More secure authentication backend
(updated simple.auth.php)
Vilda #1
Member since May 2010 · 7 posts
Group memberships: Members
Subject: More secure authentication backend
Hi,

I tried to develop a new authentication backend. It bans a user's IP address after a defined number of false login attempts within a defined time.
Simple idea is written here: http://forum.dokuwiki.org/thread/5431

Installation
1. unpack the attached file
2. copy ban.class.php to the inc\auth directory
3. log in as admin
4. in the settings section set authtype to ban.

Configuration
Open inc\auth\ban.class.php and read the instructions in the file. Default is 3 attempts in 15 minutes.

Additional info
Automatically creates the conf\ban.auth.php file with a list of IP addresses and Unix timestamps of unsuccessful logins. Syntax is
IpAddress:unixTimeStampOfFalseAttempt
IpAddress:unixTimeStampOfFalseAttempt
IpAddress:unixTimeStampOfFalseAttempt
IpAddress:unixTimeStampOfFalseAttempt
IpAddress:unixTimeStampOfFalseAttempt
...

Changelog
Version 0.5
 - updated for release 2012-10-13 "Adora Belle"
 - constructor updated to OOP
 - removed unused parts of code
Version 0.4
 - initial version

Try to test it. Any comments welcome.

Vilda
The author has attached one file to this post:
ban.class.zip 1.5 kBytes
This post was edited 4 times, last on 2013-01-28, 19:25 by Vilda.
Edit reason: Updated attachment
andi (Administrator) #2
User title: splitbrain
Member since May 2006 · 3303 posts · Location: Berlin Germany
Group memberships: Administrators, Members
This makes it pretty easy to run a Denial-of-Service attack on an account. I can effectively lock you out from your account by repeatedly submitting wrong passwords for your account.
Read this if you don't get any useful answers.
andi (Administrator) #3
User title: splitbrain
Member since May 2006 · 3303 posts · Location: Berlin Germany
Group memberships: Administrators, Members
Quote by andi:
This makes it pretty easy to run a Denial-of-Service attack on an account. I can effectively lock you out from your account by repeatedly submitting wrong passwords for your account.

Ah no. Forget what I said. That would require to run my attack from your IP address...
Vilda #4
Member since May 2010 · 7 posts
Group memberships: Members
Yes, it doesn't matter what account you try to hack. Your IP address is blocked just for the login process. The displayed error message is still the same - the hacker doesn't know if the username/password is wrong or if they are blocked.

Simply - after the defined interval/number of attempts the script returns false before the name/password is checked.
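The mechanism described in the opening post and in this reply (an IP:timestamp file, a fixed number of failures within a time window, and a refusal that happens before the credentials are even looked at), as an added standalone PHP example that is not Vilda's ban.class.php; the file location, the function names and the $checkCredentials callback are assumptions:

```php
<?php
// Added example, not the plugin's own code. The ban file uses the format the
// post gives: one "ip:unixTimestamp" line per failed login attempt.
const BAN_MAX_ATTEMPTS = 3;              // failures allowed ...
const BAN_WINDOW       = 15 * 60;        // ... within this many seconds
const BAN_FILE         = __DIR__ . '/ban.auth.php';   // assumed location

// Return the failure timestamps recorded for $ip that are still inside the
// window. Lines older than the window (for any IP) are dropped on the way,
// so the file does not grow without bound; $keep receives the surviving lines.
function ban_recent_failures(string $ip, int $now, array &$keep): array
{
    $mine = [];
    $keep = [];
    if (!is_file(BAN_FILE)) {
        return $mine;
    }
    $lines = file(BAN_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {
        // split on the last ':' so IPv6 addresses, which contain colons, parse
        $pos = strrpos($line, ':');
        if ($pos === false) {
            continue;
        }
        $entryIp = substr($line, 0, $pos);
        $ts      = (int) substr($line, $pos + 1);
        if ($now - $ts > BAN_WINDOW) {
            continue;                        // expired, not kept
        }
        $keep[] = $line;
        if ($entryIp === $ip) {
            $mine[] = $ts;
        }
    }
    return $mine;
}

// Decide a login the way the reply describes: if the IP already has too many
// recent failures, refuse before the credentials are evaluated; otherwise run
// the real check and record a failure on mismatch. The caller shows the same
// generic error for both outcomes, so a blocked client cannot tell them apart.
function ban_check_login(string $ip, callable $checkCredentials, ?int $now = null): bool
{
    $now = $now ?? time();
    $recent = ban_recent_failures($ip, $now, $keep);
    if (count($recent) >= BAN_MAX_ATTEMPTS) {
        return false;                        // blocked; password never looked at
    }
    if ($checkCredentials()) {
        return true;
    }
    $keep[] = $ip . ':' . $now;              // record this failed attempt
    file_put_contents(BAN_FILE, implode("\n", $keep) . "\n", LOCK_EX);
    return false;
}
```

In a backend the callback would wrap the existing password check, e.g. ban_check_login($_SERVER['REMOTE_ADDR'], fn() => $this->checkPass($user, $pass)), where checkPass stands for whatever the backend already uses.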
einer #5
Member since Mar 2011 · 1 post
Group memberships: Members
Found this plugin and yeah, it's helpful indeed.
I added an email notification based on bash to get informed when someone is banned. But it would be nice if you could integrate something directly into your plugin. My workaround has some delay because it is invoked by cron.
Vilda #6
Member since May 2010 · 7 posts
Group memberships: Members
Quote by einer:
Found this plugin and yeah, it's helpful indeed.
I added an email notification based on bash to get informed when someone is banned. But it would be nice if you could integrate something directly into your plugin. My workaround has some delay because it is invoked by cron.

Hi,

thanks for your idea. It is easy to integrate it. But sorry, I don't think that it is a good idea to integrate it this way.

Why do you need it?

If the wiki sends you the IP address at every attempt, your mailbox will be full of these messages. Imagine that your wiki is attacked by a login robot. You would receive millions of emails.

Maybe it could be optional (not everybody needs it): the wiki could inform you by mail and send you the IP when somebody tries to log in a thousand (or a defined number of) times from the same IP, or make an admin plugin with counted statistics of banned IPs.

Have a nice day
csachs #7
Member since Jun 2011 · 2 posts
Group memberships: Members
Subject: Release 2012-10-13 "Adora Belle"
This nice plugin worked all the time without any issue. But after updating to release 2012-10-13 "Adora Belle" the dokuwiki doesn't start anymore. Is there any update for this plugin available?
Vilda #8
Member since May 2010 · 7 posts
Group memberships: Members
Quote by csachs:
This nice plugin worked all the time without any issue. But after updating to release 2012-10-13 "Adora Belle" the dokuwiki doesn't start anymore. Is there any update for this plugin available?
Not yet. I noticed yesterday that a new version of DokuWiki is out. I haven't upgraded my wiki yet. A new version will be posted soon (approx. 14 days - upgrade, coding, tests...).

Thanks for your notice.
Vilda #9
Member since May 2010 · 7 posts
Group memberships: Members
New version is available.
csachs #10
Member since Jun 2011 · 2 posts
Group memberships: Members
It's working perfectly now.
Thank you very much, Vilda!
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen