added: IP ban mechanism (not finished yet -- we need a winix function to remove a ban)

now after some incorrent login attempts your IP can be banned or blocked
       (see new config variables)


git-svn-id: svn://ttmath.org/publicrep/winix/trunk@902 e52654a7-88a9-db11-a3e9-0013d4bc506e

functions/Makefile.o.dep

@@ -1 +1 @@
-o = adduser.o cat.o chmod.o chown.o ckeditor.o cp.o default.o download.o emacs.o env.o functionbase.o functionparser.o functions.o last.o ln.o locale.o login.o logout.o ls.o man.o meta.o mkdir.o mount.o mv.o nicedit.o node.o passwd.o priv.o privchanger.o pw.o reload.o rm.o rmuser.o run.o sort.o specialdefault.o stat.o subject.o template.o timezone.o tinymce.o uname.o upload.o uptime.o vim.o who.o 
+o = adduser.o cat.o chmod.o chown.o ckeditor.o cp.o default.o download.o emacs.o env.o functionbase.o functionparser.o functions.o ipban.o last.o ln.o locale.o login.o logout.o ls.o man.o meta.o mkdir.o mount.o mv.o nicedit.o node.o passwd.o priv.o privchanger.o pw.o reload.o rm.o rmuser.o run.o sort.o specialdefault.o stat.o subject.o template.o timezone.o tinymce.o uname.o upload.o uptime.o vim.o who.o 

functions/functionbase.cpp

@@ -71,6 +71,12 @@ void FunctionBase::SetSynchro(Synchro * psynchro)
 }
 
 
+void FunctionBase::SetSessionManager(SessionManager * pmanager)
+{
+	session_manager = pmanager;
+}
+
+
 void FunctionBase::Init()
 {
 	// this method is called only once at the beginning

functions/functionbase.h

@@ -63,6 +63,7 @@ public:
 	void SetFunctions(Functions * pfunctions);
 	void SetTemplates(Templates * ptemplates);
 	void SetSynchro(Synchro * psynchro);
+	void SetSessionManager(SessionManager * pmanager);
 
 protected:
 
@@ -73,7 +74,7 @@ protected:
 	Functions * functions;
 	Templates * templates;
 	Synchro   * synchro;
-
+	SessionManager * session_manager;
 };
 
 

functions/functions.cpp

@@ -52,6 +52,11 @@ void Functions::SetSynchro(Synchro * psynchro)
 }
 
 
+void Functions::SetSessionManager(SessionManager * pmanager)
+{
+	session_manager = pmanager;
+}
+
 
 
 size_t Functions::FunctionsSize()
@@ -143,6 +148,7 @@ void Functions::SetObjects(FunctionBase * fun)
 	fun->SetFunctions(this);
 	fun->SetTemplates(templates);
 	fun->SetSynchro(synchro);
+	fun->SetSessionManager(session_manager);
 }
 
 
@@ -192,6 +198,7 @@ void Functions::CreateFunctions()
 	Add(fun_logout);
 	Add(fun_ln);
 	Add(fun_ls);
+	Add(fun_ipban);
 	Add(fun_man);
 	Add(fun_meta);
 	Add(fun_mkdir);

functions/functions.h

@@ -29,6 +29,7 @@
 #include "logout.h"
 #include "ln.h"
 #include "ls.h"
+#include "ipban.h"
 #include "man.h"
 #include "meta.h"
 #include "mkdir.h"
@@ -82,6 +83,7 @@ public:
 	Fun::Logout		fun_logout;
 	Fun::Ln			fun_ln;
 	Fun::Ls			fun_ls;
+	Fun::IPBanFun	fun_ipban;
 	Fun::Man		fun_man;
 	Fun::Meta		fun_meta;
 	Fun::Mkdir		fun_mkdir;
@@ -129,6 +131,7 @@ public:
 	void SetSystem(System * psystem);
 	void SetTemplates(Templates * ptemplates);
 	void SetSynchro(Synchro * psynchro);
+	void SetSessionManager(SessionManager * pmanager);
 
