plugins/AntiBrute/AntiBrutePlugin.php

   1 <?php
   2
   3 if (!defined('GNUSOCIAL')) { exit(1); }
   4
   5 class AntiBrutePlugin extends Plugin {
   6     protected $failed_attempts = 0;
   7     protected $unauthed_user = null;
   8     protected $client_ip = null;
   9
  10     const FAILED_LOGIN_IP_SECTION = 'failed_login_ip';
  11
  12     public function initialize()
  13     {
  14         // This probably needs some work. For example with IPv6 you can easily generate new IPs...
  15         $client_ip = common_client_ip();
  16         $this->client_ip = $client_ip[0] ?: $client_ip[1];   // [0] is proxy, [1] should be the real IP
  17     }
  18
  19     public function onStartCheckPassword($nickname, $password, &$authenticatedUser)
  20     {
  21         if (common_is_email($nickname)) {
  22             $this->unauthed_user = User::getKV('email', common_canonical_email($nickname));
  23         } else {
  24             $this->unauthed_user = User::getKV('nickname', Nickname::normalize($nickname));
  25         }
  26
  27         if (!$this->unauthed_user instanceof User) {
  28             // Unknown username continue processing StartCheckPassword (maybe uninitialized LDAP user etc?)
  29             return true;
  30         }
  31
  32         $this->failed_attempts = (int)$this->unauthed_user->getPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip);
  33         switch (true) {
  34         case $this->failed_attempts >= 5:
  35             common_log(LOG_WARNING, sprintf('Multiple failed login attempts for user %s from IP %s - brute force attack?',
  36                                  $this->unauthed_user->getNickname(), $this->client_ip));
  37             // 5 seconds is a good max waiting time anyway...
  38             sleep($this->failed_attempts % 5 + 1);
  39             break;
  40         case $this->failed_attempts > 0:
  41             common_debug(sprintf('Previously failed login on user %s from IP %s - sleeping %u seconds.',
  42                                  $this->unauthed_user->getNickname(), $this->client_ip, $this->failed_attempts));
  43             sleep($this->failed_attempts);
  44             break;
  45         default:
  46             // No sleeping if it's our first failed attempt.
  47         }
  48
  49         return true;
  50     }
  51
  52     public function onEndCheckPassword($nickname, $password, $authenticatedUser)
  53     {
  54         if ($authenticatedUser instanceof User) {
  55             // We'll trust this IP for this user and remove failed logins for the database..
  56             $authenticatedUser->delPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip);
  57             return true;
  58         }
  59
  60         // See if we have an unauthed user from before. If not, it might be because the User did
  61         // not exist yet (such as autoregistering with LDAP, OpenID etc.).
  62         if ($this->unauthed_user instanceof User) {
  63             // And if the login failed, we'll increment the attempt count.
  64             common_debug(sprintf('Failed login tests for user %s from IP %s',
  65                                  $this->unauthed_user->getNickname(), $this->client_ip));
  66             $this->unauthed_user->setPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip, ++$this->failed_attempts);
  67         }
  68         return true;
  69     }
  70
  71     public function onPluginVersion(array &$versions)
  72     {
  73         $versions[] = array('name' => 'AntiBrute',
  74                             'version' => GNUSOCIAL_VERSION,
  75                             'author' => 'Mikael Nordfeldth',
  76                             'homepage' => 'http://gnu.io/',
  77                             'description' =>
  78                             // TRANS: Plugin description.
  79                             _m('Anti bruteforce method(s).'));
  80         return true;
  81     }
  82 }