
A new extension, "Anti Brute Force" is now available for download. Comments and feedback can be left here but if you discover any issues, please post it on the issue tracker on GitHub.

I welcome your feedback and comments. I will put this into a large website and can't wait to see it in action in a large environment. From previous experiences, I know I will see lots of failures entries!

Do not hesitate to clone, modify and request a pull!

This seems very useful. I posted issue #1, but I also have a suggestion: would it be possible to allow the user to recover their password through e-mail? There could be a link (in the "banned" message) that points to the password recovery page. Or a link that sends an e-mail with a new password, without a need to enter an e-mail address or user name (the username would be the same as the one that tried to log in). That would help the user access pages without a need to wait for an administrator, and it would inform the user when someone tried to access his/her account.

Awesome! This would be great for the Members extension as well.

@ahwayakchih: I will check the issue right now. As for your suggestion, I think this would allow an evil program to 'un-ban' its IP, and then the extension would be pointless. If you feel like your users will type in the wrong password a lot of the time, set the failed count to something like 10 or 20, or the ban time to just 5 min. For users, it will take long to reach this number of failed attempts, and if they reach it, they deserve to be blocked! Brute-force software will hit the 20 failed count in maybe 1 min, so you will still be protected.

@Lewis: Yes, the next step is to make it compatible with the Members ext :) Does the Members ext provide any delegates or a way to hook into failed and successful logins?

I really appreciate your comments and feedback.

Nitriques,

I think this would allow an evil program to 'un-ban' its IP, and then the extension would be pointless

I do not think so, because the "evil ones" would have to have access to the e-mail account, in which case they would not need to use brute force to "guess" the password in the first place. I'm not saying that it should automatically un-ban the IP as soon as "send me new password" is clicked. It could un-ban it only after the link/one-time access code from the e-mail is used. Your extension could clear the one-time access if someone tried to use a wrong access code, i.e., if someone tried to "guess" the access code sent in the e-mail.

@ahwayakchih:

Never thought of it that way. If I summarize your thoughts, this could be the potential workflow:
- Click on the "send me password" link already built into Symphony
- Add a link to / replace the email sent to the client with the new password
- The link looks something like /extensions/antibruteforce/un_banned/big-bad-ass-hash
- Get redirected to the login page

Just not sure about step #2 if using the forgot password link. Maybe we should build a custom "send me an unban link" to bypass step #2.

I would offer this as a configurable setting: you could disable/enable the unban-via-email functionality.

Wanna help me with the code?

Anti Brute Force updated to version 1.0.1 on 2nd of July 2011

Nitriques, you could generate your own e-mails and codes, but I think it would be easier to just output a link to the "retrieve password" page, and add some checks before blocking pages for banned IPs (to allow retrieving the password :). Check the content.login.php file to see if you could just call some of the Symphony pages.

One thing I noticed when checking your extension code is that it does not block access to pages early enough. Pages are built before the AdminPagePreGenerate delegate is called, so they will handle any $_POST actions that are sent to Symphony :(. I guess it would be nice if Symphony had one delegate that is called before anything else happens (well... before pages and their code are handled, because the engine has to be in place before calling delegates :).

@ahwayakchih: I already started to build this functionality... I will build a custom page that inherits contentLogin.

The thing you noticed, I noticed it too: https://github.com/Solutions-Nitriques/antibruteforce/issues/3

We should build a list of wanted delegates... I hope there will be a lot more in Sym 3

But I do not know how to fix it. Should not be "that bad", don't you think?

Nitriques, I posted a comment on the issue page - no point in spamming this thread with development process discussions :).

The earliest backend delegate is InitaliseAdminPageHead

@Lewis: Yes, the next step is to make it compatible with the Members ext :) Does the Members ext provide any delegates or a way to hook into failed and successful logins?

Not currently, but it should/will.

brendo, thanks. You're right. It is called before AdministrationPage calls its view() (where all the $_POST handling happens), so it should be enough to block banned users.

@brendo, @ahwayakchih: Thanks, I updated my code and will push it soon

Anti Brute Force updated to version 1.0.2 on 4th of July 2011

@ahwayakchih: The extension now features the cool option you requested. You can now enable the "Send an unban link via email" feature in Preferences.

@everybody: The new version breaks compatibility:
UNINSTALL the old version and RE-INSTALL the new version.

You will lose your settings. Go to Preferences to set them back.

Thanks for reporting any issue/comment/feedback.

Anti Brute Force updated to version 1.1 on 17th of July 2011

As I discussed with @ahwayakchih on GitHub, the extension now features a Colored Lists feature, which is my best attempt to prevent botnet brute-force attacks.

White list: never gets banned
Black list: banned forever, no unban via email possible
Grey list: serves a threshold before auto-blacklisting

New settings are available.

Hope you guys like it and that it tightly secures all your Symphony-powered sites.
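To make the mechanics discussed in this thread concrete (the failed-count threshold and ban time, the white/grey/black lists above, and the one-time unban link that @ahwayakchih proposed should be burned on a wrong guess), here is an added illustration in PHP. It is not the antibruteforce extension's code: the class BanTracker, its method names, the in-memory arrays, the explicit grey list and the default thresholds are all assumptions made for the example.

```php
<?php
// Added illustration, not the antibruteforce extension's code: failure threshold +
// ban time, white/grey/black lists (grey IPs auto-blacklist after N bans) and a
// one-time unban token that is burned on a wrong guess. Storage is in-memory.
class BanTracker {
    private $maxFails, $banSeconds, $greyThreshold;
    private $fails = [], $bans = [], $greyBans = [], $tokens = [];
    public $white = [], $black = [], $grey = [];   // the three colored lists
    public function __construct($maxFails = 5, $banSeconds = 300, $greyThreshold = 3) {
        $this->maxFails = $maxFails;
        $this->banSeconds = $banSeconds;
        $this->greyThreshold = $greyThreshold;
    }
    public function isBanned($ip, $now) {
        if (in_array($ip, $this->white, true)) return false;   // white: never banned
        if (in_array($ip, $this->black, true)) return true;    // black: banned forever
        return isset($this->bans[$ip]) && $this->bans[$ip] > $now;
    }
    // Call on every failed login; returns true if this failure triggered a ban.
    public function recordFailure($ip, $now) {
        if (in_array($ip, $this->white, true)) return false;
        $this->fails[$ip] = isset($this->fails[$ip]) ? $this->fails[$ip] + 1 : 1;
        if ($this->fails[$ip] < $this->maxFails) return false;
        $this->fails[$ip] = 0;
        $this->bans[$ip] = $now + $this->banSeconds;
        if (in_array($ip, $this->grey, true)) {   // grey: threshold before auto-blacklist
            $this->greyBans[$ip] = isset($this->greyBans[$ip]) ? $this->greyBans[$ip] + 1 : 1;
            if ($this->greyBans[$ip] >= $this->greyThreshold) $this->black[] = $ip;
        }
        return true;
    }
    public function recordSuccess($ip) { unset($this->fails[$ip]); }
    // Token to e-mail to the account owner (black-listed IPs never get one); only its
    // hash is stored. random_bytes needs PHP 7+.
    public function issueUnbanToken($ip) {
        if (in_array($ip, $this->black, true)) return null;
        $token = bin2hex(random_bytes(16));
        $this->tokens[$ip] = hash('sha256', $token);
        return $token;
    }
    // One attempt only: a wrong guess burns the token, so it cannot be brute-forced.
    public function redeemUnbanToken($ip, $token) {
        if (!isset($this->tokens[$ip])) return false;
        $ok = hash_equals($this->tokens[$ip], hash('sha256', (string) $token));
        unset($this->tokens[$ip]);
        if ($ok) unset($this->bans[$ip]);
        return $ok;
    }
}
```

A real deployment would persist the arrays in the database and check isBanned() from the earliest available delegate (InitaliseAdminPageHead, as brendo notes above) so the block happens before any $_POST handling.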

@Nitriques - I updated this extension for Symphony 2.3 and sent you a Pull Request.

Pulled!

Anti Brute Force updated to version 1.3.1 on 6th of January 2013

I'm looking to use this with the members extension - for registration as well as login. You mention in the readme: "A Facade/Singleton class -ABF- for developers to leverage antibruteforce capabilities (ex.: email reports or use with the member extension)"

I don't suppose you could elaborate a little for me - how would I actually get this working with members?

Any help hugely appreciated!

(Super appreciative of your extensions by the way, it seems half the ones I use come from you!)


Symphony • Open Source XSLT CMS
