Slimmer bruteforce prevention

sections/login/index.php

@@ -180,7 +180,7 @@ if (isset($_REQUEST['act']) && $_REQUEST['act'] == 'recover') {
 
     // Either a form for the user's email address, or a success message
     require('recover_step1.php');
-  } // End if (step 1)
+  }
 
 } // End password recovery
 
@@ -189,81 +189,24 @@ else {
   $Validate->SetFields('username', true, 'regex', 'You did not enter a valid username.', array('regex' => USERNAME_REGEX));
   $Validate->SetFields('password', '1', 'string', 'You entered an invalid password.', array('minlength' => '6', 'maxlength' => '307200'));
 
-  $DB->query("
-    SELECT ID, Attempts, Bans, BannedUntil
-    FROM login_attempts
-    WHERE IP = '".db_string($_SERVER['REMOTE_ADDR'])."'");
-  // Todo: handle IP encryption
-  list($AttemptID, $Attempts, $Bans, $BannedUntil) = $DB->next_record();
+  list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']));
 
   // Function to log a user's login attempt
-  function log_attempt($UserID) {
-    global $DB, $Cache, $AttemptID, $Attempts, $Bans, $BannedUntil;
-    if (!apc_exists('DBKEY')) { return; }
-    $IPStr = $_SERVER['REMOTE_ADDR'];
-    $IPA = substr($IPStr, 0, strcspn($IPStr, '.'));
-    $IP = Tools::ip_to_unsigned($IPStr);
-    if ($AttemptID) { // User has attempted to log in recently
-      $Attempts++;
-      if ($Attempts > 5) { // Only 6 allowed login attempts, ban user's IP
-        $BannedUntil = time_plus(60 * 60 * 6);
-        $DB->query("
-          UPDATE login_attempts
-          SET
-            LastAttempt = '".sqltime()."',
-            Attempts = '".db_string($Attempts)."',
-            BannedUntil = '".db_string($BannedUntil)."',
-            Bans = Bans + 1
-          WHERE ID = '".db_string($AttemptID)."'");
-
-        if ($Bans > 9) { // Automated bruteforce prevention
-          $DB->query("
-            SELECT Reason
-            FROM ip_bans
-            WHERE $IP BETWEEN FromIP AND ToIP");
-          if ($DB->has_results()) {
-            //Ban exists already, only add new entry if not for same reason
-            list($Reason) = $DB->next_record(MYSQLI_BOTH, false);
-            if ($Reason != 'Automated ban per >60 failed login attempts') {
-              $DB->query("
-                UPDATE ip_bans
-                SET Reason = CONCAT('Automated ban per >60 failed login attempts AND ', Reason)
-                WHERE FromIP = $IP
-                  AND ToIP = $IP");
-            }
-          } else {
-            //No ban
-            $DB->query("
-              INSERT IGNORE INTO ip_bans
-                (FromIP, ToIP, Reason)
-              VALUES
-                ('".$IP."','".$IP."', 'Automated ban per >60 failed login attempts')");
-            $Cache->delete_value("ip_bans_$IPA");
-          }
-        }
-      } else {
-        // User has attempted fewer than 6 logins
-        $DB->query("
-          UPDATE login_attempts
-          SET
-            LastAttempt = '".sqltime()."',
-            Attempts = '".db_string($Attempts)."',
-            BannedUntil = '0000-00-00 00:00:00'
-          WHERE ID = '".db_string($AttemptID)."'");
-      }
-    } else { // User has not attempted to log in recently
-      $Attempts = 1;
-      $DB->query("
-        INSERT INTO login_attempts
-          (UserID, IP, LastAttempt, Attempts)
-        VALUES
-          ('".db_string($UserID)."', '".db_string(DBCrypt::encrypt($IPStr))."', '".sqltime()."', 1)");
+  function log_attempt() {
+    global $DB, $Cache, $Attempts;
+    $Attempts = ($Attempts ?? 0) + 1;
+    $Cache->cache_value('login_attempts_'.db_string($_SERVER['REMOTE_ADDR']), array($Attempts, ($Attempts > 5)), 60*60*$Attempts);
+    $AllAttempts = $Cache->get_value('login_attempts');
+    $AllAttempts[$_SERVER['REMOTE_ADDR']] = time()+(60*60*$Attempts);
+    foreach($AllAttempts as $IP => $Time) {
+      if ($Time < time()) { unset($AllAttempts[$IP]); }
     }
-  } // end log_attempt function
+    $Cache->cache_value('login_attempts', $AllAttempts, 0);
+  }
 
