Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1065 Commits
2 Branches
Tree: b4fb8c0c52
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4fb8c0c52'
${ noResults }
Gazelle/classes/loginwatch.class.php

loginwatch.class.php 7.9KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305 
  1. <?php

  2. declare(strict_types = 1);

  3. 

  4. /**

  5.  * Adapted from

  6.  * https://github.com/OPSnet/Gazelle/blob/master/app/LoginWatch.php

  7.  *

  8.  * Unknown status as of 2020-12-12

  9.  */

  10. 

  11. class LoginWatch

  12. {

  13.     protected $watchId;

  14. 

  15.     /**

  16.      * Set the context of a watched IP address (to save passing it in to each method call).

  17.      * On a virgin login with no previous errors there may not even be a watch yet

  18.      * @param int ID of the watch

  19.      */

  20.     public function setWatch($watchId)

  21.     {

  22.         if (!is_null($watchId)) {

  23.             $this->watchId = $watchId;

  24.         }

  25.         return $this;

  26.     }

  27. 

  28.     /**

  29.      * Find a login watch by IP address

  30.      * @param string IPv4 address

  31.      * @return array [watchId, nrAttemtps, nrBans, bannedUntil]

  32.      */

  33.     public function findByIp(string $ipaddr): ?array

  34.     {

  35.         # Default: remote host

  36.         if (empty($ipaddr)) {

  37.             $ipaddr = $_SERVER['REMOTE_ADDR'];

  38.         }

  39. 

  40.         return G::$DB->row("

  41.         SELECT

  42.           `ID`,

  43.           `Attempts`,

  44.           `Bans`,

  45.           `BannedUntil`

  46.         FROM

  47.           `login_attempts`

  48.         WHERE

  49.           `IP` = '$ipaddr'

  50.         ");

  51.     }

  52. 

  53.     /**

  54.      * Create a new login watch on an userid/username/ipaddress

  55.      * @param string IPv4 address

  56.      * @param string|null $capture The username captured on the form

  57.      * @param int $userId

  58.      * @return int ID of watch

  59.      */

  60.     public function create(string $ipaddr, ?string $capture, int $userId = 0)

  61.     {

  62.         G::$DB->prepare_query("

  63.         INSERT INTO `login_attempts`(`IP`, `Capture`, `UserID`)

  64.         VALUES('$ipaddr', '$capture', '$userId')

  65.         ");

  66. 

  67.         G::$DB->exec_prepared_query();

  68.         return ($this->watchId = G::$DB->inserted_id());

  69.     }

  70. 

  71.     /**

  72.      * Record another failure attempt on this watch. If the user has not

  73.      * logged in recently from this IP address then subsequent logins

  74.      * will be blocked for increasingly longer times, otherwise 1 minute.

  75.      *

  76.      * @param int $userId The ID of the user

  77.      * @param string $ipaddr The IP the user is coming from

  78.      * @param string $capture The username captured on the form

  79.      * @return int 1 if the watch was updated

  80.      */

  81.     public function increment(int $userId, string $ipaddr, ?string $capture): int

  82.     {

  83.         $seen = G::$DB->query("

  84.         SELECT

  85.           1

  86.         FROM

  87.           `users_history_ips`

  88.         WHERE

  89.           (

  90.             `EndTime` IS NULL

  91.             OR `EndTime` > NOW() - INTERVAL 1 WEEK

  92.           )

  93.           AND `UserID` = '$userId'

  94.           AND `IP` = '$ipaddr'

  95.         ");

  96. 

  97.         $delay = $seen ? 60 : LOGIN_ATTEMPT_BACKOFF[min($this->nrAttempts(), count(LOGIN_ATTEMPT_BACKOFF)-1)];

  98.         G::$DB->prepare_query("

  99.             UPDATE `login_attempts` SET

  100.                 `Attempts` = `Attempts` + 1,

  101.                 `LastAttempt` = now(),

  102.                 `BannedUntil` = now() + INTERVAL '$delay' SECOND,

  103.                 `UserID` = '$userId',

  104.                 `Capture` ='$capture' 

  105.             WHERE `ID` = '$this->watchId' 

  106.             ");

  107.         return G::$DB->affected_rows();

  108.     }

  109. 

  110.     /**

  111.      * Ban subsequent attempts to login from this watched IP address for 6 hours

  112.      * @param int $attempts How many attempts so far?

  113.      * @param string the username captured on the form (which may not even be a valid user)

  114.      * @param int $userId user ID of a valid user (or 0 if invalid username)

  115.      * @return int 1 if the watch was banned

  116.      */

  117.     public function ban(int $attempts, ?string $capture, int $userId = 0): int

  118.     {

  119.         G::$DB->prepare_query("

  120.         UPDATE

  121.           `login_attempts`

  122.         SET

  123.           `Bans` = `Bans` + 1,

  124.           `LastAttempt` = NOW(),

  125.           `BannedUntil` = NOW() + INTERVAL 6 HOUR,

  126.           `Attempts` = '$attempts',

  127.           `Capture` = '$capture',

  128.           `UserID` = '$userId'

  129.         WHERE

  130.           `ID` = '$this->watchId'

  131.         ");

  132. 

  133.         G::$DB->exec_prepared_query();

  134.         return G::$DB->affected_rows();

  135.     }

  136. 

  137.     /**

  138.      * When does the login ban expire?

