Limit the number of login attempts in your CMS [CMS Security]

Nicholas

Just another user:)
Mar 18, 2015
58
9
Hello, I am a certified PHP developer and I have my own brute-force script...
First you must run this SQL code in your phpMyAdmin/Navicat:
Code:
CREATE TABLE `login_attempts` (
  `attempt_number` INT(11) NOT NULL,
  `time` VARCHAR(255) NOT NULL,
  `ip_addr` VARCHAR(255) NOT NULL,
  PRIMARY KEY (`ip_addr`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
In your configuration file, add this line of code:
PHP:
define("MAX_LOGIN_ATTEMPTS", 10); // failed attempts allowed per IP per day; 10 is an example value
// make sure it is a number, not a string:
// 10, not "10"
Now create a file named brute.class.php and put the code below in it:
PHP:
<?php
class brute_force {
    public $db;

    function __construct($db_host, $db_user, $db_pass, $db_name) {
        // mysqli takes the four values as separate arguments,
        // not as one comma-joined string
        $this->db = new mysqli($db_host, $db_user, $db_pass, $db_name);
        if ($this->db->connect_error) {
            throw new RuntimeException("DB connection failed: " . $this->db->connect_error);
        }
    }

    // Today's failed-attempt count for the connecting IP (0 if none today).
    private function getLoginAttempts() {
        $date = date("Y-m-d");
        // REMOTE_ADDR is the TCP peer; behind a reverse proxy that is the
        // proxy's address, so all visitors would share one counter.
        $connecting_ip = $_SERVER["REMOTE_ADDR"] ?? "";
        if ($connecting_ip === "") {
            return PHP_INT_MAX; // nothing to key on: treat as locked
        }
        $lgt = $this->db->prepare("SELECT attempt_number FROM login_attempts WHERE ip_addr = ? AND time = ?");
        $lgt->bind_param("ss", $connecting_ip, $date);
        $lgt->execute();
        $lgt->store_result();
        $attempts = 0;
        if ($lgt->num_rows == 1) {
            $lgt->bind_result($login_attempts_number);
            $lgt->fetch();
            $attempts = intval($login_attempts_number);
        }
        $lgt->close();
        return $attempts;
    }

    // Record one failed attempt for the connecting IP. ip_addr is the primary
    // key, so a row left over from an earlier day is reset to 1 instead of
    // causing a duplicate-key error on a fresh INSERT.
    function insertLoginAttempt() {
        $date = date("Y-m-d");
        $connecting_ip = $_SERVER["REMOTE_ADDR"] ?? "";
        if ($connecting_ip === "") {
            return false;
        }
        $lit = $this->db->prepare(
            "INSERT INTO login_attempts (attempt_number, time, ip_addr) VALUES (1, ?, ?)
             ON DUPLICATE KEY UPDATE
                 attempt_number = IF(time = VALUES(time), attempt_number + 1, 1),
                 time = VALUES(time)"
        );
        $lit->bind_param("ss", $date, $connecting_ip);
        $ok = $lit->execute();
        $lit->close();
        return $ok;
    }

    // True once MAX_LOGIN_ATTEMPTS failures have been recorded today.
    function checkBruteForce() {
        return $this->getLoginAttempts() >= MAX_LOGIN_ATTEMPTS;
    }
}
Then on your login page, include the class and instantiate it with the code below:
PHP:
require_once "path/to/file/brute.class.php";
$brute = new brute_force($database_host, $database_user, $database_pass, $database_name);
Change the variables to your DB connection details, and put that at the top of your page.
Then you can validate it with:
PHP:
if ($brute->checkBruteForce()) {
    // login is locked because of too many attempts; unlocks after a day
} else {
    // run your normal credential check here, and only when it fails:
    $brute->insertLoginAttempt();
    // code if user fails login
}
I hope this helps with your Habbo retro; RevCMS is not secure, so I want to help make retros secure. If you have any problems, contact me on Skype at nenglish0820.
I have an example on a retro called Vox Hotel.

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Ineffective method: if bots were sent to brute-force your site, then the database would hog server resources due to all the requests from the bots. I would recommend storing/comparing the attempts using alternate means.

Nice release though, I guess; after all, it is an improvement for the CMS and may be somewhat helpful to some.

Nicholas

> Ineffective method: if bots were sent to brute-force your site, then the database would hog server resources due to all the requests from the bots. I would recommend storing/comparing the attempts using alternate means.
>
> Nice release though, I guess; after all, it is an improvement for the CMS and may be somewhat helpful to some.
What do you mean by hog server resources?

BIOS

> What do you mean by hog server resources?
Well, let's say someone sent thousands of bots to perform a dictionary attack on your site in hopes of guessing a correct user login. All of those bots would be requesting and updating data stored in the database, meaning your server would require more resources (CPU, RAM, etc.) to be able to keep up with the large number of requests it is receiving; otherwise your server may become very slow, and ultimately the experience of the legitimate users on the site and client would be affected by this.

Nicholas

> Well, let's say someone sent thousands of bots to perform a dictionary attack on your site in hopes of guessing a correct user login. All of those bots would be requesting and updating data stored in the database, meaning your server would require more resources (CPU, RAM, etc.) to be able to keep up with the large number of requests it is receiving; otherwise your server may become very slow, and ultimately the experience of the legitimate users on the site and client would be affected by this.
My brute-force script does not update or insert attempts, etc., if the login is locked.

BIOS

> My brute-force script does not update or insert attempts, etc., if the login is not locked.

It uses two methods that interact with the database, checkBruteForce() and insertLoginAttempt(), which select and update data respectively.

Basically, if a large number of bots were to try to perform a dictionary attack on your site with this setup and your server is unable to process those requests, there's a chance your site and client are going to start lagging or become unavailable to some legitimate users.

Nicholas

> It uses two methods that interact with the database, checkBruteForce() and insertLoginAttempt(), which select and update data respectively.
>
> Basically, if a large number of bots were to try to perform a dictionary attack on your site with this setup and your server is unable to process those requests, there's a chance your site and client are going to start lagging or become unavailable to some legitimate users.
If someone used a bot, after the 10th attempt the insert-login-attempt function does not execute, but the select does. So you do have a point. I am probably going to add reCAPTCHA after the 5th attempt.

BIOS

> If someone used a bot, after the 10th attempt the insert-login-attempt function does not execute, but the select does. So you do have a point. I am probably going to add reCAPTCHA after the 5th attempt.
Yes, but you need to think that if there were a thousand bots attempting to brute-force your site, those "small" 10 attempts each could result in 10,000 possible database requests.
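Added example, not code from the original post or from RevCMS: one way to do what BIOS is suggesting and keep the counters out of MySQL entirely. It is a per-IP throttle for PHP 8 that stores failure counts in APCu when that extension is enabled, and in a plain array otherwise so the file runs on the CLI (the array fallback is per-process, so it only serves the demo). The `LoginThrottle` name, the free-attempt count, the delay base and cap, and the sample address 203.0.113.7 are all my assumptions. The login page calls `retryAfter()` first and answers without any database query while it is non-zero, so the thousand-bots-times-ten-attempts scenario stops costing MySQL anything once each source is backing off; instead of counting up to a fixed daily limit, the lockout doubles with every further failure from the same address.

```php
<?php
// Added example, not code from the original post: a per-IP login throttle
// that keeps its counters in memory so bots are turned away before any
// MySQL query runs. Backing store: APCu if enabled, else a PHP array
// (per-process, demo only). Requires PHP 8.0+.
final class LoginThrottle
{
    /** @var array<string, array{fails:int, until:int}> array fallback for the CLI demo */
    private array $memory = [];

    public function __construct(
        private int $maxFailures = 5,   // failures allowed before backoff starts (assumed)
        private int $baseDelay = 2,     // seconds of lockout on the first excess failure
        private int $maxDelay = 3600,   // cap on the lockout length
        private int $ttl = 86400        // counters expire after a day, like the original table
    ) {
    }

    private function useApcu(): bool
    {
        return function_exists('apcu_enabled') && apcu_enabled();
    }

    /** @return array{fails:int, until:int} */
    private function load(string $ip): array
    {
        $key = 'login_throttle:' . $ip;
        if ($this->useApcu()) {
            $state = apcu_fetch($key, $found);
            return $found ? $state : ['fails' => 0, 'until' => 0];
        }
        return $this->memory[$key] ?? ['fails' => 0, 'until' => 0];
    }

    private function save(string $ip, array $state): void
    {
        $key = 'login_throttle:' . $ip;
        if ($this->useApcu()) {
            apcu_store($key, $state, $this->ttl);
        } else {
            $this->memory[$key] = $state;
        }
    }

    /** Seconds the client must still wait; 0 means a login attempt may proceed. */
    public function retryAfter(string $ip, ?int $now = null): int
    {
        $state = $this->load($ip);
        return max(0, $state['until'] - ($now ?? time()));
    }

    /** Record a failed login; returns the lockout now in force, in seconds. */
    public function recordFailure(string $ip, ?int $now = null): int
    {
        $now ??= time();
        $state = $this->load($ip);
        $state['fails']++;
        $excess = $state['fails'] - $this->maxFailures;
        // 0 while within the free attempts, then baseDelay, 2*baseDelay, 4*baseDelay, ... up to maxDelay
        $delay = $excess <= 0 ? 0 : (int) min($this->maxDelay, $this->baseDelay * 2 ** ($excess - 1));
        $state['until'] = $now + $delay;
        $this->save($ip, $state);
        return $delay;
    }

    /** Forget the counter after a successful login so a genuine user is not locked out later. */
    public function recordSuccess(string $ip): void
    {
        $this->save($ip, ['fails' => 0, 'until' => 0]);
    }
}

// Demo run. The address is a constructed sample (TEST-NET-3); on a real page it
// comes from $_SERVER['REMOTE_ADDR'], which behind a reverse proxy is the proxy's address.
$throttle = new LoginThrottle(maxFailures: 3, baseDelay: 2);
$ip = '203.0.113.7';
$clock = 1_700_000_000;                    // fixed clock so the run is reproducible
for ($attempt = 1; $attempt <= 7; $attempt++) {
    $wait = $throttle->retryAfter($ip, $clock);
    if ($wait > 0) {
        // A real login page answers HTTP 429 here without running a single query.
        echo "attempt $attempt: refused, retry in {$wait}s (no DB access)\n";
        $clock += $wait;                   // pretend the bot waits it out
        continue;
    }
    $delay = $throttle->recordFailure($ip, $clock);   // assume the password check failed
    echo "attempt $attempt: wrong password, lockout now {$delay}s\n";
}
```

Two caveats apply to any per-IP scheme, this one and the original table alike: users behind one NAT or carrier address share a single counter and can lock each other out, and an attacker rotating through proxies gets a fresh counter per address. Keying a second throttle on the account name being attempted (with `recordSuccess()` clearing it on a good login) covers the rotation case, and a reCAPTCHA step as discussed below can sit in front of both.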

Nicholas

> Yes, but you need to think that if there were a thousand bots attempting to brute-force your site, those "small" 10 attempts each could result in 10,000 possible database requests.
Not if I add a reCAPTCHA that does not involve database requests.

Nicholas

> Yeah, if you add reCAPTCHA, then it'd be harder to perform these types of attacks; you probably wouldn't even need this in that case.
But yeah, thanks for the advice; always looking for ways to make a better CMS!