EOSERV Forum > WebCP > Anti-Brute Force shit fix for WebCP
Page: << 1 >>
Anti-Brute Force shit fix for WebCP
Author Message
Post #199714 Anti-Brute Force shit fix for WebCP

Since there isn't yet an official fix, you can use this quick garbage to correction in your webcp common.php file around line 375. You will also need to add a new table in your server database named "webcp" with the columns "userip, account, lastlogin, attempts". This allows 10 failed login attempts per 5 minutes, but you can change it or pretty it up with custom values in the config.php or whatever. This should reduce a machine code cracking to several months up to a year on any dictionary word password.

$userip=$_SERVER['REMOTE_ADDR'];
   if (!empty($_SERVER['HTTP_CLIENT_IP']))
   {
        $userip = $_SERVER['HTTP_CLIENT_IP'];
   }
   elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
   {
       $userip = $_SERVER['HTTP_X_FORWARDED_FOR'];
   }
$now = time();
$lastlogin = 0;
$count = 0;
$tpl->statusstr = $statusstr;
$loginretry = true;
if (isset($_REQUEST['action']))
{
 switch ($_REQUEST['action'])
 {
  case 'logout':
   unset($sess->username);

  case 'login':
   if (isset($_POST['username'], $_POST['password']))
   {
    $password = hash('sha256',$salt.strtolower($_POST['username']).substr($_POST['password'],0,12));
    $checklogin = $db->SQL("SELECT username FROM accounts WHERE username = '$' AND password = '$'", strtolower($_POST['username']), $password);
    $currentlogin = $db->SQL("SELECT userip, account, lastlogin, attempts FROM webcp WHERE userip = '$' AND account = '$'", $userip, strtolower($_POST['username']));

    $lastlogin = $currentlogin[0]['lastlogin'];
    $count = $currentlogin[0]['attempts'];
    if (($count > 9) and (($lastlogin + 300) > $now))
    {
     $loginretry = false;
    }
    if (empty($currentlogin))
    {
     $db->SQL("INSERT INTO webcp (userip, account, lastlogin, attempts) VALUES ('$', '$', #, #)", $userip, strtolower($_POST['username']), $now, 1);
    }
    if ((empty($checklogin)) or (!$loginretry))
    { 
     $newcount = $count + 1;
     if ($loginretry)
     {
      $tpl->message = "Login failed.";
     }
     if (!$loginretry)
     {
      $tpl->message = "Login failed: Retry limit exceeded. Please try again later.";
     }
     $db->SQL("UPDATE webcp SET lastlogin = #, attempts = # WHERE userip = '$' AND account = '$'", $now, $newcount, $userip, strtolower($_POST['username']));
     break;
    }
    else
    {
     $db->SQL("UPDATE webcp SET lastlogin = #, attempts = # WHERE userip = '$' AND account = '$'", $now, 0, $userip, strtolower($_POST['username']));
     $sess->username = $checklogin[0]['username'];
     $tpl->message = "Logged in.";
    }
   }
   break;
 }
}

3 years, 15 weeks ago
Post #199715 Re: Anti-Brute Force shit fix for WebCP

Also there should be fix to account req packet.....

---
Remember when is not an organization nor a fucking group , it's simply an idea that we believe in
and live for.
The priority of Remember when should come before oxygen , as oxygen is cosmetic even life itself is
cosmetic,that's why offer our worthless lives to The "Remember when"
3 years, 15 weeks ago
Post #199716 Re: Anti-Brute Force shit fix for WebCP

I thought that was clamped via config in the official source, EE handles it slightly differently than EOSERV in that respect.

3 years, 15 weeks ago
Post #199717 Re: Anti-Brute Force shit fix for WebCP

Jesus christ use a pastebin or code tags or something.

BTW this can be bypassed by spoofing a Client-IP or X-Forwarded-For header. You'll have to configure your webserver to drop the headers or take that out.

3 years, 15 weeks ago
Post #199718 Re: Anti-Brute Force shit fix for WebCP
Apollo posted: (6th Apr 2016, 12:23 am)

I thought that was clamped via config in the official source, EE handles it slightly differently than EOSERV in that respect.


I was not speaking about the login packet or the account creation one.
I was speaking about the small packet that you includes only the id of the account you wanna create... i think clone doesn't have any limitation over that.

Edit :  sausage come on hes cleaning your shit.
---
Remember when is not an organization nor a fucking group , it's simply an idea that we believe in
and live for.
The priority of Remember when should come before oxygen , as oxygen is cosmetic even life itself is
cosmetic,that's why offer our worthless lives to The "Remember when"
3 years, 15 weeks ago
Post #199719 Re: Anti-Brute Force shit fix for WebCP

If I devote my day to rate-limiting things will you shut up about "Oh my god I can't make accounts with the same name as other accounts so exploitable"? Even if it was rate limited 100x slower you could still get a list of dictionary account names in only a few months.

3 years, 15 weeks ago
Post #199720 Re: Anti-Brute Force shit fix for WebCP

You never replied but here is the WebCP login rate limiting code being added: http://svn.eoserv.net/webcp?op=comp&compare[]=%2F@506&compare[]=%2F@513

It has been implemented on game.eoserv.net. Please leave my inbox in peace.

3 years, 15 weeks ago
Post #199722 Re: Anti-Brute Force shit fix for WebCP

Nice

3 years, 15 weeks ago
Post #199723 Re: Anti-Brute Force shit fix for WebCP

Heh. I like that IPv6 was thought of. Is anyone's WebCP even accessible via IPv6?

---
Wish upon a star!
3 years, 15 weeks ago
Post #199725 Re: Anti-Brute Force shit fix for WebCP
Plasmastar posted: (6th Apr 2016, 02:40 pm)

Heh. I like that IPv6 was thought of. Is anyone's WebCP even accessible via IPv6?


game.eoserv.net is. Slightly annoying since EO itself doesn't support IPv6, so you can't match up players and web users.
3 years, 15 weeks ago
Page: << 1 >>

EOSERV Forum > WebCP > Anti-Brute Force shit fix for WebCP