WIP - Append brute force attack protection (#1506)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm

@@ -140,21 +140,21 @@ sub display {
         );
     }
 
-    # 1.4 Brute-Force attack detected
+    # # 1.4 Brute-Force attack detected
-    elsif ( $req->{error} == PE_WAIT ) {
+    # elsif ( $req->{error} == PE_WAIT ) {
-        $self->logger->debug('Display: waiting before retrying authentication');
+    #     $self->logger->debug('Display: waiting before retrying authentication');
-        $self->logger->debug('Hidden values -> '. Dumper( $req->{portalHiddenFormValues}));
+    #     $self->logger->debug('Hidden values -> '. Dumper( $req->{portalHiddenFormValues}));
-        $skinfile       = 'info';
+    #     $skinfile       = 'info';
-        %templateParams = (
+    #     %templateParams = (
-            AUTH_ERROR      => $self->error,
+    #         AUTH_ERROR      => $self->error,
-            AUTH_ERROR_TYPE => $req->error_type,
+    #         AUTH_ERROR_TYPE => $req->error_type,
-            MSG             => '<span trspan="' . "PE$req->{error}" . '">">' . "PE$req->{error}" . '</span>',
+    #         MSG             => '<span trspan="' . "PE$req->{error}" . '">">' . "PE$req->{error}" . '</span>',
-            URL             => $req->{urldc},
+    #         URL             => $req->{urldc},
-            HIDDEN_INPUTS   => $self->buildHiddenForm($req),
+    #         HIDDEN_INPUTS   => $self->buildHiddenForm($req),
-            ACTIVE_TIMER    => $req->data->{activeTimer},
+    #         ACTIVE_TIMER    => $req->data->{activeTimer},
-            FORM_METHOD     => $self->conf->{infoFormMethod},
+    #         FORM_METHOD     => $self->conf->{infoFormMethod},
-        );
+    #     );
-    }
+    # }
 
     # 1.4 OpenID menu page
     elsif ($req->{error} == PE_OPENID_EMPTY
@@ -330,6 +330,7 @@ sub display {
         # * Logout message
         # * Bad URL error
         elsif ($req->{error} == PE_LOGOUT_OK
+            or $req->{error} == PE_WAIT
             or $req->{error} == PE_BADURL )
         {
             %templateParams = (

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm

@@ -1,6 +1,5 @@
 package Lemonldap::NG::Portal::Plugins::BruteForceProtection;
 
-use Data::Dumper;
 use strict;
 use Mouse;
 use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_WAIT);
@@ -21,40 +20,41 @@ sub run {
     my ( $self, $req ) = @_;
 
     my $countFailed          = 0;
-    my $lastFailedLoginEpoch = 0;
+    my @lastFailedLoginEpoch = ();
 
-    # Last failed login epoch before this authentication -> Auth_N-1
+    # Auth_N-2 failed login epoch
     if ( defined $req->sessionInfo->{_loginHistory}->{failedLogin} ) {
         $countFailed = @{ $req->sessionInfo->{_loginHistory}->{failedLogin} };
     }
-    if ( defined $req->sessionInfo->{_loginHistory}->{failedLogin}->[1] ){ 
+
-        $lastFailedLoginEpoch = $req->sessionInfo->{_loginHistory}->{failedLogin}->[1]->{_utime}
+    $self->logger->debug( " Number of failedLogin = $countFailed" );
+    return PE_OK if ( $countFailed < 3 );
+
+    foreach ( 0 .. 2 ) {
+        if ( defined $req->sessionInfo->{_loginHistory}->{failedLogin}->[$_] )
+        {
+            push @lastFailedLoginEpoch,
+                $req->sessionInfo->{_loginHistory}->{failedLogin}->[$_]
+                ->{_utime};
+        }
     }
 
-    # If Auth. N-1 older than 10 minutes -> another try allowed
+    # If Auth_N-2 older than 5 minutes -> another try allowed
-    if ( ( time - $lastFailedLoginEpoch ) > 600 ) {
+    return PE_OK
-        $lastFailedLoginEpoch = 0;
+        if ( ( $lastFailedLoginEpoch[0] - $lastFailedLoginEpoch[2] ) > 300 );
-    }
 
     # Delta between the two last failed logins -> Auth_N - Auth_N-1
-    my $delta = time - $lastFailedLoginEpoch;
+    my $delta = time - $lastFailedLoginEpoch[1];
 
-    $self->logger->debug( " successLogin -> " . Dumper( $req->sessionInfo->{_loginHistory}->{successLogin} ) );
+    $self->logger->debug( " Local time = " . time );
-    $self->logger->debug( " failedLogin -> " . Dumper( $req->sessionInfo->{_loginHistory}->{failedLogin} ) );
+    $self->logger->debug(" Delta time - lastFailedLoginN-1 = $delta");
-    $self->logger->debug(" Number of failedLogin -> $countFailed");
-    $self->logger->debug(" Last failedLogin epoch -> $lastFailedLoginEpoch");
-    $self->logger->debug( " Local time = " . localtime );
-    $self->logger->debug(" Delta Auth_N - Auth_N-1 = $delta");
 
