3 if (!defined('GNUSOCIAL')) { exit(1); }
5 class AntiBrutePlugin extends Plugin {
6 protected $failed_attempts = 0;
7 protected $unauthed_user = null;
8 protected $client_ip = null;
10 const FAILED_LOGIN_IP_SECTION = 'failed_login_ip';
12 public function initialize()
14 // This probably needs some work. For example with IPv6 you can easily generate new IPs...
15 $client_ip = common_client_ip();
16 $this->client_ip = $client_ip[0] ?: $client_ip[1]; // [0] is proxy, [1] should be the real IP
19 public function onStartCheckPassword($nickname, $password, &$authenticatedUser)
21 if (common_is_email($nickname)) {
22 $this->unauthed_user = User::getKV('email', common_canonical_email($nickname));
24 $this->unauthed_user = User::getKV('nickname', Nickname::normalize($nickname));
27 if (!$this->unauthed_user instanceof User) {
28 // Unknown username continue processing StartCheckPassword (maybe uninitialized LDAP user etc?)
32 $this->failed_attempts = (int)$this->unauthed_user->getPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip);
34 case $this->failed_attempts >= 5:
35 common_log(LOG_WARNING, sprintf('Multiple failed login attempts for user %s from IP %s - brute force attack?',
36 $this->unauthed_user->getNickname(), $this->client_ip));
37 // 5 seconds is a good max waiting time anyway...
38 sleep($this->failed_attempts % 5 + 1);
40 case $this->failed_attempts > 0:
41 common_debug(sprintf('Previously failed login on user %s from IP %s - sleeping %u seconds.',
42 $this->unauthed_user->getNickname(), $this->client_ip, $this->failed_attempts));
43 sleep($this->failed_attempts);
46 // No sleeping if it's our first failed attempt.
52 public function onEndCheckPassword($nickname, $password, $authenticatedUser)
54 if ($authenticatedUser instanceof User) {
55 // We'll trust this IP for this user and remove failed logins for the database..
56 $authenticatedUser->delPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip);
60 // See if we have an unauthed user from before. If not, it might be because the User did
61 // not exist yet (such as autoregistering with LDAP, OpenID etc.).
62 if ($this->unauthed_user instanceof User) {
63 // And if the login failed, we'll increment the attempt count.
64 common_debug(sprintf('Failed login tests for user %s from IP %s',
65 $this->unauthed_user->getNickname(), $this->client_ip));
66 $this->unauthed_user->setPref(self::FAILED_LOGIN_IP_SECTION, $this->client_ip, ++$this->failed_attempts);
71 public function onPluginVersion(array &$versions)
73 $versions[] = array('name' => 'AntiBrute',
74 'version' => GNUSOCIAL_VERSION,
75 'author' => 'Mikael Nordfeldth',
76 'homepage' => 'http://gnu.io/',
78 // TRANS: Plugin description.
79 _m('Anti bruteforce method(s).'));