   // If user has submitted form
   if (isset($_POST['username']) && !empty($_POST['username']) && isset($_POST['password']) && !empty($_POST['password'])) {
-    if (strtotime($BannedUntil) > time()) {
+    if ($Banned) {
       header("Location: login.php");
       die();
     }
@@ -282,7 +225,7 @@ else {
         WHERE Username = '".db_string($_POST['username'])."'
           AND Username != ''");
       list($UserID, $PermissionID, $CustomPermissions, $PassHash, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2));
-      if (strtotime($BannedUntil) < time()) {
+      if (!$Banned) {
         if ($UserID && Users::check_password($_POST['password'], $PassHash)) {
           // Update hash if better algorithm available
           if (password_needs_rehash($PassHash, PASSWORD_DEFAULT)) {
@@ -303,7 +246,6 @@ else {
               setcookie('session', $Cookie, 0, '/', '', true, true);
             }
 
-            //TODO: another tracker might enable this for donors, I think it's too stupid to bother adding that
             // Because we <3 our staff
             $Permissions = Permissions::get_permissions($PermissionID);
             $CustomPermissions = unserialize($CustomPermissions);
@@ -348,7 +290,7 @@ else {
               die();
             }
           } else {
-            log_attempt($UserID);
+            log_attempt();
             if ($Enabled == 2) {
 
               // Save the username in a cookie for the disabled page
@@ -360,19 +302,19 @@ else {
             setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
           }
         } else {
-          log_attempt($UserID);
+          log_attempt();
 
           $Err = 'Your username or password was incorrect.';
           setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
         }
 
       } else {
-        log_attempt($UserID);
+        log_attempt();
         setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
       }
 
     } else {
-      log_attempt('0');
+      log_attempt();
       setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
     }
   }

sections/login/login.php

@@ -2,18 +2,10 @@
   <span id="no-cookies" class="hidden warning">You appear to have cookies disabled.<br /><br /></span>
   <noscript><span class="warning"><?=SITE_NAME?> requires JavaScript to function properly. Please enable JavaScript in your browser.</span><br /><br /></noscript>
 <?
-if (strtotime($BannedUntil) < time()) {
+if (!$Banned) {
 ?>
   <form class="auth_form" name="login" id="loginform" method="post" action="login.php">
 <?
-
-  if (!empty($BannedUntil) && $BannedUntil != '0000-00-00 00:00:00') {
-    $DB->query("
-      UPDATE login_attempts
-      SET BannedUntil = '0000-00-00 00:00:00', Attempts = '0'
-      WHERE ID = '".db_string($AttemptID)."'");
-    $Attempts = 0;
-  }
   if (isset($Err)) {
 ?>
   <span class="warning"><?=$Err?><br /><br /></span>
@@ -48,7 +40,7 @@ if (strtotime($BannedUntil) < time()) {
 <?
 } else {
 ?>
-  <span class="warning">You are banned from logging in for another <?=time_diff($BannedUntil)?>.</span>
+  <span class="warning">You are banned from logging in for a few hours.</span>
 <?
 }
 

sections/schedule/hourly/lower_login_attempts.php

@@ -1,11 +0,0 @@
-<?
-//------------- Lower Login Attempts ------------------------------------//
-
-$DB->query("
-  UPDATE login_attempts
-  SET Attempts = Attempts - 1
-  WHERE Attempts > 0");
-$DB->query("
-  DELETE FROM login_attempts
-  WHERE LastAttempt < '".time_minus(3600 * 24 * 90)."'");
-?>

sections/tools/managers/login_watch.php

@@ -3,27 +3,22 @@ if (!check_perms('admin_login_watch')) {
   error(403);
 }
 
-if (isset($_POST['submit']) && isset($_POST['id']) && $_POST['submit'] == 'Unban' && is_number($_POST['id'])) {
+if (isset($_POST['submit']) && isset($_POST['ip']) && $_POST['submit'] == 'Unban') {
   authorize();
-  $DB->query('
-    DELETE FROM login_attempts
-    WHERE ID = '.$_POST['id']);
+  $Cache->delete_value('login_attempts_'.$_POST['ip']);
 }
 