 	FunctionBase * Find(const std::wstring & function_name);
 	Error CheckSpecialFile(const Item & item);
@@ -163,6 +166,7 @@ private:
 	System  * system;
 	Synchro * synchro;
 	Templates * templates;
+	SessionManager * session_manager;
 
 	std::wstring temp;
 	HTMLFilter html_filter;

functions/ipban.cpp

@@ -0,0 +1,43 @@
+/*
+ * This file is a part of Winix
+ * and is not publicly distributed
+ * 
+ * Copyright (c) 2012, Tomasz Sowa
+ * All rights reserved.
+ * 
+ */
+ 
+#include "ipban.h"
+#include "functions.h"
+
+
+
+namespace Fun
+{
+
+IPBanFun::IPBanFun()
+{
+	fun.url = L"ipban";
+}
+
+
+
+bool IPBanFun::HasAccess()
+{
+	return cur->session->puser && cur->session->puser->super_user;
+}
+
+
+void IPBanFun::MakePost()
+{
+
+}
+
+
+void IPBanFun::MakeGet()
+{
+
+}
+
+
+} // namespace

functions/ipban.h

@@ -0,0 +1,36 @@
+/*
+ * This file is a part of Winix
+ * and is not publicly distributed
+ * 
+ * Copyright (c) 2012, Tomasz Sowa
+ * All rights reserved.
+ * 
+ */
+ 
+#ifndef headerfile_winix_functions_ipban
+#define headerfile_winix_functions_ipban
+
+#include "functionbase.h"
+
+
+
+namespace Fun
+{
+
+// IPBanFun in order to not confused with IPBan from core winix
+class IPBanFun : public FunctionBase
+{
+public:
+
+	IPBanFun();
+
+	bool HasAccess();
+	void MakePost();
+	void MakeGet();
+
+};
+
+
+} // namespace
+
+#endif

functions/login.cpp

@@ -6,7 +6,8 @@
  * All rights reserved.
  * 
  */
- 
+
+#include "core/sessionmanager.h"
 #include "login.h"
 #include "utf8/utf8.h"
 
@@ -64,7 +65,12 @@ bool Login::CheckPasswords(const std::wstring & password)
 		return false;
 	}
 
-return up.pass == up2.pass;
+	bool result = (up.pass == up2.pass);
+
+	if( !result )
+		log << log2 << "Login: incorrect login/password" << logend;
+
+return result;
 }
 
 
@@ -85,7 +91,7 @@ bool result;
 	}
 	else
 	{
-		log << log1 << "Login: there is no a user: " << login << " in the database (or an error)" << logend;
+		log << log2 << "Login: there is no a user name: " << login << logend;
 		result = false;
 	}
 
