Skip to content

Commit

Permalink
Merge pull request #2115 from jaapmarcus/feature/reset-pw-f2b
Browse files Browse the repository at this point in the history 
Improve securtity against csfr/bruteforce
  • Loading branch information
@jaapmarcus
jaapmarcus committed Sep 8, 2021
2 parents e4364b7 + 926a9c6 commit 9e37a51
Show file tree
Hide file tree
Showing 8 changed files with 127 additions and 95 deletions.
10 changes: 9 additions & 1 deletion bin/v-log-user-login
View file
Expand Up @@ -8,6 +8,9 @@ ip=$2
status=$3
session_id=$4
user_agent=$5
authlog="${6-no}"
reason="${7}"


active="yes"
if [ "$status" = "failed" ]; then
Expand All @@ -24,7 +27,7 @@ source $HESTIA/conf/hestia.conf
# Verifications #
#----------------------------------------------------------#

check_args '2' "$#" 'USER IP SESSION_ID USER_AGENT'
check_args '2' "$#" 'USER IP SESSION_ID USER_AGENT [AUTHLOG] [REASON]'
is_format_valid 'user' 'ip'
is_object_valid 'user' 'USER' "$user"

Expand All @@ -43,8 +46,13 @@ fi

echo "DATE='$date' TIME='$time' IP='$ip' ACTION='login' STATUS='$status' USER_AGENT='$user_agent' SESSION='$session_id' ACTIVE='$active'" >> $USER_DATA/auth.log

if [ "$authlog" = "yes" ]; then
echo "$date $time $user $ip failed to login ($reason)" >> $HESTIA/log/auth.log
fi

#----------------------------------------------------------#
# Hestia #
#----------------------------------------------------------#

echo "Test" >> $HESTIA/log/system.log
exit
114 changes: 61 additions & 53 deletions web/login/index.php
View file
@@ -1,6 +1,6 @@
<?php

define('NO_AUTH_REQUIRED',true);
define('NO_AUTH_REQUIRED', true);
// Main include
include($_SERVER['DOCUMENT_ROOT'] . '/inc/main.php');

Expand All @@ -27,14 +27,14 @@
} else {
$v_user = escapeshellarg($_GET['loginas']);
$v_impersonator = escapeshellarg($_SESSION['user']);
exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
if ( $return_var == 0 ) {
exec(HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
if ($return_var == 0) {
$data = json_decode(implode('', $output), true);
reset($data);
$_SESSION['look'] = key($data);
// Log impersonation events
exec (HESTIA_CMD . 'v-log-action ' . $v_impersonator . " 'Info' 'Security' 'Logged in as another user (User: $v_user)'", $output, $return_var);
exec (HESTIA_CMD . "v-log-action system 'Warning' 'Security' 'User impersonation session started (User: $v_user, Administrator: $v_impersonator)'", $output, $return_var);
exec(HESTIA_CMD . 'v-log-action ' . $v_impersonator . " 'Info' 'Security' 'Logged in as another user (User: $v_user)'", $output, $return_var);
exec(HESTIA_CMD . "v-log-action system 'Warning' 'Security' 'User impersonation session started (User: $v_user, Administrator: $v_impersonator)'", $output, $return_var);
// Reset account details for File Manager to impersonated user
unset($_SESSION['_sf2_attributes']);
unset($_SESSION['_sf2_meta']);
Expand All @@ -51,14 +51,14 @@
header('Location: /list/user/');
exit;
}

// Obtain account properties
$v_user = escapeshellarg($_SESSION[(($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look']))) ? 'look' : 'user']);

exec (HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
exec(HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
$data = json_decode(implode('', $output), true);
unset($output);
unset($output);

// Determine package features and land user at the first available page
if ($data[$user]['WEB_DOMAINS'] !== '0') {
header('Location: /list/web/');
Expand Down Expand Up @@ -87,40 +87,41 @@
exit;
}

function authenticate_user($user, $password, $twofa = ''){
function authenticate_user($user, $password, $twofa = '')
{
unset($_SESSION['login']);
if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
$v_user = escapeshellarg($user);
$ip = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
if (isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
$v_user = escapeshellarg($user);
$ip = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
$ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
}
}
$v_ip = escapeshellarg($ip);
$v_user_agent = escapeshellarg($user_agent);
$v_ip = escapeshellarg($ip);
$v_user_agent = escapeshellarg($user_agent);

// Get user's salt
$output = '';
exec (HESTIA_CMD . 'v-get-user-salt ' . $v_user . ' ' . $v_ip . ' json' , $output, $return_var);
$pam = json_decode(implode('', $output), true);
if ( $return_var > 0 ) {
sleep(2);
$error = '<a class="error">' . _('Invalid username or password') . '</a>';
return $error;
// Get user's salt
$output = '';
exec(HESTIA_CMD . 'v-get-user-salt ' . $v_user . ' ' . $v_ip . ' json', $output, $return_var);
$pam = json_decode(implode('', $output), true);
if ($return_var > 0) {
sleep(2);
$error = '<a class="error">' . _('Invalid username or password') . '</a>';
return $error;
} else {
$salt = $pam[$user]['SALT'];
$method = $pam[$user]['METHOD'];

if ($method == 'md5' ) {
if ($method == 'md5') {
$hash = crypt($password, '$1$' . $salt . '$');
}
if ($method == 'sha-512' ) {
if ($method == 'sha-512') {
$hash = crypt($password, '$6$rounds=5000$' . $salt . '$');
$hash = str_replace('$rounds=5000', '', $hash);
}
if ($method == 'des' ) {
if ($method == 'des') {
$hash = crypt($password, $salt);
}