  139.      * @return string datestamp of expiry

  140.      */

  141.     public function bannedUntil(): ?string

  142.     {

  143.         return G::$DB->scalar("

  144.         SELECT

  145.           `BannedUntil`

  146.         FROM

  147.           `login_attempts`

  148.         WHERE

  149.           `ID` = '$this->watchId'

  150.         ");

  151.     }

  152. 

  153.     /**

  154.      * If the login ban was in the past then they get 6 more shots

  155.      * @return int 1 if a prior ban was cleared

  156.      */

  157.     public function clearPriorBan(): int

  158.     {

  159.         G::$DB->prepare_query("

  160.         UPDATE

  161.           `login_attempts`

  162.         SET

  163.           `BannedUntil` = NULL,

  164.           `Attempts` = 0

  165.         WHERE

  166.           `BannedUntil` < NOW()

  167.           AND `ID` = '$this->watchId'

  168.         ");

  169. 

  170.         G::$DB->exec_prepared_query();

  171.         return G::$DB->affected_rows();

  172.     }

  173. 

  174.     /**

  175.      * If the login was successful, clear prior attempts

  176.      * @return int 1 if an update was made

  177.      */

  178.     public function clearAttempts(): int

  179.     {

  180.         G::$DB->prepare_query("

  181.         UPDATE

  182.           `login_attempts`

  183.         SET

  184.           `Attempts` = 0

  185.         WHERE

  186.           `ID` = '$this->watchId'

  187.         ");

  188. 

  189.         G::$DB->exec_prepared_query();

  190.         return $this->db->affected_rows();

  191.     }

  192. 

  193.     /**

  194.      * How many attempts have been made on this watch?

  195.      * @return int Number of attempts

  196.      */

  197.     public function nrAttempts(): int

  198.     {

  199.         return (int) G::$DB->scalar("

  200.         SELECT

  201.           `Attempts`

  202.         FROM

  203.           `login_attempts`

  204.         WHERE

  205.           `ID` = '$this->watchId'

  206.         ") ?? 0;

  207.     }

  208. 

  209.     /**

  210.      * Get the list of login failures

  211.      * @return array list [ID, ipaddr, userid, LastAttempt (datetime), Attempts, BannedUntil (datetime), Bans]

  212.      */

  213.     public function activeList(string $orderBy, string $orderWay): array

  214.     {

  215.         G::$DB->prepare_query("

  216.         SELECT

  217.           w.`ID` AS id,

  218.           w.`IP` AS ipaddr,

  219.           w.`UserID` AS user_id,

  220.           w.`LastAttempt` AS last_attempt,

  221.           w.`Attempts` AS attempts,

  222.           w.`BannedUntil` AS banned_until,

  223.           w.`Bans` AS bans,

  224.           w.`Capture`,

  225.           um.`Username` AS username,

  226.           (ip.`FromIP` IS NOT NULL) AS banned

  227.         FROM

  228.           `login_attempts` w

  229.         LEFT JOIN `users_main` um ON

  230.           (um.`ID` = w.`UserID`)

  231.         LEFT JOIN `ip_bans` ip ON

  232.           (ip.`FromIP` = INET_ATON(w.`IP`))

  233.         WHERE

  234.           (

  235.             w.`BannedUntil` > NOW()

  236.             OR w.`LastAttempt` > NOW() - INTERVAL 6 HOUR

  237.           )

  238.         ORDER BY

  239.           '$orderBy' '$orderWay'

  240.         ");

  241. 

  242.         G::$DB->exec_prepared_query();

  243.         return G::$DB->to_array('id', MYSQLI_ASSOC, false);

  244.     }

  245. 

  246.     /**

  247.      * Ban the IP addresses pointed to by the IDs that are on login watch.

  248.      * @param array list of IDs to ban.

  249.      * @return number of addresses banned

  250.      */

  251.     public function setBan(int $userId, string $reason, array $list): int

  252.     {

  253.         if (!$list) {

  254.             return 0;

  255.         }

  256. 

  257.         $reason = trim($reason);

  258.         $n = 0;

  259. 

  260.         foreach ($list as $id) {

  261.             $ipv4 = G::$DB->scalar("

  262.             SELECT

  263.               INET_ATON(`IP`)

  264.             FROM

  265.               `login_attempts`

  266.             WHERE

  267.               `ID` = '$id'

  268.             ");

  269. 

  270.             G::$DB->prepared_query("

  271.             INSERT IGNORE

  272.             INTO `ip_bans`(`UserID`, `Reason`, `FromIP`, `ToIP`)

  273.             VALUES('$userId', '$reason', '$ipv4', '$ipv4')

  274.             ");

  275. 

  276.             G::$DB->exec_prepared_query();

  277.             $n += $this->db->affected_rows();

  278.         }

  279. 

  280.         return $n;

  281.     }

  282. 

  283.     /**

  284.      * Clear the list of IDs that are on login watch.

  285.      * @param array list of IDs to clear.

  286.      * @return number of rows removed

  287.      */

  288.     public function setClear(array $list): int

  289.     {

  290.         if (!$list) {

  291.             return 0;

  292.         }

  293. 

  294.         G::$DB->prepare_query("

  295.         DELETE

  296.         FROM

  297.           `login_attempts`

  298.         WHERE

  299.           `ID` IN(".placeholders($list).")

  300.         ", ...$list);

  301. 

  302.         G::$DB->exec_prepared_query();

  303.         return G::$DB->affected_rows();

  304.     }

  305. }