Append BruteForceProtection (#1506)

This commit is contained in:
Christophe Maudoux 2018-09-28 19:50:01 +02:00
parent 1662f471bb
commit d4eb025de3
6 changed files with 1404 additions and 218 deletions

View File

@ -20,6 +20,8 @@ sub defaultValues {
'available2F' => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
'bruteForceProtection' => 1,
'bruteForceProtectionMaxAge' => 300,
'bruteForceProtectionTempo' => 30,
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,

View File

@ -611,6 +611,14 @@ sub attributes {
'default' => 1,
'type' => 'bool'
},
'bruteForceProtectionMaxAge' => {
'default' => 300,
'type' => 'int'
},
'bruteForceProtectionTempo' => {
'default' => 30,
'type' => 'int'
},
'captcha_login_enabled' => {
'default' => 0,
'type' => 'bool'

File diff suppressed because it is too large Load Diff

View File

@ -23,6 +23,9 @@ my @notManagedAttributes = (
# Second factor engine and lists of 2F modules
'sfEngine', 'available2FSelfRegistration', 'available2F',
# Brute forece attack protection parameters
'bruteForceProtectionMaxAge', 'bruteForceProtectionTempo',
# Metadatas (added by manager itself)
'cfgAuthor', 'cfgAuthorIP', 'cfgNum', 'cfgDate', 'cfgLog', 'cfgVersion',

View File

@ -19,6 +19,7 @@ sub init {1}
sub run {
my ( $self, $req ) = @_;
my $MaxAge = 0;
my $countFailed = 0;
my @lastFailedLoginEpoch = ();
@ -27,7 +28,7 @@ sub run {
$countFailed = @{ $req->sessionInfo->{_loginHistory}->{failedLogin} };
}
$self->logger->debug( " Number of failedLogin = $countFailed" );
$self->logger->debug(" Number of failedLogin = $countFailed");
return PE_OK if ( $countFailed < 3 );
foreach ( 0 .. 2 ) {
@ -39,19 +40,20 @@ sub run {
}
}
# If Auth_N-2 older than 5 minutes -> another try allowed
# If Auth_N-2 older than MaxAge -> another try allowed
$MaxAge = $lastFailedLoginEpoch[0] - $lastFailedLoginEpoch[2];
$self->logger->debug( " MaxAge = $MaxAge" );
return PE_OK
if ( ( $lastFailedLoginEpoch[0] - $lastFailedLoginEpoch[2] ) > 300 );
if ( $MaxAge > $self->conf->{bruteForceProtectionMaxAge} );
# Delta between the two last failed logins -> Auth_N - Auth_N-1
my $delta = time - $lastFailedLoginEpoch[1];
$self->logger->debug( " Local time = " . time );
$self->logger->debug(" Delta time - lastFailedLoginN-1 = $delta");
$self->logger->debug(" Delta = $delta");
# Delta between the two last failed logins < 30s => wait
return PE_OK unless ( $delta < 31 );
return PE_OK
unless ( $delta <= $self->conf->{bruteForceProtectionTempo} );
# Account locked
shift @{ $req->sessionInfo->{_loginHistory}->{failedLogin} };
return PE_WAIT;