@@ -95,24 +101,157 @@ return result;
 }
 
 
+
+void Login::AddBanInfo()
+{
+	IPBan * ip_ban = cur->session->ip_ban;
+
+	if( !ip_ban )
+		ip_ban = &session_manager->AddIPToBanList(cur->request->ip);
+
+	ip_ban->last_used = cur->request->start_time;
+
+	if( ip_ban->expires != 0 && cur->request->start_time >= ip_ban->expires )
+	{
+		// the 'ip block' has expired
+		ip_ban->ClearAfterRemovingBan();
+		log << log3 << "Login: removing the IP block for logging" << logend;
+	}
+
+	if( ip_ban->incorrect_login_events < config->incorrect_login_cannot_login_treshold )
+		ip_ban->incorrect_login_events += 1;
+
+	if( ip_ban->incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
+	{
+		log << log2 << "Login: too many incorrect login attempts from this IP" << logend;
+
+		if( config->incorrect_login_cannot_login_mode == 0 )
+		{
+			// don't set WINIX_IPBAN_FLAG_ACTIVE here for IPBan::IsIPBanned() to return false (in CannotLoginFrom)
+			ip_ban->expires = cur->request->start_time + (time_t)config->incorrect_login_cannot_login_delay;
+			PT::Date date(ip_ban->expires);
+			log << log2 << "Login: logging from this IP address has been blocked until to: " << date << " UTC" << logend;
+		}
+		else
+		if( config->incorrect_login_cannot_login_mode == 1 )
+		{
+			ip_ban->SetFlag(WINIX_IPBAN_FLAG_ACTIVE);
+			ip_ban->AddNextBanLevel(cur->request->start_time + (time_t)config->ban_level_1_delay,
+									cur->request->start_time + (time_t)config->ban_level_2_delay,
+									cur->request->start_time + (time_t)config->ban_level_3_delay);
+			PT::Date date(ip_ban->expires);
+			log << log2 << "Login: this IP address has been banned until to: " << date << " UTC" << logend;
+		}
+	}
+}
+
+
+bool Login::ShouldUseCaptchaForCurrentIP()
+{
+	if( cur->session->ip_ban )
+		return ShouldUseCaptchaFor(*cur->session->ip_ban);
+
+return false;
+}
+
+
+bool Login::ShouldUseCaptchaFor(const IPBan & ipban)
+{
+	if( ipban.expires != 0 && cur->request->start_time >= ipban.expires )
+		return false; // the 'ip block' has expired (but incorrect_login_events has the old value)
+
+return ipban.incorrect_login_events >= config->incorrect_login_captcha_treshold;
+}
+
+
+bool Login::CannotLoginFromCurrentIP()
+{
+	if( cur->session->ip_ban )
+		return CannotLoginFrom(*cur->session->ip_ban);
+
+return false;
+}
+
+
+bool Login::CannotLoginFrom(const IPBan & ipban)
+{
+	if( ipban.IsIPBanned() )
+		return true;
+
+	if( ipban.expires != 0 &&
+		cur->request->start_time < ipban.expires &&
+		ipban.incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
+		return true;
+
+return false;
+}
+
+
+
+bool Login::CheckAbuse()
+{
+	time_t diff = (time_t)config->incorrect_login_min_time_between_get_post;
+
+	if( cur->session->last_time_get + diff > cur->request->start_time )
+	{
+		log << log2 << "Login: the minimum time between GET and POST have not passed" << logend;
+		return false;
+	}
+
+	if( ShouldUseCaptchaForCurrentIP() )
+	{
+		if( !system->rebus.CheckRebus() )
+		{
+			return false;
+		}
+	}
+
+return true;
+}
+
+
 bool Login::LoginUser(const std::wstring & login, const std::wstring & password, bool remember_me, bool use_ses_log)
 {
 long user_id;
 
 	if( cur->session->id == 0 )
 	{
-		log << log1 << "Login: can't login in a temporary session (skipped)" << logend;
+		log << log2 << "Login: can't login in a temporary session (skipped)" << logend;
 		return false;
 	}
 
+	if( CannotLoginFromCurrentIP() )
+	{
+		log << log2 << "Login: you cannot login from this IP address" << logend;
+		return false;
+	}
+
+	if( login.empty() )
+	{
+		log << log3 << "Login: login is empty (skipping)" << logend;
+		return false;
+	}
+
+	if( !CheckAbuse() )
+	{
+		AddBanInfo();
+		return false;
+	}
+
+
 	if( CheckUserPass(login, password, user_id) )
 	{
 		if( system->users.LoginUser(user_id, remember_me, use_ses_log) )
+		{
+			if( cur->session->ip_ban )
+				cur->session->ip_ban->incorrect_login_events = 0;
+
 			return true;
+		}
 	}
 	else
 	{
-		log << log2 << "Login: incorrect login/password" << logend;
+		AddBanInfo();
 	}
 
 return false;
@@ -130,6 +269,9 @@ void Login::MakePost()
 }
 
 
+void Login::MakeGet()
+{
+}
 
 
 } // namespace

functions/login.h

@@ -2,7 +2,7 @@
  * This file is a part of Winix
  * and is not publicly distributed
  * 
- * Copyright (c) 2010-2011, Tomasz Sowa
+ * Copyright (c) 2010-2012, Tomasz Sowa
  * All rights reserved.
  * 
  */
@@ -24,14 +24,26 @@ class Login : public FunctionBase
 public:
 
 	Login();
+
 	void MakePost();
+	void MakeGet();
+
+	bool ShouldUseCaptchaForCurrentIP();
+	bool ShouldUseCaptchaFor(const IPBan & ipban);
+
+	bool CannotLoginFromCurrentIP();
+	bool CannotLoginFrom(const IPBan & ipban);
+
 	bool CheckUserPass(const std::wstring & login, const std::wstring & password, long & user_id);
 	bool LoginUser(const std::wstring & login, const std::wstring & password, bool remember_me, bool use_ses_log = false);
 
+
 private:
 	
 	void ClearTmpStruct();
 	bool CheckPasswords(const std::wstring & password);
+	void AddBanInfo();
+	bool CheckAbuse();
 
 	UserPass up, up2;
 	std::string pass_decrypted;