Add web login attack detection/prevention. Two changes:
* Add slots to users table to track number of failures in the last N seconds. If a threshold is passed (currently 4 failures in the last minute), the web login is disabled. Note that I do not disable the ops shell login at this time. Aging is passive; the values are cleared when login is successful, or when more then one minute has passed since the last failure. In other words, a burst of failures will disable the login, but failures over time are okay. * Add login_failures table to do exactly the same as above, except it is on an IP basis (REMOTE_ADDR in the server). Currently the threshold is 8 failures in the last two minutes, at which time all logins from that IP are disabled. In both cases email is sent to tbops (and the user). The constants are defined at the top of www/tbauth.in, rather then as site variables, to avoid pounding the DB when an attack is being launched. To clear a user freeze, go to the user profile page and use the "toggle" near the bottom. To clear an IP freeze: delete from login_failures were IP='22.214.171.124'
Showing with 162 additions and 20 deletions