• Leigh Stoller's avatar
    Add web login attack detection/prevention. Two changes: · b1de9fb2
    Leigh Stoller authored
    * Add slots to users table to track number of failures in the last N
      seconds. If a threshold is passed (currently 4 failures in the last
      minute), the web login is disabled. Note that I do not disable the
      ops shell login at this time. Aging is passive; the values are cleared
      when login is successful, or when more then one minute has passed
      since the last failure. In other words, a burst of failures will
      disable the login, but failures over time are okay.
    
    * Add login_failures table to do exactly the same as above, except it
      is on an IP basis (REMOTE_ADDR in the server). Currently the
      threshold is 8 failures in the last two minutes, at which time all
      logins from that IP are disabled.
    
    In both cases email is sent to tbops (and the user).
    
    The constants are defined at the top of www/tbauth.in, rather then as
    site variables, to avoid pounding the DB when an attack is being
    launched.
    
    To clear a user freeze, go to the user profile page and use the
    "toggle" near the bottom.
    
    To clear an IP freeze: delete from login_failures were IP='1.1.1.1'
    b1de9fb2
toggle.php 3.3 KB