Expand All @@ -137,7 +138,7 @@ function authenticate_user($user, $password, $twofa = ''){
// Remove tmp file
unlink($v_hash);
// Check API answer
if ( $return_var > 0 ) {
if ($return_var > 0) {
sleep(2);
$error = '<a class="error">' . _('Invalid username or password') . '</a>';
$v_session_id = escapeshellarg($_POST['token']);
Expand All @@ -146,14 +147,14 @@ function authenticate_user($user, $password, $twofa = ''){
} else {

// Get user specific parameters
exec (HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
exec(HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
$data = json_decode(implode('', $output), true);
unset($output);
unset($output);
if ($data[$user]['LOGIN_DISABLED'] === 'yes') {
sleep(2);
$error = '<a class="error">' . _('Invalid username or password') . '</a>';
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Login disabled for this user"', $output, $return_var);
return $error;
}

Expand All @@ -164,35 +165,43 @@ function authenticate_user($user, $password, $twofa = ''){
sleep(2);
$error = '<a class="error">' . _('Invalid username or password') . '</a>';
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Ip not in allowed list"', $output, $return_var);
return $error;
}
}

if ($data[$user]['TWOFA'] != '') {
exec(HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa, $output, $return_var);
$error = "<a class=\"error\">" . _('Invalid or missing 2FA token') . "</a>";
if(empty($twofa)){
exec(HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa, $output, $return_var);
$error = "<a class=\"error\">" . _('Invalid or missing 2FA token') . "</a>";
if (empty($twofa)) {
$_SESSION['login']['username'] = $user;
$_SESSION['login']['password'] = $password;
return false;
}else{
} else {
$v_twofa = escapeshellarg($twofa);
exec(HESTIA_CMD .'v-check-user-2fa '.$v_user.' '.$v_twofa, $output, $return_var);
unset($output);
if ( $return_var > 0 ) {
if ($return_var > 0) {
sleep(2);
$error = '<a class="error">' ._ ('Invalid or missing 2FA token') . '</a>';
$error = '<a class="error">' ._('Invalid or missing 2FA token') . '</a>';
$_SESSION['login']['username'] = $user;
$_SESSION['login']['password'] = $password;
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD.'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
if (isset($_SESSION['failed_twofa'])) {
//allow a few failed attemps before start of logging.
if ($_SESSION['failed_twofa'] > 2) {
exec(HESTIA_CMD.'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Invalid or missing 2FA token"', $output, $return_var);
}
$_SESSION['failed_twofa']++;
} else {
$_SESSION['failed_twofa'] = 1;
}
unset($_POST['twofa']);
return $error;
}
}
}

// Define session user
$_SESSION['user'] = key($data);
$v_user = $_SESSION['user'];
Expand All @@ -216,10 +225,10 @@ function authenticate_user($user, $password, $twofa = ''){

// Define language
$output = '';
exec (HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
exec(HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
$languages = json_decode(implode('', $output), true);
$_SESSION['language'] = (in_array($data[$v_user]['LANGUAGE'], $languages)) ? $data[$user]['LANGUAGE'] : 'en';

// Regenerate session id to prevent session fixation
session_regenerate_id(true);

Expand All @@ -232,7 +241,7 @@ function authenticate_user($user, $password, $twofa = ''){
if ($_SESSION['userContext'] === 'admin') {
header('Location: /list/user/');
} else {
if($data[$user]['WEB_DOMAINS'] != '0') {
if ($data[$user]['WEB_DOMAINS'] != '0') {
header('Location: /list/web/');
} elseif ($data[$user]['DNS_DOMAINS'] != '0') {
header('Location: /list/dns/');
Expand Down Expand Up @@ -264,10 +273,10 @@ function authenticate_user($user, $password, $twofa = ''){
return false;
}
}
if (preg_match('/^[[:alnum:]][-|\.|_[:alnum:]]{0,28}[[:alnum:]]$/',$_POST['user'])) {
if (preg_match('/^[[:alnum:]][-|\.|_[:alnum:]]{0,28}[[:alnum:]]$/', $_POST['user'])) {
$_SESSION['login']['username'] = $_POST['user'];
}else{
$user = '';
} else {
$user = '';
}
if (!empty($_SESSION['login']['username']) && !empty($_SESSION['login']['password']) && !empty($_POST['twofa'])) {
$error = authenticate_user($_SESSION['login']['username'], $_SESSION['login']['password'], $_POST['twofa']);
Expand All @@ -282,12 +291,12 @@ function authenticate_user($user, $password, $twofa = ''){
// Detect language
if (empty($_SESSION['language'])) {
$output = '';
exec (HESTIA_CMD . 'v-list-sys-config json', $output, $return_var);
exec(HESTIA_CMD . 'v-list-sys-config json', $output, $return_var);
$config = json_decode(implode('', $output), true);
$lang = $config['config']['LANGUAGE'];

$output = '';
exec (HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
exec(HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
$languages = json_decode(implode('', $output), true);
$_SESSION['language'] = (in_array($lang, $languages)) ? $lang : 'en';
}
Expand All @@ -302,7 +311,6 @@ function authenticate_user($user, $password, $twofa = ''){
} elseif (empty($_SESSION['login']['username'])) {
require_once('../templates/pages/login/login' . (($_SESSION['LOGIN_STYLE'] != 'old') ? '' : '_a') . '.html');
} elseif (empty($_POST['password'])) {

require_once('../templates/pages/login/login_1.html');
} else {
require_once('../templates/pages/login/login' . (($_SESSION['LOGIN_STYLE'] != 'old') ? '' : '_a') . '.html');
Expand Down

0 comments on commit 9e37a51

Please sign in to comment.