 View::show_header('Login Watch');
 
-$DB->query('
-  SELECT
-    ID,
-    IP,
-    UserID,
-    LastAttempt,
-    Attempts,
-    BannedUntil,
-    Bans
-  FROM login_attempts
-  WHERE BannedUntil > "'.sqltime().'"
-  ORDER BY BannedUntil ASC');
+$AttemptIPs = $Cache->get_value('login_attempts');
+$AllAttempts = array();
+foreach($AttemptIPs as $IP => $Time) {
+  if (time() > $Time) { continue; }
+  list($Attempts, $Banned) = $Cache->get_value('login_attempts_'.$IP);
+  if (!isset($Attempts) && !isset($Banned)) { continue; }
+  $AllAttempts[] = [$IP, $Attempts, $Banned, $Time];
+}
+
 ?>
 <div class="thin">
   <div class="header">
@@ -32,26 +27,26 @@ $DB->query('
   <table width="100%">
     <tr class="colhead">
       <td>IP</td>
-      <td>User</td>
-      <td>Bans</td>
-      <td>Remaining</td>
+      <td>Attempts</td>
+      <td>Banned</td>
+      <td>Time</td>
       <td>Submit</td>
 <?  if (check_perms('admin_manage_ipbans')) { ?>
       <td>Submit</td>
 <?  } ?>
     </tr>
 <?
-while (list($ID, $IP, $UserID, $LastAttempt, $Attempts, $BannedUntil, $Bans) = $DB->next_record()) {
+while (list($IP, $Attempts, $Banned, $BannedUntil) = array_shift($AllAttempts)) {
 ?>
     <tr class="row">
       <td>
         <?=$IP?>
       </td>
       <td>
-        <? if ($UserID != 0) { echo Users::format_username($UserID, true, true, true, true); } ?>
+        <?=$Attempts?>
       </td>
       <td>
-        <?=$Bans?>
+        <?=($Banned?'Yes':'No')?>
       </td>
       <td>
         <?=time_diff($BannedUntil)?>
@@ -59,7 +54,7 @@ while (list($ID, $IP, $UserID, $LastAttempt, $Attempts, $BannedUntil, $Bans) = $
       <td>
         <form class="manage_form" name="bans" action="" method="post">
           <input type="hidden" name="auth" value="<?=$LoggedUser['AuthKey']?>" />
-          <input type="hidden" name="id" value="<?=$ID?>" />
+          <input type="hidden" name="ip" value="<?=$IP?>" />
           <input type="hidden" name="action" value="login_watch" />
           <input type="submit" name="submit" value="Unban" />
         </form>
@@ -68,11 +63,10 @@ while (list($ID, $IP, $UserID, $LastAttempt, $Attempts, $BannedUntil, $Bans) = $
       <td>
         <form class="manage_form" name="bans" action="" method="post">
           <input type="hidden" name="auth" value="<?=$LoggedUser['AuthKey']?>" />
-          <input type="hidden" name="id" value="<?=$ID?>" />
           <input type="hidden" name="action" value="ip_ban" />
           <input type="hidden" name="start" value="<?=$IP?>" />
           <input type="hidden" name="end" value="<?=$IP?>" />
-          <input type="hidden" name="notes" value="Banned per <?=$Bans?> bans on login watch." />
+          <input type="hidden" name="notes" value="Banned per <?=$Attempts?> bans on login watch." />
           <input type="submit" name="submit" value="IP Ban" />
         </form>
       </td>