added: possibility to ban if a session cookie is incorrect (when we are using encoded cookies)
added: possibility to ban if a client tries to hijack the session cookie
added: possibility to ban if a client did not send a session cookie
renamed: ezc functions:
login_cannot_login -> ipban_is_login_allowed_from_this_ip (and the return value was changed)
login_when_available_login -> ipban_current_ip_expires_time
added: config options:
// after how many broken encoded cookie we should ban the current IP
// default: 2 (value in the range <0 - 65535>)
size_t broken_encoded_cookie_treshold;
// after how many incorrect session identifiers (or session indices) we should ban the current IP
// do not set this value too low, as people connecting from the same IP address (from behind a NAT)
// would be banned if they have an old session cookie remembered in the browser
// default: 128 (value in the range <0 - 65535>)
size_t session_hijacking_treshold;
// after how many requests without a session cookie the client's IP will be banned
// default: 1000 (value in the range <0 - 65535>)
size_t no_session_cookie_treshold;
git-svn-id: svn://ttmath.org/publicrep/winix/trunk@995 e52654a7-88a9-db11-a3e9-0013d4bc506e
@@ -139,45 +139,38 @@ return result;
|
||||
|
||||
|
||||
|
||||
void Login::AddBanInfo()
|
||||
void Login::CheckBan()
|
||||
{
|
||||
IPBan * ip_ban = cur->session->ip_ban;
|
||||
|
||||
if( !ip_ban )
|
||||
ip_ban = &session_manager->AddIPToBanList(cur->request->ip);
|
||||
|
||||
ip_ban->last_used = cur->request->start_time;
|
||||
|
||||
if( ip_ban->expires != 0 && cur->request->start_time >= ip_ban->expires )
|
||||
{
|
||||
// the 'ip block' has expired
|
||||
ip_ban->ClearAfterRemovingBan();
|
||||
log << log3 << "Login: removing the IP block for logging" << logend;
|
||||
ip_ban = &session_manager->AddIPToBanList(cur->request->ip, cur->request->start_time);
|
||||
cur->session->ip_ban = ip_ban;
|
||||
}
|
||||
|
||||
if( ip_ban->incorrect_login_events < config->incorrect_login_cannot_login_treshold )
|
||||
{
|
||||
ip_ban->incorrect_login_events += 1;
|
||||
|
||||
if( ip_ban->incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
|
||||
}
|
||||
else
|
||||
{
|
||||
log << log2 << "Login: too many incorrect login attempts from this IP" << logend;
|
||||
|
||||
if( config->incorrect_login_cannot_login_mode == 0 )
|
||||
{
|
||||
// don't set WINIX_IPBAN_FLAG_ACTIVE here for IPBan::IsIPBanned() to return false (in CannotLoginFrom)
|
||||
ip_ban->expires = cur->request->start_time + (time_t)config->incorrect_login_cannot_login_delay;
|
||||
time_t expires = cur->request->start_time + (time_t)config->incorrect_login_cannot_login_delay;
|
||||
|
||||
if( ip_ban->expires < expires )
|
||||
ip_ban->expires = expires;
|
||||
|
||||
PT::Date date(ip_ban->expires);
|
||||
log << log2 << "Login: logging from this IP address has been blocked until to: " << date << " UTC" << logend;
|
||||
}
|
||||
else
|
||||
if( config->incorrect_login_cannot_login_mode == 1 )
|
||||
{
|
||||
ip_ban->SetFlag(WINIX_IPBAN_FLAG_ACTIVE);
|
||||
ip_ban->AddNextBanLevel(cur->request->start_time + (time_t)config->ban_level_1_delay,
|
||||
cur->request->start_time + (time_t)config->ban_level_2_delay,
|
||||
cur->request->start_time + (time_t)config->ban_level_3_delay);
|
||||
PT::Date date(ip_ban->expires);
|
||||
log << log2 << "Login: this IP address has been banned until to: " << date << " UTC" << logend;
|
||||
session_manager->IncrementBanLevel(ip_ban);
|
||||
}
|
||||
}
|
||||
}
|
||||
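Review bot: In CheckBan the failed attempt that raises `incorrect_login_events` up to `incorrect_login_cannot_login_treshold` takes no action: the `< treshold` branch only increments, and the expiry/ban in the `else` branch is applied on the following failed attempt, so an IP gets one failed login more than the configured threshold before CannotLoginFrom (which requires `expires != 0`) starts rejecting it. Incrementing first and then re-testing the counter closes that gap: `if( ip_ban->incorrect_login_events < config->incorrect_login_cannot_login_treshold ) ip_ban->incorrect_login_events += 1;` followed by `if( ip_ban->incorrect_login_events >= config->incorrect_login_cannot_login_treshold ) { ... }` in place of the current `else`. The dangling `if( ip_ban->incorrect_login_events >= ... )` printed just above the closing brace looks like a removed old-side line, which suggests the old code did react at that point; worth confirming the omission is intended rather than a slip of the rename. The counter behaviour once above the threshold is unchanged by this, since the increment still only runs while below it.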
@@ -215,6 +208,11 @@ bool Login::CannotLoginFrom(const IPBan & ipban)
|
||||
if( ipban.IsIPBanned() )
|
||||
return true;
|
||||
|
||||
/*
|
||||
* if incorrect_login_cannot_login_mode is equal to one then we only
|
||||
* block logging (there is no a ban actually -- neither the active flag is enabled
|
||||
* nor any ban_level is set)
|
||||
*/
|
||||
if( ipban.expires != 0 &&
|
||||
cur->request->start_time < ipban.expires &&
|
||||
ipban.incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
|
||||
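Review bot: The new comment in CannotLoginFrom says the logging-only block applies when `incorrect_login_cannot_login_mode` is equal to one, but CheckBan in this same commit treats mode 0 as the expiry-only block (it deliberately leaves WINIX_IPBAN_FLAG_ACTIVE unset so IsIPBanned() stays false) and mode 1 as the real ban with SetFlag(WINIX_IPBAN_FLAG_ACTIVE) and a ban level. If IsIPBanned() reflects that flag, as the CheckBan comment says, the `IsIPBanned()` check above already returns true for mode 1 and the condition after the comment is only reachable in mode 0, so the comment should read `if incorrect_login_cannot_login_mode is equal to zero then we only block logging (there is no ban actually -- neither the active flag is set nor any ban level)`. A wrong mode number here is the kind of note a later maintainer will trust when tuning the ban policy. CannotLoginFrom's body continues outside the hunk.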
@@ -274,7 +272,7 @@ long user_id;
|
||||
|
||||
if( check_abuse && !CheckAbuse() )
|
||||
{
|
||||
AddBanInfo();
|
||||
CheckBan();
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -291,7 +289,7 @@ long user_id;
|
||||
}
|
||||
else
|
||||
{
|
||||
AddBanInfo();
|
||||
CheckBan();
|
||||
}
|
||||
|
||||
return false;
|
||||
|
||||
@@ -70,7 +70,7 @@ private:
|
||||
|
||||
void ClearTmpStruct();
|
||||
bool CheckPasswords(const std::wstring & password);
|
||||
void AddBanInfo();
|
||||
void CheckBan();
|
||||
bool CheckAbuse();
|
||||
|
||||
UserPass up, up2;
|
||||
|
||||