security: log invalid password attempts for admins
security: reduce login ratelimits from 1/second -> 1/10 seconds
security: reduce login ratelimits from 200/hr -> 100/hr
security: reduce login ratelimits from 1000/day -> 500/day
parent
31eb387c8d
commit
03cf8038f3
|
@ -223,6 +223,7 @@ PERMS = { # Minimum admin_level to perform action.
|
||||||
'SITE_SETTINGS_UNDER_ATTACK': 3,
|
'SITE_SETTINGS_UNDER_ATTACK': 3,
|
||||||
'SITE_CACHE_PURGE_CDN': 3,
|
'SITE_CACHE_PURGE_CDN': 3,
|
||||||
'SITE_CACHE_DUMP_INTERNAL': 2,
|
'SITE_CACHE_DUMP_INTERNAL': 2,
|
||||||
|
'SITE_WARN_ON_INVALID_AUTH': 1,
|
||||||
'NOTIFICATIONS_ADMIN_PING': 2,
|
'NOTIFICATIONS_ADMIN_PING': 2,
|
||||||
'NOTIFICATIONS_HOLE_INACTIVITY_DELETION': 2,
|
'NOTIFICATIONS_HOLE_INACTIVITY_DELETION': 2,
|
||||||
'NOTIFICATIONS_HOLE_CREATION': 2,
|
'NOTIFICATIONS_HOLE_CREATION': 2,
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
from urllib.parse import urlencode
|
from urllib.parse import urlencode
|
||||||
from files.mail import *
|
from files.mail import *
|
||||||
from files.__main__ import app, limiter
|
from files.__main__ import app, get_CF, limiter
|
||||||
from files.helpers.const import *
|
from files.helpers.const import *
|
||||||
from files.helpers.regex import *
|
from files.helpers.regex import *
|
||||||
from files.helpers.actions import *
|
from files.helpers.actions import *
|
||||||
|
@ -74,7 +74,7 @@ def check_for_alts(current:User):
|
||||||
|
|
||||||
|
|
||||||
@app.post("/login")
|
@app.post("/login")
|
||||||
@limiter.limit("1/second;6/minute;200/hour;1000/day")
|
@limiter.limit("1/10 seconds;6/minute;100/hour;500/day")
|
||||||
def login_post():
|
def login_post():
|
||||||
template = ''
|
template = ''
|
||||||
|
|
||||||
|
@ -97,8 +97,8 @@ def login_post():
|
||||||
|
|
||||||
|
|
||||||
if request.values.get("password"):
|
if request.values.get("password"):
|
||||||
|
|
||||||
if not account.verifyPass(request.values.get("password")):
|
if not account.verifyPass(request.values.get("password")):
|
||||||
|
log_failed_admin_login_attempt(account, "password")
|
||||||
time.sleep(random.uniform(0, 2))
|
time.sleep(random.uniform(0, 2))
|
||||||
return render_template("login.html", failed=True)
|
return render_template("login.html", failed=True)
|
||||||
|
|
||||||
|
@ -126,6 +126,7 @@ def login_post():
|
||||||
|
|
||||||
if not account.validate_2fa(request.values.get("2fa_token", "").strip()):
|
if not account.validate_2fa(request.values.get("2fa_token", "").strip()):
|
||||||
hash = generate_hash(f"{account.id}+{now}+2fachallenge")
|
hash = generate_hash(f"{account.id}+{now}+2fachallenge")
|
||||||
|
log_failed_admin_login_attempt(account, "2FA Token")
|
||||||
return render_template("login_2fa.html",
|
return render_template("login_2fa.html",
|
||||||
v=account,
|
v=account,
|
||||||
time=now,
|
time=now,
|
||||||
|
@ -143,6 +144,17 @@ def login_post():
|
||||||
if is_site_url(redir): return redirect(redir)
|
if is_site_url(redir): return redirect(redir)
|
||||||
return redirect('/')
|
return redirect('/')
|
||||||
|
|
||||||
|
def log_failed_admin_login_attempt(account:User, type:str):
|
||||||
|
if not account or account.admin_level < PERMS['SITE_WARN_ON_INVALID_AUTH']: return
|
||||||
|
ip = get_CF()
|
||||||
|
print(f"Admin user from {ip} failed to login to account {account.user_name} (invalid {type})!")
|
||||||
|
try:
|
||||||
|
with open(f"/admin_failed_logins", "r+", encoding="utf-8") as f:
|
||||||
|
t = str(time.strftime("%d/%B/%Y %H:%M:%S UTC", time.gmtime(time.time())))
|
||||||
|
f.write(f"{t}, {ip}, {account.username}, {type}\n")
|
||||||
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
def on_login(account, redir=None):
|
def on_login(account, redir=None):
|
||||||
session["lo_user"] = account.id
|
session["lo_user"] = account.id
|
||||||
session["login_nonce"] = account.login_nonce
|
session["login_nonce"] = account.login_nonce
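Review bot: The new `log_failed_admin_login_attempt` opens `/admin_failed_logins` with mode `"r+"`, which positions at offset 0 and overwrites whatever earlier entries are there instead of appending, and raises FileNotFoundError when the file does not already exist; the bare `except: pass` then hides that, so a failed admin login can go unrecorded with no trace. The function also reads `account.user_name` in the print but `account.username` in the file write; one of those is presumably not an attribute of `User`, and because the print sits outside the `try`, the resulting AttributeError would abort the login request rather than be swallowed. Suggested fix: open with `"a"` so the file is created and appended to, catch `OSError` and at least print it so a broken audit log is noticed, and use a single attribute name (the fence assumes `username`, matching the write; confirm against the model). `type` also shadows the builtin, so a name such as `reason` reads better. The whole function lies within this hunk.
```python
def log_failed_admin_login_attempt(account:User, type:str):
	if not account or account.admin_level < PERMS['SITE_WARN_ON_INVALID_AUTH']: return
	ip = get_CF()
	# TODO confirm the User model attribute is `username` (the original mixed `user_name` and `username`)
	print(f"Admin user from {ip} failed to login to account {account.username} (invalid {type})!")
	try:
		# "a" creates the file if missing and appends; "r+" required it to exist and overwrote from offset 0
		with open("/admin_failed_logins", "a", encoding="utf-8") as f:
			t = time.strftime("%d/%B/%Y %H:%M:%S UTC", time.gmtime())
			f.write(f"{t}, {ip}, {account.username}, {type}\n")
	except OSError as e:
		# an audit record that cannot be written should be visible in the server log, not silently dropped
		print(f"Could not write /admin_failed_logins: {e}")
```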
|
||||||
|
|