ' . $username . ' from IP: ' . $_SERVER['REMOTE_ADDR'] . '.';
|
2020-09-01 12:56:35 +02:00
|
|
|
if ($this->isBlocklisted($ip, $username)) {
|
|
|
|
$title .= 'This has tripped the bruteforce protection after ' . $amount . ' failed attempts. The user is now blocklisted for ' . $expire . ' seconds.';
|
2018-07-19 11:48:22 +02:00
|
|
|
}
|
|
|
|
$log = array(
|
|
|
|
'org' => 'SYSTEM',
|
|
|
|
'model' => 'User',
|
|
|
|
'model_id' => 0,
|
|
|
|
'email' => $username,
|
|
|
|
'action' => 'login_fail',
|
|
|
|
'title' => $title
|
|
|
|
);
|
|
|
|
$this->Log->save($log);
|
|
|
|
}
|
2012-06-06 11:00:02 +02:00
|
|
|
|
2018-07-19 11:48:22 +02:00
|
|
|
public function clean()
|
|
|
|
{
|
|
|
|
$dataSourceConfig = ConnectionManager::getDataSource('default')->config;
|
|
|
|
$dataSource = $dataSourceConfig['datasource'];
|
2020-02-10 11:41:54 +01:00
|
|
|
$expire = date('Y-m-d H:i:s', time());
|
2020-04-14 15:18:25 +02:00
|
|
|
if ($dataSource == 'Database/Mysql' || $dataSource == 'Database/MysqlObserver') {
|
2020-02-10 11:41:54 +01:00
|
|
|
$sql = 'DELETE FROM bruteforces WHERE `expire` <= "' . $expire . '";';
|
2018-07-19 11:48:22 +02:00
|
|
|
} elseif ($dataSource == 'Database/Postgres') {
|
2020-03-30 15:19:43 +02:00
|
|
|
$sql = 'DELETE FROM bruteforces WHERE expire <= \'' . $expire . '\';';
|
2018-07-19 11:48:22 +02:00
|
|
|
}
|
|
|
|
$this->query($sql);
|
|
|
|
}
|
2012-06-06 11:00:02 +02:00
|
|
|
|
2020-09-01 12:56:35 +02:00
|
|
|
public function isBlocklisted($ip, $username)
|
2018-07-19 11:48:22 +02:00
|
|
|
{
|
|
|
|
// first remove old expired rows
|
|
|
|
$this->clean();
|
|
|
|
// count
|
2020-02-08 09:35:37 +01:00
|
|
|
$params = array(
|
|
|
|
'conditions' => array(
|
|
|
|
'Bruteforce.ip' => $ip,
|
|
|
|
'LOWER(Bruteforce.username)' => trim(strtolower($username)))
|
|
|
|
);
|
2018-07-19 11:48:22 +02:00
|
|
|
$count = $this->find('count', $params);
|
2020-02-08 09:35:37 +01:00
|
|
|
$amount = Configure::check('SecureAuth.amount') ? Configure::read('SecureAuth.amount') : 5;
|
|
|
|
if ($count >= $amount) {
|
2018-07-19 11:48:22 +02:00
|
|
|
return true;
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2012-06-06 11:00:02 +02:00
|
|
|
}
|