Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38003 Commits
638 Branches
1167 Tags
4.0 GiB
Tree: be674c19a5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'be674c19a5'
${ noResults }
nextcloud-server/lib/private/Security/Bruteforce/Throttler.php

307 lines
7.6 KiB
Raw Normal View History

Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
Fix others
10 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
JSON encode the values
10 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
Respect bruteforce settings in the Throttler Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
Respect bruteforce settings in the Throttler Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
dont get bruteforce delay twice
9 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
dont get bruteforce delay twice
9 years ago
Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)
10 years ago
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
  4. *
  5. * @author Lukas Reschke <lukas@statuscode.ch>
  6. *
  7. * @license GNU AGPL version 3 or any later version
  8. *
  9. * This program is free software: you can redistribute it and/or modify
  10. * it under the terms of the GNU Affero General Public License as
  11. * published by the Free Software Foundation, either version 3 of the
  12. * License, or (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU Affero General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU Affero General Public License
  20. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  21. *
  22. */
  24. namespace OC\Security\Bruteforce;
  26. use OCP\AppFramework\Utility\ITimeFactory;
  27. use OCP\IConfig;
  28. use OCP\IDBConnection;
  29. use OCP\ILogger;
  31. /**
  32. * Class Throttler implements the bruteforce protection for security actions in
  33. * Nextcloud.
  34. *
  35. * It is working by logging invalid login attempts to the database and slowing
  36. * down all login attempts from the same subnet. The max delay is 30 seconds and
  37. * the starting delay are 200 milliseconds. (after the first failed login)
  38. *
  39. * This is based on Paragonie's AirBrake for Airship CMS. You can find the original
  40. * code at https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/src/Engine/Security/AirBrake.php
  41. *
  42. * @package OC\Security\Bruteforce
  43. */
  44. class Throttler {
  45. const LOGIN_ACTION = 'login';
  47. /** @var IDBConnection */
  48. private $db;
  49. /** @var ITimeFactory */
  50. private $timeFactory;
  51. /** @var ILogger */
  52. private $logger;
  53. /** @var IConfig */
  54. private $config;
  56. /**
  57. * @param IDBConnection $db
  58. * @param ITimeFactory $timeFactory
  59. * @param ILogger $logger
  60. * @param IConfig $config
  61. */
  62. public function __construct(IDBConnection $db,
  63. ITimeFactory $timeFactory,
  64. ILogger $logger,
  65. IConfig $config) {
  66. $this->db = $db;
  67. $this->timeFactory = $timeFactory;
  68. $this->logger = $logger;
  69. $this->config = $config;
  70. }
  72. /**
  73. * Convert a number of seconds into the appropriate DateInterval
  74. *
  75. * @param int $expire
  76. * @return \DateInterval
  77. */
  78. private function getCutoff($expire) {
  79. $d1 = new \DateTime();
  80. $d2 = clone $d1;
  81. $d2->sub(new \DateInterval('PT' . $expire . 'S'));
  82. return $d2->diff($d1);
  83. }
  85. /**
  86. * Return the given subnet for an IPv4 address and mask bits
  87. *
  88. * @param string $ip
  89. * @param int $maskBits
  90. * @return string
  91. */
  92. private function getIPv4Subnet($ip,
  93. $maskBits = 32) {
  94. $binary = \inet_pton($ip);
  95. for ($i = 32; $i > $maskBits; $i -= 8) {
  96. $j = \intdiv($i, 8) - 1;
  97. $k = (int) \min(8, $i - $maskBits);
  98. $mask = (0xff - ((pow(2, $k)) - 1));
  99. $int = \unpack('C', $binary[$j]);
  100. $binary[$j] = \pack('C', $int[1] & $mask);
  101. }
  102. return \inet_ntop($binary).'/'.$maskBits;
  103. }
  105. /**
  106. * Return the given subnet for an IPv6 address and mask bits
  107. *
  108. * @param string $ip
  109. * @param int $maskBits
  110. * @return string
  111. */
  112. private function getIPv6Subnet($ip, $maskBits = 48) {
  113. $binary = \inet_pton($ip);
  114. for ($i = 128; $i > $maskBits; $i -= 8) {
  115. $j = \intdiv($i, 8) - 1;
  116. $k = (int) \min(8, $i - $maskBits);
  117. $mask = (0xff - ((pow(2, $k)) - 1));
  118. $int = \unpack('C', $binary[$j]);
  119. $binary[$j] = \pack('C', $int[1] & $mask);
  120. }
  121. return \inet_ntop($binary).'/'.$maskBits;
  122. }
  124. /**
  125. * Return the given subnet for an IP and the configured mask bits
  126. *
  127. * Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
  128. * method for handling that specific type.
