added: possibility to ban if a session cookie is incorrect (when we are using encoded cookies)
added: possibility to ban if a client tries to hijack the session cookie added: possibility to ban if a client did not send a session cookie renamed: ezc functions: login_cannot_login -> ipban_is_login_allowed_from_this_ip (and the return value was changed) login_when_available_login -> ipban_current_ip_expires_time added: config options: // after how many broken encoded cookie we should ban the current IP // default: 2 (value in the range <0 - 65535>) size_t broken_encoded_cookie_treshold; // after how many incorrect session identifiers (or session indices) we should ban the current IP // do not set this value too low, as people connecting from the same IP address (from behind a NAT) // would be banned if they have an old session cookie remembered in the browser // default: 128 (value in the range <0 - 65535>) size_t session_hijacking_treshold; // after how many times a client will be banned if it did not send a session cookie // default: 1000 (value in the range <0 - 65535>) size_t no_session_cookie_treshold; git-svn-id: svn://ttmath.org/publicrep/winix/trunk@995 e52654a7-88a9-db11-a3e9-0013d4bc506e
parent
76314aab10
commit
c9bf20201b
|
@ -634,8 +634,6 @@ void App::Make()
|
|||
if( cur.session->ip_ban && cur.session->ip_ban->IsIPBanned() )
|
||||
{
|
||||
PT::Date date(cur.session->ip_ban->expires);
|
||||
|
||||
log << log2 << "App: this IP address is banned until to: " << date << " UTC" << logend;
|
||||
slog << logerror << T("this_ip_is_banned_until") << ' ' << date << " UTC" << logend;
|
||||
|
||||
cur.request->status = WINIX_ERR_PERMISSION_DENIED;
|
||||
|
|
|
@ -218,9 +218,12 @@ void Config::AssignValues(bool stdout_is_closed)
|
|||
session_max = Size(L"session_max", 1000000);
|
||||
session_cookie_encode = Bool(L"session_cookie_encode", false);
|
||||
session_keys_file = Text(L"session_keys_file");
|
||||
session_allow_index_difference = Size(L"session_allow_index_difference", 8);
|
||||
session_index_time_increment = Long(L"session_index_time_increment", 30);
|
||||
session_key_renew_time = Size(L"session_key_renew_time", 172800); // 2 days
|
||||
session_allow_index_difference = Size(L"session_allow_index_difference", 8);
|
||||
session_index_time_increment = Long(L"session_index_time_increment", 30);
|
||||
session_key_renew_time = Size(L"session_key_renew_time", 172800); // 2 days
|
||||
broken_encoded_cookie_treshold = Size(L"broken_encoded_cookie_treshold", 2);
|
||||
session_hijacking_treshold = Size(L"session_hijacking_treshold", 128);
|
||||
no_session_cookie_treshold = Size(L"no_session_cookie_treshold", 1000);
|
||||
|
||||
compression = Bool(L"compression", true);
|
||||
compression_page_min_size = Size(L"compression_page_min_size", 512);
|
||||
|
@ -299,6 +302,7 @@ void Config::AssignValues(bool stdout_is_closed)
|
|||
incorrect_login_cannot_login_treshold = Size(L"incorrect_login_cannot_login_treshold", 20);
|
||||
incorrect_login_cannot_login_delay = Size(L"incorrect_login_cannot_login_delay", 1800);
|
||||
|
||||
|
||||
pid_file = Text(L"pid_file", L"");
|
||||
}
|
||||
|
||||
|
|
|
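Review bot: The three thresholds read with Size() at the new `broken_encoded_cookie_treshold`, `session_hijacking_treshold` and `no_session_cookie_treshold` lines are never clamped to the `<0 - 65535>` range the config.h comments promise, while the IPBan counters they are compared against (`broken_encoded_cookie_events`, `session_hijacking_events`, `no_session_cookie_events`, and `incorrect_login_events`, which this commit narrows to `unsigned short int` in core/ipban.h) can never exceed 65535. With a configured value above that, `events < treshold` in the SessionManager `*CheckBan()` methods is always true, the counter wraps back to 0 after `+= 1`, and the ban is never reached, so a typo in the config silently disables the protection; `incorrect_login_cannot_login_treshold` on the second hunk has the same exposure. If AssignValues() has no generic clamping helper, a line per option after the reads such as `if( broken_encoded_cookie_treshold > 65535 ) broken_encoded_cookie_treshold = 65535;` (or a load-time warning) would enforce what the comments document.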
@ -233,6 +233,20 @@ public:
|
|||
// default: 172800 = 2 days (max: 2678400 = 1 month, min: 10)
|
||||
size_t session_key_renew_time;
|
||||
|
||||
// after how many broken encoded cookie we should ban the current IP
|
||||
// default: 2 (value in the range <0 - 65535>)
|
||||
size_t broken_encoded_cookie_treshold;
|
||||
|
||||
// after how many incorrect session identifiers (or session indices) we should ban the current IP
|
||||
// do not set this value too low, as people connecting from the same IP address (from behind a NAT)
|
||||
// would be banned if they have an old session cookie remembered in the browser
|
||||
// default: 128 (value in the range <0 - 65535>)
|
||||
size_t session_hijacking_treshold;
|
||||
|
||||
// after how many times a client will be banned if it did not send a session cookie
|
||||
// default: 1000 (value in the range <0 - 65535>)
|
||||
size_t no_session_cookie_treshold;
|
||||
|
||||
// allow the winix output to be compressed
|
||||
// default: true
|
||||
bool compression;
|
||||
|
@ -672,7 +686,7 @@ public:
|
|||
|
||||
// how many incorrect logins there must have been passed to display a captcha
|
||||
// next to the login form
|
||||
// default: 3
|
||||
// default: 3 (value in the range <0 - 65535>)
|
||||
size_t incorrect_login_captcha_treshold;
|
||||
|
||||
// the way how we prevent to login if there are too many incorrect login attempts
|
||||
|
@ -683,7 +697,7 @@ public:
|
|||
int incorrect_login_cannot_login_mode;
|
||||
|
||||
// after how many incorrect login attempts we do the incorrect_login_cannot_login_mode action
|
||||
// default: 20
|
||||
// default: 20 (value in the range <0 - 65535>)
|
||||
size_t incorrect_login_cannot_login_treshold;
|
||||
|
||||
// used when incorrect_login_cannot_login_mode is zero
|
||||
|
|
28
core/ipban.h
28
core/ipban.h
|
@ -87,11 +87,21 @@ struct IPBan
|
|||
// the ban level to a greater value
|
||||
time_t expires;
|
||||
|
||||
|
||||
// how many incorrect login attempts there are
|
||||
unsigned int incorrect_login_events;
|
||||
unsigned short int incorrect_login_events;
|
||||
|
||||
// in the future there can be more *_events fields
|
||||
// how many incorrect encoded cookie were sent
|
||||
// only used if config.session_cookie_encode is true and session_keys_file is defined
|
||||
unsigned short int broken_encoded_cookie_events;
|
||||
|
||||
// how many incorrect session identifiers were sent
|
||||
unsigned short int session_hijacking_events;
|
||||
|
||||
// client didn't send a session cookie
|
||||
// it can be a bot or just someone wants to DOS the server
|
||||
// (a new session will be create)
|
||||
unsigned short int no_session_cookie_events;
|
||||
|
||||
|
||||
bool HasFlag(int flag) const
|
||||
|
@ -123,7 +133,7 @@ struct IPBan
|
|||
}
|
||||
|
||||
|
||||
void AddNextBanLevel(time_t level1_expires, time_t level2_expires, time_t level3_expires)
|
||||
void IncrementBanLevel(time_t level1_expires, time_t level2_expires, time_t level3_expires)
|
||||
{
|
||||
if( HasFlag(WINIX_IPBAN_FLAG_BAN_LEVEL3) )
|
||||
{
|
||||
|
@ -164,14 +174,20 @@ struct IPBan
|
|||
flags = 0;
|
||||
last_used = 0;
|
||||
expires = 0;
|
||||
incorrect_login_events = 0;
|
||||
incorrect_login_events = 0;
|
||||
broken_encoded_cookie_events = 0;
|
||||
session_hijacking_events = 0;
|
||||
no_session_cookie_events = 0;
|
||||
}
|
||||
|
||||
|
||||
void ClearAfterRemovingBan()
|
||||
void ResetEventsCounters()
|
||||
{
|
||||
ClearFlag(WINIX_IPBAN_FLAG_ACTIVE);
|
||||
incorrect_login_events = 0;
|
||||
incorrect_login_events = 0;
|
||||
broken_encoded_cookie_events = 0;
|
||||
session_hijacking_events = 0;
|
||||
no_session_cookie_events = 0;
|
||||
expires = 0;
|
||||
}
|
||||
|
||||
|
|
|
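Review bot: `ResetEventsCounters()` does more than its name says: besides zeroing the four `*_events` counters it calls `ClearFlag(WINIX_IPBAN_FLAG_ACTIVE)` and sets `expires = 0`, i.e. it lifts an active ban, and SessionManager::IsIPBanned() relies on exactly that side effect when `expires` has passed. A header comment above it such as `// lifts the ban (clears the ACTIVE flag and expires) and zeroes all *_events counters; meant to be called once expires has passed` would keep a future caller from using it just to clear counters while a ban is still meant to hold. The method at the start of the third hunk (the one assigning `flags = 0`) and `IncrementBanLevel()` both continue outside the hunk.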
@ -127,6 +127,9 @@ bool SessionManager::EncodeSessionId(long id, unsigned int index, std::wstring &
|
|||
}
|
||||
|
||||
|
||||
/*
|
||||
* IMPROVE ME we need a better algorithm
|
||||
*/
|
||||
long SessionManager::CreateSessionId()
|
||||
{
|
||||
long id;
|
||||
|
@ -179,6 +182,7 @@ SessionContainer::Iterator i = session_tab.End();
|
|||
|
||||
if( i != session_tab.End() )
|
||||
{
|
||||
is_session_set = true;
|
||||
session = &(*i);
|
||||
session->new_session = true;
|
||||
session->SetTimesTo(cur->request->start_time);
|
||||
|
@ -190,7 +194,7 @@ SessionContainer::Iterator i = session_tab.End();
|
|||
else
|
||||
{
|
||||
// there is a problem with generating a new session id
|
||||
log << log1 << "SM: cannot create a session id (temporary used: with id 0)" << logend;
|
||||
log << log1 << "SM: cannot create a session id" << logend;
|
||||
SetTemporarySession();
|
||||
}
|
||||
}
|
||||
|
@ -198,14 +202,18 @@ SessionContainer::Iterator i = session_tab.End();
|
|||
|
||||
void SessionManager::SetTemporarySession()
|
||||
{
|
||||
is_session_set = true;
|
||||
|
||||
session = &temporary_session;
|
||||
session->Clear(false);
|
||||
session->SetTimesTo(cur->request->start_time);
|
||||
session->new_session = false; // temporary session was initialized at the beginning
|
||||
|
||||
log << log2 << "SM: using temporary session" << logend;
|
||||
}
|
||||
|
||||
|
||||
unsigned int SessionManager::SetSessionCalcDifference(Session & ses, unsigned int index)
|
||||
unsigned int SessionManager::CalculateIndexDifference(Session & ses, unsigned int index)
|
||||
{
|
||||
unsigned int difference;
|
||||
|
||||
|
@ -233,15 +241,103 @@ void SessionManager::SetSessionPutLogInfo(Session & ses, bool has_index, unsigne
|
|||
|
||||
|
||||
|
||||
bool SessionManager::SetSessionFromCookie(long id, bool has_index, unsigned int index)
|
||||
void SessionManager::IncrementBanLevel(IPBan * ip_ban)
|
||||
{
|
||||
unsigned int difference = 0;
|
||||
ip_ban->SetFlag(WINIX_IPBAN_FLAG_ACTIVE);
|
||||
|
||||
SessionContainer::Iterator s = session_tab.FindById(id);
|
||||
ip_ban->IncrementBanLevel(cur->request->start_time + (time_t)config->ban_level_1_delay,
|
||||
cur->request->start_time + (time_t)config->ban_level_2_delay,
|
||||
cur->request->start_time + (time_t)config->ban_level_3_delay);
|
||||
|
||||
PT::Date date(ip_ban->expires);
|
||||
log << log2 << "SM: this IP address has been banned to: " << date << " UTC" << logend;
|
||||
}
|
||||
|
||||
|
||||
void SessionManager::SetFirstExpirationTime(IPBan * ip_ban)
|
||||
{
|
||||
time_t expiry = cur->request->start_time + (time_t)config->ban_level_1_delay;
|
||||
|
||||
if( ip_ban->expires < expiry )
|
||||
ip_ban->expires = expiry;
|
||||
}
|
||||
|
||||
|
||||
|
||||
void SessionManager::BrokenCookieCheckBan()
|
||||
{
|
||||
if( !current_ip_ban )
|
||||
current_ip_ban = &AddIPToBanList(cur->request->ip, cur->request->start_time);
|
||||
|
||||
if( current_ip_ban->broken_encoded_cookie_events < config->broken_encoded_cookie_treshold )
|
||||
{
|
||||
current_ip_ban->broken_encoded_cookie_events += 1;
|
||||
SetFirstExpirationTime(current_ip_ban);
|
||||
}
|
||||
else
|
||||
{
|
||||
log << log2 << "SM: too many incorrect encoded cookies were sent from this IP" << logend;
|
||||
IncrementBanLevel(current_ip_ban);
|
||||
SetTemporarySession();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void SessionManager::IncorrectSessionCheckBan()
|
||||
{
|
||||
if( !current_ip_ban )
|
||||
current_ip_ban = &AddIPToBanList(cur->request->ip, cur->request->start_time);
|
||||
|
||||
if( current_ip_ban->session_hijacking_events < config->session_hijacking_treshold )
|
||||
{
|
||||
current_ip_ban->session_hijacking_events += 1;
|
||||
SetFirstExpirationTime(current_ip_ban);
|
||||
}
|
||||
else
|
||||
{
|
||||
log << log2 << "SM: too many incorrect sessions identifiers were sent from this IP" << logend;
|
||||
IncrementBanLevel(current_ip_ban);
|
||||
SetTemporarySession();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void SessionManager::NoSessionCookieCheckBan()
|
||||
{
|
||||
if( !current_ip_ban )
|
||||
current_ip_ban = &AddIPToBanList(cur->request->ip, cur->request->start_time);
|
||||
|
||||
if( current_ip_ban->no_session_cookie_events < config->no_session_cookie_treshold )
|
||||
{
|
||||
current_ip_ban->no_session_cookie_events += 1;
|
||||
SetFirstExpirationTime(current_ip_ban);
|
||||
}
|
||||
else
|
||||
{
|
||||
log << log2 << "SM: too many times you have not sent a session cookie" << logend;
|
||||
IncrementBanLevel(current_ip_ban);
|
||||
SetTemporarySession();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
bool SessionManager::IsSessionCorrect(long id, bool has_index, unsigned int index,
|
||||
const SessionContainer::Iterator & s, unsigned int & difference)
|
||||
{
|
||||
difference = 0;
|
||||
|
||||
if( id == 0 )
|
||||
{
|
||||
log << log3 << "SM: id 0 is reserved for the temporary session" << logend;
|
||||
IncorrectSessionCheckBan();
|
||||
return false;
|
||||
}
|
||||
|
||||
if( s == session_tab.End() )
|
||||
{
|
||||
log << log3 << "SM: there is no a session with id: " << id << logend;
|
||||
IncorrectSessionCheckBan();
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -253,34 +349,51 @@ unsigned int difference = 0;
|
|||
|
||||
if( has_index )
|
||||
{
|
||||
difference = SetSessionCalcDifference(*s, index);
|
||||
difference = CalculateIndexDifference(*s, index);
|
||||
|
||||
if( (size_t)difference > config->session_allow_index_difference )
|
||||
{
|
||||
log << log2 << "SM: an incorrect session index for session: " << id
|
||||
<< ", index difference: " << (size_t)difference << logend;
|
||||
|
||||
IncorrectSessionCheckBan();
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// that session is in the table
|
||||
session = &(*s);
|
||||
session->new_session = false;
|
||||
session->last_time = cur->request->start_time;
|
||||
session->last_date = cur->request->start_date;
|
||||
return true;
|
||||
}
|
||||
|
||||
if( session->id_index_changed + config->session_index_time_increment < cur->request->start_time )
|
||||
|
||||
bool SessionManager::SetSessionFromCookie(long id, bool has_index, unsigned int index)
|
||||
{
|
||||
unsigned int difference;
|
||||
bool is_session_correct;
|
||||
|
||||
SessionContainer::Iterator s = session_tab.FindById(id);
|
||||
is_session_correct = IsSessionCorrect(id, has_index, index, s, difference);
|
||||
|
||||
if( is_session_correct )
|
||||
{
|
||||
session->id_index += 1;
|
||||
session->id_index_changed = cur->request->start_time;
|
||||
is_session_set = true;
|
||||
session = &(*s);
|
||||
session->new_session = false;
|
||||
session->last_time = cur->request->start_time;
|
||||
session->last_date = cur->request->start_date;
|
||||
|
||||
if( session->id_index_changed + config->session_index_time_increment < cur->request->start_time )
|
||||
{
|
||||
session->id_index += 1;
|
||||
session->id_index_changed = cur->request->start_time;
|
||||
}
|
||||
|
||||
if( cur->request->method == Request::get )
|
||||
session->last_time_get = cur->request->start_time;
|
||||
|
||||
SetSessionPutLogInfo(*session, has_index, difference);
|
||||
}
|
||||
|
||||
if( cur->request->method == Request::get )
|
||||
session->last_time_get = cur->request->start_time;
|
||||
|
||||
SetSessionPutLogInfo(*session, has_index, difference);
|
||||
|
||||
return true;
|
||||
return is_session_correct;
|
||||
}
|
||||
|
||||
|
||||
|
@ -296,6 +409,7 @@ bool SessionManager::SetSessionFromCookie(const std::wstring & cookie)
|
|||
if( !session_id_manager.DecodeToken(cookie, id, index) )
|
||||
{
|
||||
log << log2 << "SM: an incorrect cookie string was sent" << logend;
|
||||
BrokenCookieCheckBan();
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -309,45 +423,52 @@ bool SessionManager::SetSessionFromCookie(const std::wstring & cookie)
|
|||
}
|
||||
|
||||
|
||||
|
||||
void SessionManager::SetSession()
|
||||
bool SessionManager::IsIPBanned()
|
||||
{
|
||||
current_ip_ban = ban_tab.FindIP(cur->request->ip);
|
||||
|
||||
if( current_ip_ban && current_ip_ban->IsIPBanned() )
|
||||
if( current_ip_ban )
|
||||
{
|
||||
if( current_ip_ban->expires != 0 && cur->request->start_time >= current_ip_ban->expires )
|
||||
{
|
||||
log << log2 << "SM: removing a ban from this IP and resetting events counter" << logend;
|
||||
current_ip_ban->ClearAfterRemovingBan();
|
||||
log << log2 << "SM: resetting events counters for this IP" << logend;
|
||||
current_ip_ban->ResetEventsCounters();
|
||||
}
|
||||
else
|
||||
if( current_ip_ban->IsIPBanned() )
|
||||
{
|
||||
PT::Date date = current_ip_ban->expires;
|
||||
log << log2 << "SM: this ip is bannned to: " << date << logend;
|
||||
SetTemporarySession();
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
void SessionManager::SetSession()
|
||||
{
|
||||
is_session_set = false;
|
||||
|
||||
if( !IsIPBanned() )
|
||||
{
|
||||
CookieTab::iterator i = cur->request->cookie_tab.find(config->http_session_id_name);
|
||||
|
||||
if( i != cur->request->cookie_tab.end() )
|
||||
{
|
||||
if( !SetSessionFromCookie(i->second) )
|
||||
cur->request->cookie_tab.erase(i);
|
||||
}
|
||||
else
|
||||
{
|
||||
log << log2 << "SM: this ip is bannned, using a temporary session" << logend;
|
||||
SetTemporarySession();
|
||||
session->ip_ban = current_ip_ban;
|
||||
return;
|
||||
NoSessionCookieCheckBan();
|
||||
}
|
||||
}
|
||||
|
||||
CookieTab::iterator i = cur->request->cookie_tab.find(config->http_session_id_name);
|
||||
|
||||
if( i == cur->request->cookie_tab.end() )
|
||||
{
|
||||
if( !is_session_set )
|
||||
CreateSession();
|
||||
}
|
||||
else
|
||||
{
|
||||
if( !SetSessionFromCookie(i->second) )
|
||||
{
|
||||
// there is no such a session
|
||||
// deleting the old cookie
|
||||
cur->request->cookie_tab.erase(i);
|
||||
|
||||
// and creating a new one
|
||||
CreateSession();
|
||||
}
|
||||
}
|
||||
|
||||
session->ip_ban = current_ip_ban;
|
||||
}
|
||||
|
@ -578,6 +699,15 @@ IPBan & SessionManager::AddIPToBanList(int ip)
|
|||
}
|
||||
|
||||
|
||||
IPBan & SessionManager::AddIPToBanList(int ip, time_t cur_time)
|
||||
{
|
||||
IPBan & ban = ban_tab.AddIP(ip);
|
||||
ban.last_used = cur_time;
|
||||
|
||||
return ban;
|
||||
}
|
||||
|
||||
|
||||
size_t SessionManager::BanListSize()
|
||||
{
|
||||
return ban_tab.Size();
|
||||
|
|
|
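Review bot: `BrokenCookieCheckBan()`, `IncorrectSessionCheckBan()` and `NoSessionCookieCheckBan()` are the same twelve lines three times over, differing only in the counter, the threshold and the log text, so the next change to the ban policy has to be made in three places. A private helper taking a pointer to the IPBan counter member does it once (below; its prototype belongs next to the other private `*CheckBan()` declarations in sessionmanager.h). Its header comment should also state that the ban is escalated on the event after the threshold is reached (with `broken_encoded_cookie_treshold = 2` the third broken cookie bans), because `events < treshold` lets exactly `treshold` events through first while the config.h comments read as if the threshold itself triggers it. Note too that `NoSessionCookieCheckBan()` now creates a `ban_tab` entry for every first-time visitor without a cookie; if nothing outside this hunk prunes entries by `last_used`, the table grows with the number of distinct client IPs seen.
```cpp
// Shared policy for the *CheckBan() methods: counts one more event of the given
// kind for the current IP and, once the counter has already reached `treshold`
// (i.e. on the treshold+1-th event), escalates the ban and switches the request
// to the temporary session. Creates the IPBan entry if the IP has none yet.
void SessionManager::CheckEventBan(unsigned short int IPBan::* counter, size_t treshold, const char * too_many_msg)
{
	if( !current_ip_ban )
		current_ip_ban = &AddIPToBanList(cur->request->ip, cur->request->start_time);

	if( current_ip_ban->*counter < treshold )
	{
		current_ip_ban->*counter += 1;
		SetFirstExpirationTime(current_ip_ban);
	}
	else
	{
		log << log2 << too_many_msg << logend;
		IncrementBanLevel(current_ip_ban);
		SetTemporarySession();
	}
}


void SessionManager::BrokenCookieCheckBan()
{
	CheckEventBan(&IPBan::broken_encoded_cookie_events, config->broken_encoded_cookie_treshold,
	              "SM: too many incorrect encoded cookies were sent from this IP");
}


void SessionManager::IncorrectSessionCheckBan()
{
	CheckEventBan(&IPBan::session_hijacking_events, config->session_hijacking_treshold,
	              "SM: too many incorrect sessions identifiers were sent from this IP");
}


void SessionManager::NoSessionCookieCheckBan()
{
	CheckEventBan(&IPBan::no_session_cookie_events, config->no_session_cookie_treshold,
	              "SM: too many times you have not sent a session cookie");
}

// … unchanged: IsSessionCorrect(), SetSessionFromCookie(), IsIPBanned(), SetSession() …
```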
@ -74,6 +74,8 @@ public:
|
|||
void DeleteSessions(); // deleting all sessions
|
||||
bool ChangeSessionId(long old_id);
|
||||
|
||||
void IncrementBanLevel(IPBan * ip_ban);
|
||||
|
||||
void InitTmpSession();
|
||||
void InitBanList();
|
||||
void InitCookieEncoding();
|
||||
|
@ -93,6 +95,7 @@ public:
|
|||
size_t MarkAllSessionsToRemove(long user_id);
|
||||
|
||||
IPBan & AddIPToBanList(int ip);
|
||||
IPBan & AddIPToBanList(int ip, time_t cur_time);
|
||||
size_t BanListSize();
|
||||
IPBan & GetIPBan(size_t index);
|
||||
void RemoveIPBan(int ip);
|
||||
|
@ -107,34 +110,35 @@ private:
|
|||
Config * config;
|
||||
Cur * cur;
|
||||
System * system;
|
||||
|
||||
LastContainer * last_container;
|
||||
|
||||
// current session - set by SetSession()
|
||||
Session * session;
|
||||
|
||||
SessionContainer session_tab;
|
||||
IPBanContainer ban_tab;
|
||||
|
||||
IPBan * current_ip_ban;
|
||||
|
||||
// session with id 0
|
||||
bool is_session_set;
|
||||
Session temporary_session;
|
||||
|
||||
SessionIdManager session_id_manager;
|
||||
|
||||
bool IsSession(long s);
|
||||
|
||||
|
||||
long CreateSessionId();
|
||||
void CreateSession();
|
||||
bool IsSessionCorrect(long id, bool has_index, unsigned int index, const SessionContainer::Iterator & s, unsigned int & difference);
|
||||
bool SetSessionFromCookie(long id, bool has_index, unsigned int index);
|
||||
bool SetSessionFromCookie(const std::wstring & cookie);
|
||||
void SetTemporarySession();
|
||||
unsigned int SetSessionCalcDifference(Session & ses, unsigned int index);
|
||||
unsigned int CalculateIndexDifference(Session & ses, unsigned int index);
|
||||
void SetSessionPutLogInfo(Session & ses, bool has_index, unsigned int difference);
|
||||
bool IsIPBanned();
|
||||
void SetFirstExpirationTime(IPBan * ip_ban);
|
||||
void BrokenCookieCheckBan();
|
||||
void IncorrectSessionCheckBan();
|
||||
void NoSessionCookieCheckBan();
|
||||
|
||||
// second thread
|
||||
|
||||
/*
|
||||
* second thread
|
||||
*/
|
||||
int deleted;
|
||||
virtual void Work();
|
||||
void CheckSession(SessionContainer::Iterator & i);
|
||||
|
|
|
@ -139,45 +139,38 @@ return result;
|
|||
|
||||
|
||||
|
||||
void Login::AddBanInfo()
|
||||
void Login::CheckBan()
|
||||
{
|
||||
IPBan * ip_ban = cur->session->ip_ban;
|
||||
|
||||
if( !ip_ban )
|
||||
ip_ban = &session_manager->AddIPToBanList(cur->request->ip);
|
||||
|
||||
ip_ban->last_used = cur->request->start_time;
|
||||
|
||||
if( ip_ban->expires != 0 && cur->request->start_time >= ip_ban->expires )
|
||||
{
|
||||
// the 'ip block' has expired
|
||||
ip_ban->ClearAfterRemovingBan();
|
||||
log << log3 << "Login: removing the IP block for logging" << logend;
|
||||
ip_ban = &session_manager->AddIPToBanList(cur->request->ip, cur->request->start_time);
|
||||
cur->session->ip_ban = ip_ban;
|
||||
}
|
||||
|
||||
if( ip_ban->incorrect_login_events < config->incorrect_login_cannot_login_treshold )
|
||||
{
|
||||
ip_ban->incorrect_login_events += 1;
|
||||
|
||||
if( ip_ban->incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
|
||||
}
|
||||
else
|
||||
{
|
||||
log << log2 << "Login: too many incorrect login attempts from this IP" << logend;
|
||||
|
||||
if( config->incorrect_login_cannot_login_mode == 0 )
|
||||
{
|
||||
// don't set WINIX_IPBAN_FLAG_ACTIVE here for IPBan::IsIPBanned() to return false (in CannotLoginFrom)
|
||||
ip_ban->expires = cur->request->start_time + (time_t)config->incorrect_login_cannot_login_delay;
|
||||
time_t expires = cur->request->start_time + (time_t)config->incorrect_login_cannot_login_delay;
|
||||
|
||||
if( ip_ban->expires < expires )
|
||||
ip_ban->expires = expires;
|
||||
|
||||
PT::Date date(ip_ban->expires);
|
||||
log << log2 << "Login: logging from this IP address has been blocked until to: " << date << " UTC" << logend;
|
||||
}
|
||||
else
|
||||
if( config->incorrect_login_cannot_login_mode == 1 )
|
||||
{
|
||||
ip_ban->SetFlag(WINIX_IPBAN_FLAG_ACTIVE);
|
||||
ip_ban->AddNextBanLevel(cur->request->start_time + (time_t)config->ban_level_1_delay,
|
||||
cur->request->start_time + (time_t)config->ban_level_2_delay,
|
||||
cur->request->start_time + (time_t)config->ban_level_3_delay);
|
||||
PT::Date date(ip_ban->expires);
|
||||
log << log2 << "Login: this IP address has been banned until to: " << date << " UTC" << logend;
|
||||
session_manager->IncrementBanLevel(ip_ban);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -215,6 +208,11 @@ bool Login::CannotLoginFrom(const IPBan & ipban)
|
|||
if( ipban.IsIPBanned() )
|
||||
return true;
|
||||
|
||||
/*
|
||||
* if incorrect_login_cannot_login_mode is equal to one then we only
|
||||
* block logging (there is no a ban actually -- neither the active flag is enabled
|
||||
* nor any ban_level is set)
|
||||
*/
|
||||
if( ipban.expires != 0 &&
|
||||
cur->request->start_time < ipban.expires &&
|
||||
ipban.incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
|
||||
|
@ -274,7 +272,7 @@ long user_id;
|
|||
|
||||
if( check_abuse && !CheckAbuse() )
|
||||
{
|
||||
AddBanInfo();
|
||||
CheckBan();
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -291,7 +289,7 @@ long user_id;
|
|||
}
|
||||
else
|
||||
{
|
||||
AddBanInfo();
|
||||
CheckBan();
|
||||
}
|
||||
|
||||
return false;
|
||||
|
|
|
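Review bot: The comment added in `CannotLoginFrom()` says the login-only block applies when `incorrect_login_cannot_login_mode` is equal to one, but CheckBan() in the first hunk does the opposite: mode 0 only raises `expires` (the comment in that branch says the ACTIVE flag is deliberately not set) and mode 1 calls `session_manager->IncrementBanLevel()`, and config.h documents `incorrect_login_cannot_login_delay` as `used when incorrect_login_cannot_login_mode is zero`. The line should read `* if incorrect_login_cannot_login_mode is equal to zero then we only`. Separately, CheckBan() appears to have dropped the unconditional `ip_ban->last_used = cur->request->start_time;` refresh and now stamps `last_used` only when the entry is created; if anything prunes the ban list by `last_used`, a repeat offender with an existing entry would look idle. The `CannotLoginFrom()` body continues past the hunk.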
@ -70,7 +70,7 @@ private:
|
|||
|
||||
void ClearTmpStruct();
|
||||
bool CheckPasswords(const std::wstring & password);
|
||||
void AddBanInfo();
|
||||
void CheckBan();
|
||||
bool CheckAbuse();
|
||||
|
||||
UserPass up, up2;
|
||||
|
|
|
@ -2,7 +2,15 @@
|
|||
|
||||
<h1>{access_denied}</h1>
|
||||
|
||||
<p>{access_denied_msg}</p>
|
||||
<p>{access_denied_msg}
|
||||
|
||||
[if ipban_is_current_ip_banned]
|
||||
<br>
|
||||
{ipban_your_ip_is_banned} [ipban_current_ip_expires_time].
|
||||
[end]
|
||||
|
||||
</p>
|
||||
|
||||
|
||||
</div>
|
||||
|
||||
|
|
|
@ -4,12 +4,15 @@
|
|||
|
||||
[if ipban_tab]
|
||||
|
||||
<table>
|
||||
<table class="ipban_table">
|
||||
|
||||
<tr>
|
||||
<th>{ipban_col_id}</th>
|
||||
<th>{ipban_col_ip_address}</th>
|
||||
<th>{ipban_col_login_failures}</th>
|
||||
<th>{ipban_col_broken_cookie}</th>
|
||||
<th>{ipban_session_hijacking}</th>
|
||||
<th>{ipban_no_session_cookie}</th>
|
||||
<th>{ipban_col_login_allowed}</th>
|
||||
<th>{ipban_col_ban_level}</th>
|
||||
<th>{ipban_col_active_flag}</th>
|
||||
|
@ -24,6 +27,9 @@
|
|||
<td>[ipban_tab_id]</td>
|
||||
<td>[ipban_tab_ip]</td>
|
||||
<td>[ipban_tab_incorrect_login]</td>
|
||||
<td>[ipban_tab_broken_encoded_cookie]</td>
|
||||
<td>[ipban_tab_session_hijacking]</td>
|
||||
<td>[ipban_tab_no_session_cookie]</td>
|
||||
<td>[if ipban_tab_is_logging_allowed]{ipban_loggin_allowed}[else]{ipban_loggin_not_allowed}[end]</td>
|
||||
<td>[ipban_tab_ban_level]</td>
|
||||
<td>[if ipban_tab_has_active_flag]{ipban_has_active_flag}[end]</td>
|
||||
|
|
|
@ -7,9 +7,9 @@
|
|||
<a href="[doc_base_url][if-one dir_can_read_exec][dir][if-any item_is item_can_read][item_url]/[end][else]/[end]logout">{logout}</a></p>
|
||||
[else]
|
||||
|
||||
[if login_cannot_login]
|
||||
[if-no ipban_is_login_allowed_from_this_ip]
|
||||
<p>{login_cannot_login_from_this_ip}<br>
|
||||
{login_cannot_login_available} [login_when_available_login]</p>
|
||||
{login_cannot_login_available} [ipban_current_ip_expires_time]</p>
|
||||
[else]
|
||||
|
||||
<form method="post" action="[login_path]login">
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
winix_function_is "emacs"
|
||||
winix_function_is "env"
|
||||
winix_function_is "imgcrop"
|
||||
winix_function_is "ipban"
|
||||
winix_function_is "last"
|
||||
winix_function_is "ln"
|
||||
winix_function_is "locale"
|
||||
|
|
11
locale/en
11
locale/en
|
@ -164,7 +164,10 @@ ls_no_picture = There are not any pictures in this directory
|
|||
ipban_header = IP Banned
|
||||
ipban_col_id = Id
|
||||
ipban_col_ip_address = IP address
|
||||
ipban_col_login_failures = login failures
|
||||
ipban_col_login_failures = Login failures
|
||||
ipban_col_broken_cookie = Broken cookies
|
||||
ipban_session_hijacking = Session hijacking
|
||||
ipban_no_session_cookie = No session cookie
|
||||
ipban_col_login_allowed = Login allowed
|
||||
ipban_col_ban_level = Ban level
|
||||
ipban_col_active_flag = Active flag
|
||||
|
@ -177,7 +180,7 @@ ipban_has_active_flag = yes
|
|||
ipban_remove_ip = remove
|
||||
ipban_remove_all_ip = Remove all IP's from the list
|
||||
ipban_ban_list_empty = There are not any IP addresses banned at the moment.
|
||||
|
||||
ipban_your_ip_is_banned = Your IP address is banned on this server until to:
|
||||
|
||||
|
||||
man_header = Man
|
||||
|
@ -333,7 +336,9 @@ locale_select = Select language
|
|||
|
||||
|
||||
login_header = Login
|
||||
login_cannot_login_from_this_ip = We are sorry but there were too many incorrect login attempts from your IP address.
|
||||
login_cannot_login_from_this_ip = We are sorry but you cannot login from this IP address.
|
||||
#We are sorry but there were too many incorrect login attempts from your IP address.
|
||||
|
||||
login_cannot_login_available = The login process will be available since:
|
||||
|
||||
|
||||
|
|
16
locale/pl
16
locale/pl
|
@ -168,13 +168,16 @@ ls_no_picture = W tym katalogu nie ma żadnego obrazu
|
|||
|
||||
ipban_header = Lista zbanowanych adresów IP
|
||||
ipban_col_id = L.p.
|
||||
ipban_col_ip_address = adres IP
|
||||
ipban_col_login_failures = nieprawidłowe logowania
|
||||
ipban_col_login_allowed = możliwe logowanie
|
||||
ipban_col_ip_address = Adres IP
|
||||
ipban_col_login_failures = Nieprawidłowe logowania
|
||||
ipban_col_broken_cookie = Popsute ciastka
|
||||
ipban_session_hijacking = Podszywanie pod inną sesje
|
||||
ipban_no_session_cookie = Brak ciastka sesyjnego
|
||||
ipban_col_login_allowed = Możliwe logowanie
|
||||
ipban_col_ban_level = Rodzaj banu
|
||||
ipban_col_active_flag = Flaga active
|
||||
ipban_col_last_used = Ostatnio używany
|
||||
ipban_col_expires = Wygasza
|
||||
ipban_col_expires = Wygasa
|
||||
ipban_col_remove = Usuń
|
||||
ipban_loggin_allowed = tak
|
||||
ipban_loggin_not_allowed = nie
|
||||
|
@ -182,6 +185,7 @@ ipban_has_active_flag = tak
|
|||
ipban_remove_ip = usuń
|
||||
ipban_remove_all_ip = Usuń wszystkie adresy IP z listy
|
||||
ipban_ban_list_empty = W tej chwili nie ma żadnych zbanowanych adresów IP.
|
||||
ipban_your_ip_is_banned = Twój adres IP jest zablokowany aż do:
|
||||
|
||||
|
||||
meta_header = Meta
|
||||
|
@ -353,7 +357,9 @@ locale_select = Wybierz język
|
|||
|
||||
|
||||
login_header = Logowanie
|
||||
login_cannot_login_from_this_ip = Przepraszamy ale z twojego adresu IP było zbyt wiele prób nieprawidłowego logowania.
|
||||
login_cannot_login_from_this_ip = Przepraszamy ale nie możesz się zalogować z tego adresu IP.
|
||||
#Przepraszamy ale z twojego adresu IP było zbyt wiele prób nieprawidłowego logowania.
|
||||
|
||||
login_cannot_login_available = Ponowne logowanie będzie możliwe dopiero od:
|
||||
|
||||
uptime_header = Czas pracy systemu
|
||||
|
|
|
@ -44,6 +44,37 @@ namespace Winix
|
|||
|
||||
namespace TemplatesFunctions
|
||||
{
|
||||
|
||||
|
||||
void ipban_is_current_ip_banned(Info & i)
|
||||
{
|
||||
if( cur->session->ip_ban )
|
||||
{
|
||||
i.res = cur->session->ip_ban->IsIPBanned();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void ipban_current_ip_expires_time(Info & i)
|
||||
{
|
||||
if( cur->session->ip_ban && cur->session->ip_ban->expires != 0 )
|
||||
{
|
||||
PT::Date date = cur->session->ip_ban->expires;
|
||||
i.out << date << " UTC";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void ipban_is_login_allowed_from_this_ip(Info & i)
|
||||
{
|
||||
i.res = !functions->fun_login.CannotLoginFromCurrentIP();
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
static size_t ipban_index;
|
||||
|
||||
|
||||
|
@ -78,6 +109,26 @@ void ipban_tab_incorrect_login(Info & i)
|
|||
}
|
||||
|
||||
|
||||
void ipban_tab_broken_encoded_cookie(Info & i)
|
||||
{
|
||||
if( ipban_index < session_manager->BanListSize() )
|
||||
i.out << session_manager->GetIPBan(ipban_index).broken_encoded_cookie_events;
|
||||
}
|
||||
|
||||
|
||||
void ipban_tab_session_hijacking(Info & i)
|
||||
{
|
||||
if( ipban_index < session_manager->BanListSize() )
|
||||
i.out << session_manager->GetIPBan(ipban_index).session_hijacking_events;
|
||||
}
|
||||
|
||||
|
||||
void ipban_tab_no_session_cookie(Info & i)
|
||||
{
|
||||
if( ipban_index < session_manager->BanListSize() )
|
||||
i.out << session_manager->GetIPBan(ipban_index).no_session_cookie_events;
|
||||
}
|
||||
|
||||
|
||||
void ipban_tab_ban_level(Info & i)
|
||||
{
|
||||
|
|
|
@ -69,25 +69,8 @@ void login_path(Info & i)
|
|||
}
|
||||
|
||||
|
||||
void login_cannot_login(Info & i)
|
||||
{
|
||||
i.res = functions->fun_login.CannotLoginFromCurrentIP();
|
||||
}
|
||||
|
||||
|
||||
void login_when_available_login(Info & i)
|
||||
{
|
||||
if( cur->session->ip_ban &&
|
||||
cur->session->ip_ban->expires != 0 )
|
||||
{
|
||||
PT::Date date(cur->session->ip_ban->expires);
|
||||
i.out << date << " UTC";
|
||||
}
|
||||
else
|
||||
{
|
||||
i.out << locale.Get(L"unknown");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void login_should_use_captcha(Info & i)
|
||||
|
|
|
@ -334,15 +334,21 @@ void Templates::CreateFunctions()
|
|||
/*
|
||||
ipban
|
||||
*/
|
||||
ezc_functions.Insert("ipban_tab", ipban_tab);
|
||||
ezc_functions.Insert("ipban_tab_id", ipban_tab_id);
|
||||
ezc_functions.Insert("ipban_tab_ip", ipban_tab_ip);
|
||||
ezc_functions.Insert("ipban_tab_incorrect_login", ipban_tab_incorrect_login);
|
||||
ezc_functions.Insert("ipban_tab_ban_level", ipban_tab_ban_level);
|
||||
ezc_functions.Insert("ipban_tab_has_active_flag", ipban_tab_has_active_flag);
|
||||
ezc_functions.Insert("ipban_tab_expires", ipban_tab_expires);
|
||||
ezc_functions.Insert("ipban_tab_last_used", ipban_tab_last_used);
|
||||
ezc_functions.Insert("ipban_tab_is_logging_allowed", ipban_tab_is_logging_allowed);
|
||||
ezc_functions.Insert("ipban_is_current_ip_banned", ipban_is_current_ip_banned);
|
||||
ezc_functions.Insert("ipban_current_ip_expires_time", ipban_current_ip_expires_time);
|
||||
ezc_functions.Insert("ipban_is_login_allowed_from_this_ip", ipban_is_login_allowed_from_this_ip);
|
||||
ezc_functions.Insert("ipban_tab", ipban_tab);
|
||||
ezc_functions.Insert("ipban_tab_id", ipban_tab_id);
|
||||
ezc_functions.Insert("ipban_tab_ip", ipban_tab_ip);
|
||||
ezc_functions.Insert("ipban_tab_incorrect_login", ipban_tab_incorrect_login);
|
||||
ezc_functions.Insert("ipban_tab_broken_encoded_cookie", ipban_tab_broken_encoded_cookie);
|
||||
ezc_functions.Insert("ipban_tab_session_hijacking", ipban_tab_session_hijacking);
|
||||
ezc_functions.Insert("ipban_tab_no_session_cookie", ipban_tab_no_session_cookie);
|
||||
ezc_functions.Insert("ipban_tab_ban_level", ipban_tab_ban_level);
|
||||
ezc_functions.Insert("ipban_tab_has_active_flag", ipban_tab_has_active_flag);
|
||||
ezc_functions.Insert("ipban_tab_expires", ipban_tab_expires);
|
||||
ezc_functions.Insert("ipban_tab_last_used", ipban_tab_last_used);
|
||||
ezc_functions.Insert("ipban_tab_is_logging_allowed", ipban_tab_is_logging_allowed);
|
||||
|
||||
|
||||
/*
|
||||
|
@ -461,10 +467,8 @@ void Templates::CreateFunctions()
|
|||
/*
|
||||
login
|
||||
*/
|
||||
ezc_functions.Insert("login_path", login_path);
|
||||
ezc_functions.Insert("login_cannot_login", login_cannot_login);
|
||||
ezc_functions.Insert("login_when_available_login", login_when_available_login);
|
||||
ezc_functions.Insert("login_should_use_captcha", login_should_use_captcha);
|
||||
ezc_functions.Insert("login_path", login_path);
|
||||
ezc_functions.Insert("login_should_use_captcha", login_should_use_captcha);
|
||||
|
||||
|
||||
/*
|
||||
|
|
|
@ -247,10 +247,16 @@ namespace TemplatesFunctions
|
|||
/*
|
||||
ipban
|
||||
*/
|
||||
void ipban_is_current_ip_banned(Info & i);
|
||||
void ipban_current_ip_expires_time(Info & i);
|
||||
void ipban_is_login_allowed_from_this_ip(Info & i);
|
||||
void ipban_tab(Info & i);
|
||||
void ipban_tab_id(Info & i);
|
||||
void ipban_tab_ip(Info & i);
|
||||
void ipban_tab_incorrect_login(Info & i);
|
||||
void ipban_tab_broken_encoded_cookie(Info & i);
|
||||
void ipban_tab_session_hijacking(Info & i);
|
||||
void ipban_tab_no_session_cookie(Info & i);
|
||||
void ipban_tab_ban_level(Info & i);
|
||||
void ipban_tab_has_active_flag(Info & i);
|
||||
void ipban_tab_expires(Info & i);
|
||||
|
@ -376,8 +382,6 @@ namespace TemplatesFunctions
|
|||
login
|
||||
*/
|
||||
void login_path(Info & i);
|
||||
void login_cannot_login(Info & i);
|
||||
void login_when_available_login(Info & i);
|
||||
void login_should_use_captcha(Info & i);
|
||||
|
||||
|
||||
|
|