plugins/AntiBrute/AntiBrutePlugin.php

   1 <?php
   2
   3 if (!defined('GNUSOCIAL')) { exit(1); }
   4
   5 class AntiBrutePlugin extends Plugin {
   6     protected $failed_attempts = 0;
   7     protected $unauthed_user = null;
   8     protected $client_ip = null;
   9
  10     const FAILED_LOGIN_IP_SECTION = 'failed_login_ip';
  11
  12     public function onStartCheckPassword($nickname, $password, &$authenticatedUser)
  13     {
  14         if (common_is_email($nickname)) {
  15             $this->unauthed_user = User::getKV('email', common_canonical_email($nickname));
  16         } else {
  17             $this->unauthed_user = User::getKV('nickname', Nickname::normalize($nickname));
  18         }
  19
  20         if (!$this->unauthed_user instanceof User) {
  21             // Unknown username continue processing StartCheckPassword (maybe uninitialized LDAP user etc?)
  22             return true;
  23         }
  24
  25         // This probably needs some work. For example with IPv6 you can easily generate new IPs...
  26         $client_ip = common_client_ip();
  27         $this->client_ip = $client_ip[0] ?: $client_ip[1];   // [0] is proxy, [1] should be the real IP
  28         $this->failed_attempts = (int)$this->unauthed_user->getPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip);
  29         switch (true) {
  30         case $this->failed_attempts >= 5:
  31             common_log(LOG_WARNING, sprintf('Multiple failed login attempts for user %s from IP %s - brute force attack?',
  32                                  $this->unauthed_user->getNickname(), $this->client_ip));
  33             // 5 seconds is a good max waiting time anyway...
  34             sleep($this->failed_attempts % 5 + 1);
  35             break;
  36         case $this->failed_attempts > 0:
  37             common_debug(sprintf('Previously failed login on user %s from IP %s - sleeping %u seconds.',
  38                                  $this->unauthed_user->getNickname(), $this->client_ip, $this->failed_attempts));
  39             sleep($this->failed_attempts);
  40             break;
  41         default:
  42             // No sleeping if it's our first failed attempt.
  43         }
  44
  45         return true;
  46     }
  47
  48     public function onEndCheckPassword($nickname, $password, $authenticatedUser)
  49     {
  50         if ($authenticatedUser instanceof User) {
  51             // We'll trust this IP for this user and remove failed logins for the database..
  52             $authenticatedUser->delPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip);
  53             return true;
  54         }
  55
  56         // See if we have an unauthed user from before. If not, it might be because the User did
  57         // not exist yet (such as autoregistering with LDAP, OpenID etc.).
  58         if ($this->unauthed_user instanceof User) {
  59             // And if the login failed, we'll increment the attempt count.
  60             common_debug(sprintf('Failed login tests for user %s from IP %s',
  61                                  $this->unauthed_user->getNickname(), $this->client_ip));
  62             $this->unauthed_user->setPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip, ++$this->failed_attempts);
  63         }
  64         return true;
  65     }
  66
  67     public function onPluginVersion(&$versions)
  68     {
  69         $versions[] = array('name' => 'AntiBrute',
  70                             'version' => GNUSOCIAL_VERSION,
  71                             'author' => 'Mikael Nordfeldth',
  72                             'homepage' => 'http://gnu.io/',
  73                             'description' =>
  74                             // TRANS: Plugin description.
  75                             _m('Anti bruteforce method(s).'));
  76         return true;
  77     }
  78 }