-# If Delta between the two last failed logins < 10s and more than 2 failedLogins => waiting = failedLogins * 10s
+    # Delta between the two last failed logins < 30s => wait
-    if ( $countFailed > 2 and ( $delta < 10 ) ) {
+    return PE_OK unless ( $delta < 31 );
     
-        #sleep $countFailed * 10;
+    # Account locked
+    shift @{ $req->sessionInfo->{_loginHistory}->{failedLogin} };
     return PE_WAIT;
-
-    }
-
-    return PE_OK;
 }
 
 1;

lemonldap-ng-portal/site/htdocs/static/languages/ar.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"You're not authorized to access to this host",
 "PE85":" الموقع البعيد يطلب جلسة جديدة (ولم يتم تحميل برنامج ترقية الجلسة).\nسجل الخروج و أعد المحاولة",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"قبول",
 "accessDenied":"ليس لديك إذن بالدخول لهذا التطبيق",

lemonldap-ng-portal/site/htdocs/static/languages/de.json

@@ -85,7 +85,7 @@
 "PE83":"U2F-Überprüfung fehlgeschlagen. Versuchen Sie es erneut oder wenden Sie sich an Ihren Administrator",
 "PE84":"Sie sind nicht berechtigt, auf diesen Host zuzugreifen",
 "PE85":"Die Gegenseite fragt nach einer neueren Sitzung (und das UpgradeSession-Plugin wurde nicht geladen). Abmelden und erneut versuchen",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Akzeptieren",
 "accessDenied":"Sie haben keine Zugriffsberechtigung für diese Anwendung",

lemonldap-ng-portal/site/htdocs/static/languages/en.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"You're not authorized to access to this host",
 "PE85":"The remote site ask for a newer session (and UpgradeSession plugin isn't loaded). Logout and retry",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",

lemonldap-ng-portal/site/htdocs/static/languages/es.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"You're not authorized to access to this host",
 "PE85":"The remote site ask for a newer session (and UpgradeSession plugin isn't loaded). Logout and retry",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",

lemonldap-ng-portal/site/htdocs/static/languages/fr.json

@@ -85,7 +85,7 @@
 "PE83":"La vérification U2F a échoué. Réessayez ou contactez votre administrateur",
 "PE84":"Vous n'êtes pas autorisé à accéder à ce site",
 "PE85":"Le site souhaite une authentification plus récente (et le plugin UpgradeSession n'est pas chargé). Déconnectez-vous et réessayez",
-"PE86":"Vous devez attendre avant de pouvoir vous ré-authentifier",
+"PE86":"Votre compte est verrouillé. Vous devez attendre 30s avant de vous ré-authentifier.",
 "2fRegRequired":"Ce service requiert une authentification à deux facteurs. Enregistrez un équipement ici et retournez au portail.",
 "accept":"Accepter",
 "accessDenied":"Vous n'avez pas les droits d'accès à cette application",

lemonldap-ng-portal/site/htdocs/static/languages/it.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"Non sei autorizzato ad accedere a questo host",
 "PE85":"Il sito remoto richiede una sessione più recente (e il plug-in di UpgradeSession non viene caricato). Disconnetti e riprova",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accetta",
 "accessDenied":"Non hai un'autorizzazione di accesso per questa applicazione",

lemonldap-ng-portal/site/htdocs/static/languages/nl.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"You're not authorized to access to this host",
 "PE85":"The remote site ask for a newer session (and UpgradeSession plugin isn't loaded). Logout and retry",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",

lemonldap-ng-portal/site/htdocs/static/languages/pt.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"You're not authorized to access to this host",
 "PE85":"The remote site ask for a newer session (and UpgradeSession plugin isn't loaded). Logout and retry",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",

lemonldap-ng-portal/site/htdocs/static/languages/ro.json

@@ -85,7 +85,7 @@
 "PE83":"U2F verification failed. Retry or contact your administrator",
 "PE84":"You're not authorized to access to this host",
 "PE85":"The remote site ask for a newer session (and UpgradeSession plugin isn't loaded). Logout and retry",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",

lemonldap-ng-portal/site/htdocs/static/languages/vi.json

@@ -85,7 +85,7 @@
 "PE83":"Xác minh U2F không thành công",
 "PE84":"Bạn không được phép truy cập vào máy chủ lưu trữ này",
 "PE85":"Trang web từ xa yêu cầu một phiên mới (và plugin UpgradeSession không được tải). Đăng xuất và thử lại ",
-"PE86":"You must wait before trying to authenticate again",
+"PE86":"Your account is locked. You must wait 30s before authenticate again",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Chấp nhận",
 "accessDenied":"Bạn không có quyền truy cập vào ứng dụng này",