09 Failed Logins

Started by Mindless, July 21, 2012, 08:33:34 PM



denede

In the latest revision, the bark() function is not in the file, and the file is a little different.

Mindless

Credits to Retro, pdq, putyn and Ezero for this one, and also to the original creators.
Various changes done for 09
Xhtml valid

Run the sql :
 
Code (sql) Select
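-- Failed login attempts keyed by ip. More than one row per ip is possible
-- (the insert in takelogin.php is not guarded against concurrent attempts),
-- which is why the readers use SUM(attempts) rather than a single row.
-- Rows are removed on a successful login from that ip or by staff in
-- failedlogins.php; as far as this mod shows, nothing expires them by time.
CREATE TABLE IF NOT EXISTS `failedlogins` (
  `id` int(10) unsigned NOT NULL auto_increment,
  -- 45 characters hold an IPv6 address (including the IPv4-mapped form);
  -- the old varchar(15) only fits dotted IPv4 and silently truncated longer values.
  `ip` varchar(45) collate utf8_unicode_ci NOT NULL default '',
  -- unix timestamp (time()) of the first failed attempt; never updated afterwards
  `added` int(11) NOT NULL,
  -- staff-visible flag; also set automatically once the attempt limit is reached
  `banned` enum('yes','no') collate utf8_unicode_ci NOT NULL default 'no',
  `attempts` int(10) NOT NULL default '0',
  PRIMARY KEY  (`id`)
  -- the ip index is added by the separate ALTER TABLE statement that follows
  ) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;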

   
Code (sql) Select
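-- login.php and takelogin.php look failedlogins up by ip on every login;
-- failedlogins.php joins users on ip for the staff listing.
-- Each statement is terminated so the two can be pasted into a client as one batch.
ALTER TABLE `failedlogins` ADD INDEX `failedlogins_ip_idx` (`ip`);
ALTER TABLE `users` ADD INDEX `users_ip_idx` (`ip`);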

   
@ file include/config.php add :   
   
Code (php) Select
$TBDEV['failedlogins'] = 5; // Max failed logins before ip ban (read by left() in login.php and failedloginscheck() in takelogin.php)

Under the torrent folder filepath line add :

Code (php) Select
$TBDEV['dictbreaker'] = ROOT_PATH.'/dictbreaker'; // directory for the per-ip throttle marker files written by takelogin.php

For defined directories use

Code (php) Select
$TBDEV['dictbreaker'] = ROOT_DIR.'/dictbreaker'; // same marker directory, for installs that define ROOT_DIR instead of ROOT_PATH

And remember to create a new folder in root named dictbreaker with an index.html or .htaccess inside it - chmod to 777
   
@File login.php under the require_once bittorrent.php add :

Code (php) Select
dbconn(); // login.php needs a database connection for the failedlogins lookup in left()

Find this :

Code (php) Select
$HTMLOUT = ''; // page output buffer

Under it add this function :
   
Code (php) Select
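//== 09 failed logins - thanks to pdq/Retro
/**
 * Number of login attempts the current ip has left before it is locked,
 * wrapped in a coloured <font> tag for the login page (red at 2 or fewer,
 * green otherwise). The limit comes from $TBDEV['failedlogins'].
 *
 * @return string HTML fragment containing the remaining count
 */
function left ()
{
global $TBDEV;
$ip = sqlesc(getip());
// Sum over every row for this ip (several rows per ip are possible).
// COALESCE makes the no-rows case an explicit 0 instead of NULL.
$fail = mysql_query("SELECT COALESCE(SUM(attempts), 0) FROM failedlogins WHERE ip=$ip") or sqlerr(__FILE__, __LINE__);
list($total) = mysql_fetch_row($fail);
// Never display a negative number once the limit has already been exceeded.
$left = max(0, (int)$TBDEV['failedlogins'] - (int)$total);
if ($left <= 2)
$left = "<font color='red' size='4'>" . $left . "</font>";
else
$left = "<font color='green' size='4'>" . $left . "</font>";
return $left;
}
//== End Failed logins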

   
Find this line :

Code (php) Select
<p>Note: You need cookies enabled to log in.</p>

Under it add
   
Code (php) Select
<b>[{$TBDEV['failedlogins']}]</b> Failed logins in a row will ban your ip from access<br />You have <b> " . left () ." </b> login attempt(s) remaining.<br /><br />
 
@File takelogin.php under the require_once bittorrent.php add :

Code (php) Select
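// Throttle: at most one login attempt per ip every 8 seconds. The marker file
// is named by the sha1 of the remote address, so nothing user-typed reaches the path.
// NOTE(review): failedloginscheck() keys its counter on getip(); if that helper
// reads proxy headers the two keys can differ for the same client - confirm.
$sha = sha1($_SERVER['REMOTE_ADDR']);
$throttle_file = $TBDEV['dictbreaker'] . '/' . $sha;
if (is_file($throttle_file) && filemtime($throttle_file) > (time() - 8)) {
    // Refresh the marker so a rapid retry restarts the 8 second wait.
    @touch($throttle_file);
    die('Minimum 8 seconds between login attempts :)');
}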


Just under that place this function :

Code (php) Select
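// 09 failed logins thanks to pdq - Retro
/**
 * Abort the login when the current ip has used up its failed attempts or has
 * been flagged banned by staff in failedlogins.php. The limit is
 * $TBDEV['failedlogins']; stderr() is relied on to end the request.
 *
 * NOTE(review): the message promises a 24 hour lock, but as far as this mod
 * shows no row is ever expired by time - rows are only cleared on a successful
 * login from the ip or by staff. Confirm before relying on the wording.
 */
function failedloginscheck () {
global $TBDEV;
$ip = sqlesc(getip());
// One query gives the attempt total (several rows per ip are possible, hence
// SUM) and whether any row carries the staff ban flag; without the flag check
// the Ban button in failedlogins.php had no effect on logins.
$res = mysql_query("SELECT COALESCE(SUM(attempts), 0), MAX(banned = 'yes') FROM failedlogins WHERE ip=$ip") or sqlerr(__FILE__, __LINE__);
list($total, $flagged) = mysql_fetch_row($res);
if ($flagged || (int)$total >= (int)$TBDEV['failedlogins']) {
mysql_query("UPDATE failedlogins SET banned = 'yes' WHERE ip=$ip") or sqlerr(__FILE__, __LINE__);
// $ip is SQL-quoted; show the plain address to the user instead.
stderr("Login Locked!", "You have been <b>Exceeded</b> the allowed maximum login attempts without successful login, therefore your ip address <b>(".htmlspecialchars(getip()).")</b> has been locked for 24 hours.");
}
}
//==End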


Next find this :

Code (php) Select
// Stock bark(): the failed-login response that the next snippet replaces.
function bark($text = 'Username or password incorrect')
    {
    global $lang;
    stderr($lang['tlogin_failed'], $text);
    }

   
Replace it with this :

Code (php) Select
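/**
 * Failed-login response. Also refreshes the per-ip throttle marker so the
 * 8 second gap enforced at the top of takelogin.php applies to the next attempt.
 *
 * @param string $text message body shown under $lang['tlogin_failed']
 */
function bark($text = 'Username or password incorrect')
    {
    // $TBDEV must be declared global here: without it the path was built from an
    // undefined variable and the (error-suppressed) fopen never wrote the marker.
    global $lang, $TBDEV;
    @fclose(@fopen(''.$TBDEV['dictbreaker'].'/' . sha1($_SERVER['REMOTE_ADDR']), 'w'));
    stderr($lang['tlogin_failed'], $text);
    }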

   
Under the above function add :

Code (php) Select
failedloginscheck (); // abort here if this ip is already locked, before any password is checked
   
Find this  :

Code (php) Select
// Stock password check; the next snippet replaces it with the failed-login bookkeeping.
if ($row['passhash'] != make_passhash( $row['secret'], md5($password) ) )
    //if ($row['passhash'] != md5($row['secret'] . $password))
      bark();


Replace it with this :
   
Code (php) Select
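//==09 Failed logins  - thanks to pdq - Retro
// Unknown username and wrong password are handled in one place and answered
// with the same message, so the response no longer reveals whether the
// username exists. $row, $username and $password come from earlier in takelogin.php.
$ip = sqlesc(getip());
$added = sqlesc(time());
$login_ok = $row && ($row['passhash'] == make_passhash( $row['secret'], md5($password) ));
if (!$login_ok) {
    // Record the attempt: first failure inserts a row, later ones increment it.
    // NOTE(review): count-then-insert is not atomic, so two simultaneous attempts
    // from one ip can create two rows; the readers cope by using SUM(attempts).
    $res = mysql_query("SELECT COUNT(*) FROM failedlogins WHERE ip=$ip") or sqlerr(__FILE__, __LINE__);
    list($fail) = mysql_fetch_row($res);
    if ($fail == 0)
    mysql_query("INSERT INTO failedlogins (ip, added, attempts) VALUES ($ip, $added, 1)") or sqlerr(__FILE__, __LINE__);
    else
    mysql_query("UPDATE failedlogins SET attempts = attempts + 1 WHERE ip=$ip") or sqlerr(__FILE__, __LINE__);
    // Refresh the throttle marker so the 8 second gap applies to the next attempt.
    @fclose(@fopen('' . $TBDEV['dictbreaker'] . '/' . sha1($_SERVER['REMOTE_ADDR']), 'w'));
    if ($row) {
    // The account exists: warn its owner by site PM. getip() is used for
    // display because $ip is already SQL-quoted.
    $to = $row['id'];
    $subject = "Failed login";
    $msg = "[color=red]Security alert[/color]\n Account: ID=".$row['id']." Somebody (probably you, ".$username." !) tried to login but failed!". "\nTheir [b]Ip Address [/b] was : ". getip() . "\n If this wasn't you please report this event to a {$TBDEV['site_name']} staff member\n - Thank you.\n";
    $sql = "INSERT INTO messages (sender, receiver, msg, subject, added) VALUES('System', '$to', ". sqlesc($msg).", ". sqlesc($subject).", $added);";
    mysql_query($sql) or sqlerr(__FILE__, __LINE__);
    }
    // Same wording for both failure cases; stderr() is relied on to end the request.
    stderr("Login failed !", "<b>Error</b>: Username or password entry incorrect <br />Have you forgotten your password? <a href='{$TBDEV['baseurl']}/recover.php'><b>Recover</b></a> your password !");
}
//== End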

   
Find this line :

Code (php) Select
logincookie($row['id'], $row['passhash']); // successful login: the login cookie is set here
   
Under it add :

Code (php) Select
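// Successful login: clear this ip's failed-attempt rows so the counter starts over.
// Errors are reported like every other query in this mod instead of being ignored.
$ip = sqlesc(getip());
mysql_query("DELETE FROM failedlogins WHERE ip = $ip") or sqlerr(__FILE__, __LINE__);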


@File admin/index add :

Code (php) Select
<span class='btn'><a href='failedlogins.php'>{$lang['index_failed_logins']}</a></span>

@File admin.PHP add :

Code (php) Select
'failedlogins'     => 'failedlogins',

If it is the last entry, remove the trailing comma.

@File lang/en/lang_ad_index.php add :

Code (php) Select
'index_failed_logins' => 'Failed Logins',

Save and upload lang_failedlogins.php to lang/en/ :

Code (php) Select
<?php
// Language strings for failedlogins.php, loaded via load_language('failedlogins').
// Keys are grouped by where they are shown: status messages first, then the listing.
$lang = array(
    // failedlogin messages
    'failed_sorry'           => "Sorry",
    'failed_acc_deny'        => "Access denied",
    'failed_bad_id'          => "Invalid Id",
    'failed_success'         => "Success",
    'failed_message_ban'     => "Member banned... redirecting in 2,1..",
    'failed_message_unban'   => "Ip ban Removed... redirecting in 2,1..",
    'failed_message_deleted' => "Entry deleted... redirecting in 2,1..",
    'failed_message_nothing' => "Nothing found !",
    // failedlogin main
    'failed_main_ip'         => "Ip Address",
    'failed_main_added'      => "Added",
    'failed_main_attempts'   => "Attempts",
    'failed_main_status'     => "Status",
    'failed_main_noban'      => "Not banned",
    'failed_main_remban'     => "Remove ban",
    'failed_main_banned'     => "Banned",
    'failed_main_ban'        => "Ban",
    'failed_main_delmessage' => "Are you wish to delete this attempt?",
    'failed_main_delete'     => "Delete",
    'failed_main_logins'     => "Failed Logins",
);
?>


Save and upload failedlogins.php to root :

Code (php) Select
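<?php
/*
+------------------------------------------------
|   $Date$
|   $Revision$ 09 Final
|   $Failedlogins
|   $Author$ Bigjoos
|   $URL$
|
|    ALTER TABLE `failedlogins` ADD INDEX (`ip`)
|    ALTER TABLE `users` ADD INDEX (`ip`)
|
+------------------------------------------------
*/
// Staff page: lists failed login attempts per ip and lets staff ban, unban
// or delete an entry. Restricted to UC_ADMINISTRATOR and above.
require_once("include/bittorrent.php");
require_once ROOT_PATH.'/include/user_functions.php';
dbconn(false);
loggedinorreturn();

$lang = array_merge(load_language('global'), load_language('failedlogins'));

if ($CURUSER['class'] < UC_ADMINISTRATOR)
    stderr($lang['failed_sorry'], "{$lang['failed_acc_deny']}");

$action = isset($_GET['action']) ? $_GET['action'] : '';
// id is an unsigned auto_increment key; the cast turns anything else into 0,
// which matches no row.
$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;

// NOTE(review): the three actions below run on a plain GET link with no
// per-request token, so a staff member's browser can be made to issue them by
// an outside page. Moving them to POST with a session token would close that.
$action_messages = array(
    'ban'       => $lang['failed_message_ban'],
    'removeban' => $lang['failed_message_unban'],
    'delete'    => $lang['failed_message_deleted'],
);

if (isset($action_messages[$action])) {
    if ($action == 'ban') {
        mysql_query("UPDATE failedlogins SET banned = 'yes' WHERE id=".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
    } elseif ($action == 'removeban') {
        // takelogin.php locks on the attempt total, not only on this flag, so the
        // counter is reset as well; clearing just the flag left the ip locked.
        mysql_query("UPDATE failedlogins SET banned = 'no', attempts = 0 WHERE id=".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
    } else {
        mysql_query("DELETE FROM failedlogins WHERE id=".sqlesc($id)) or sqlerr(__FILE__, __LINE__);
    }
    header('Refresh: 2; url='.$TBDEV['baseurl'].'/failedlogins.php');
    stderr($lang['failed_success'], $action_messages[$action]);
    exit();
}

$HTMLOUT = "<table border='1' cellspacing='0' cellpadding='5' width='80%'>\n";

// A users row is attached when its ip matches; several users on the same ip
// give one listing row per user.
$res = mysql_query("SELECT f.*, u.id AS uid, u.username FROM failedlogins AS f LEFT JOIN users AS u ON u.ip = f.ip ORDER BY f.added DESC") or sqlerr(__FILE__, __LINE__);

if (mysql_num_rows($res) == 0) {
    // the header row below has five columns, so span all of them
    $HTMLOUT .= "<tr><td colspan='5'><b>{$lang['failed_message_nothing']}</b></td></tr>\n";
} else {
    $HTMLOUT .= "<tr><td class='colhead'>ID</td><td class='colhead' align='left'>{$lang['failed_main_ip']}</td><td class='colhead' align='left'>{$lang['failed_main_added']}</td>".
                "<td class='colhead' align='left'>{$lang['failed_main_attempts']}</td><td class='colhead' align='left'>{$lang['failed_main_status']}</td></tr>\n";
    while ($arr = mysql_fetch_assoc($res)) {
        $row_id = (int)$arr['id'];
        // ip and username are stored values, not typed on this page; escape them
        // before they go into the staff-facing HTML.
        $who = htmlspecialchars($arr['ip']);
        if ($arr['uid']) {
            // only open the link when there is a user to link to (no stray </a>)
            $who .= " <a href='{$TBDEV['baseurl']}/userdetails.php?id=" . (int)$arr['uid'] . "'>"
                  . ($arr['username'] ? "(" . htmlspecialchars($arr['username']) . ")" : "")
                  . "</a>";
        }
        if ($arr['banned'] == "yes") {
            $status = "<font color='red'><b>{$lang['failed_main_banned']}</b></font> <a href='?action=removeban&amp;id=$row_id'><font color='green'>[<b>{$lang['failed_main_remban']}</b>]</font></a>";
        } else {
            $status = "<font color='green'><b>{$lang['failed_main_noban']}</b></font> <a href='?action=ban&amp;id=$row_id'><font color='red'>[<b>{$lang['failed_main_ban']}</b>]</font></a>";
        }
        $status .= "  <a onclick=\"return confirm('{$lang['failed_main_delmessage']}');\" href='?action=delete&amp;id=$row_id'>[<b>{$lang['failed_main_delete']}</b>]</a>";

        $HTMLOUT .= "<tr><td align='left'><b>$row_id</b></td>"
                  . "<td align='left'><b>$who</b></td>"
                  . "<td align='left'><b>" . get_date($arr['added'], '', 1, 0) . "</b></td>"
                  . "<td align='left'><b>" . (int)$arr['attempts'] . "</b></td>"
                  . "<td align='left'>$status</td></tr>\n";
    }
}
$HTMLOUT .= "</table>\n";
print stdhead($lang['failed_main_logins']) . $HTMLOUT . stdfoot();
?>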