  129. *
  130. * @param string $ip
  131. * @return string
  132. */
  133. private function getSubnet($ip) {
  134. if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
  135. return $this->getIPv4Subnet(
  136. $ip,
  137. 32
  138. );
  139. }
  140. return $this->getIPv6Subnet(
  141. $ip,
  142. 128
  143. );
  144. }
  146. /**
  147. * Register a failed attempt to bruteforce a security control
  148. *
  149. * @param string $action
  150. * @param string $ip
  151. * @param array $metadata Optional metadata logged to the database
  152. */
  153. public function registerAttempt($action,
  154. $ip,
  155. array $metadata = []) {
  156. // No need to log if the bruteforce protection is disabled
  157. if($this->config->getSystemValue('auth.bruteforce.protection.enabled', true) === false) {
  158. return;
  159. }
  161. $values = [
  162. 'action' => $action,
  163. 'occurred' => $this->timeFactory->getTime(),
  164. 'ip' => $ip,
  165. 'subnet' => $this->getSubnet($ip),
  166. 'metadata' => json_encode($metadata),
  167. ];
  169. $this->logger->notice(
  170. sprintf(
  171. 'Bruteforce attempt from "%s" detected for action "%s".',
  172. $ip,
  173. $action
  174. ),
  175. [
  176. 'app' => 'core',
  177. ]
  178. );
  180. $qb = $this->db->getQueryBuilder();
  181. $qb->insert('bruteforce_attempts');
  182. foreach($values as $column => $value) {
  183. $qb->setValue($column, $qb->createNamedParameter($value));
  184. }
  185. $qb->execute();
  186. }
  188. /**
  189. * Check if the IP is whitelisted
  190. *
  191. * @param string $ip
  192. * @return bool
  193. */
  194. private function isIPWhitelisted($ip) {
  195. $keys = $this->config->getAppKeys('bruteForce');
  196. $keys = array_filter($keys, function($key) {
  197. $regex = '/^whitelist_/S';
  198. return preg_match($regex, $key) === 1;
  199. });
  201. if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
  202. $type = 4;
  203. } else if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
  204. $type = 6;
  205. } else {
  206. return false;
  207. }
  209. $ip = inet_pton($ip);
  211. foreach ($keys as $key) {
  212. $cidr = $this->config->getAppValue('bruteForce', $key, null);
  214. $cx = explode('/', $cidr);
  215. $addr = $cx[0];
  216. $mask = (int)$cx[1];
  218. // Do not compare ipv4 to ipv6
  219. if (($type === 4 && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) ||
  220. ($type === 6 && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
  221. continue;
  222. }
  224. $addr = inet_pton($addr);
  226. $valid = true;
  227. for($i = 0; $i < $mask; $i++) {
  228. $part = ord($addr[(int)($i/8)]);
  229. $orig = ord($ip[(int)($i/8)]);
  231. $part = $part & (15 << (1 - ($i % 2)));
  232. $orig = $orig & (15 << (1 - ($i % 2)));
  234. if ($part !== $orig) {
  235. $valid = false;
  236. break;
  237. }
  238. }
  240. if ($valid === true) {
  241. return true;
  242. }
  243. }
  245. return false;
  247. }
  249. /**
  250. * Get the throttling delay (in milliseconds)
  251. *
  252. * @param string $ip
  253. * @param string $action optionally filter by action
  254. * @return int
  255. */
  256. public function getDelay($ip, $action = '') {
  257. if ($this->isIPWhitelisted($ip)) {
  258. return 0;
  259. }
  261. $cutoffTime = (new \DateTime())
  262. ->sub($this->getCutoff(43200))
  263. ->getTimestamp();
  265. $qb = $this->db->getQueryBuilder();
  266. $qb->select('*')
  267. ->from('bruteforce_attempts')
  268. ->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
  269. ->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
  271. if ($action !== '') {
  272. $qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));
  273. }
  275. $attempts = count($qb->execute()->fetchAll());
  277. if ($attempts === 0) {
  278. return 0;
  279. }
  281. $maxDelay = 30;
  282. $firstDelay = 0.1;
  283. if ($attempts > (8 * PHP_INT_SIZE - 1)) {
  284. // Don't ever overflow. Just assume the maxDelay time:s
  285. $firstDelay = $maxDelay;
  286. } else {
  287. $firstDelay *= pow(2, $attempts);
  288. if ($firstDelay > $maxDelay) {
  289. $firstDelay = $maxDelay;
  290. }
  291. }
  292. return (int) \ceil($firstDelay * 1000);
  293. }
  295. /**
  296. * Will sleep for the defined amount of time
  297. *
  298. * @param string $ip
  299. * @param string $action optionally filter by action
  300. * @return int the time spent sleeping
  301. */
  302. public function sleepDelay($ip, $action = '') {
  303. $delay = $this->getDelay($ip, $action);
  304. usleep($delay * 1000);
  305. return $delay;
  306. }
  307. }