config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) { return; } $ipAddress = new IpAddress($ip); if ($this->isBypassListed((string)$ipAddress)) { return; } $this->logger->notice( sprintf( 'Bruteforce attempt from "%s" detected for action "%s".', $ip, $action ), [ 'app' => 'core', ] ); $this->backend->registerAttempt( (string)$ipAddress, $ipAddress->getSubnet(), $this->timeFactory->getTime(), $action, $metadata ); } /** * Check if the IP is whitelisted */ public function isBypassListed(string $ip): bool { if (isset($this->ipIsWhitelisted[$ip])) { return $this->ipIsWhitelisted[$ip]; } if (!$this->config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) { $this->ipIsWhitelisted[$ip] = true; return true; } $keys = $this->config->getAppKeys('bruteForce'); $keys = array_filter($keys, function ($key) { return str_starts_with($key, 'whitelist_'); }); if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) { $type = 4; } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { $type = 6; } else { $this->ipIsWhitelisted[$ip] = false; return false; } $ip = inet_pton($ip); foreach ($keys as $key) { $cidr = $this->config->getAppValue('bruteForce', $key, null); $cx = explode('/', $cidr); $addr = $cx[0]; $mask = (int)$cx[1]; // Do not compare ipv4 to ipv6 if (($type === 4 && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) || ($type === 6 && !filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) { continue; } $addr = inet_pton($addr); $valid = true; for ($i = 0; $i < $mask; $i++) { $part = ord($addr[(int)($i / 8)]); $orig = ord($ip[(int)($i / 8)]); $bitmask = 1 << (7 - ($i % 8)); $part = $part & $bitmask; $orig = $orig & $bitmask; if ($part !== $orig) { $valid = false; break; } } if ($valid === true) { $this->ipIsWhitelisted[$ip] = true; return true; } } $this->ipIsWhitelisted[$ip] = false; return false; } /** * {@inheritDoc} */ public function showBruteforceWarning(string $ip, string $action = ''): bool { $attempts = $this->getAttempts($ip, $action); // 4 failed attempts is the last delay below 5 seconds return $attempts >= 4; } /** * {@inheritDoc} */ public function getAttempts(string $ip, string $action = '', float $maxAgeHours = 12): int { if ($maxAgeHours > 48) { $this->logger->error('Bruteforce has to use less than 48 hours'); $maxAgeHours = 48; } if ($ip === '' || isset($this->hasAttemptsDeleted[$action])) { return 0; } $ipAddress = new IpAddress($ip); if ($this->isBypassListed((string)$ipAddress)) { return 0; } $maxAgeTimestamp = (int)($this->timeFactory->getTime() - 3600 * $maxAgeHours); return $this->backend->getAttempts( $ipAddress->getSubnet(), $maxAgeTimestamp, $action !== '' ? $action : null, ); } /** * {@inheritDoc} */ public function getDelay(string $ip, string $action = ''): int { $attempts = $this->getAttempts($ip, $action); if ($attempts === 0) { return 0; } $firstDelay = 0.1; if ($attempts > $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)) { // Don't ever overflow. Just assume the maxDelay time:s return self::MAX_DELAY_MS; } $delay = $firstDelay * 2 ** $attempts; if ($delay > self::MAX_DELAY) { return self::MAX_DELAY_MS; } return (int)\ceil($delay * 1000); } /** * {@inheritDoc} */ public function resetDelay(string $ip, string $action, array $metadata): void { // No need to log if the bruteforce protection is disabled if (!$this->config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) { return; } $ipAddress = new IpAddress($ip); if ($this->isBypassListed((string)$ipAddress)) { return; } $this->backend->resetAttempts( $ipAddress->getSubnet(), $action, $metadata, ); $this->hasAttemptsDeleted[$action] = true; } /** * {@inheritDoc} */ public function resetDelayForIP(string $ip): void { // No need to log if the bruteforce protection is disabled if (!$this->config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) { return; } $ipAddress = new IpAddress($ip); if ($this->isBypassListed((string)$ipAddress)) { return; } $this->backend->resetAttempts($ipAddress->getSubnet()); } /** * {@inheritDoc} */ public function sleepDelay(string $ip, string $action = ''): int { $delay = $this->getDelay($ip, $action); if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) { usleep($delay * 1000); } return $delay; } /** * {@inheritDoc} */ public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int { $delay = $this->getDelay($ip, $action); if (($delay === self::MAX_DELAY_MS) && $this->getAttempts($ip, $action, 0.5) > $this->config->getSystemValueInt('auth.bruteforce.max-attempts', self::MAX_ATTEMPTS)) { $this->logger->info('IP address blocked because it reached the maximum failed attempts in the last 30 minutes [action: {action}, ip: {ip}]', [ 'action' => $action, 'ip' => $ip, ]); // If the ip made too many attempts within the last 30 mins we don't execute anymore throw new MaxDelayReached('Reached maximum delay'); } if ($delay > 100) { $this->logger->info('IP address throttled because it reached the attempts limit in the last 30 minutes [action: {action}, delay: {delay}, ip: {ip}]', [ 'action' => $action, 'ip' => $ip, 'delay' => $delay, ]); } if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) { usleep($delay * 1000); } return $delay; } }