Description
This class can be used to limit the number of times a user fails to log in.
It keeps track, in a MySQL database, of the number of times a user at a given IP address fails a login attempt.
When the number of failed login attempts exceeds a given limit, the class sets a cookie that is used to treat the user as blocked until the cookie expires.
Example
<?php
// Example of a simple login using LogLimiter.
// We will see how LogLimiter can help us avoid brute-force attacks.

// Setting the configuration
$attempts = 5; // Max attempts before blocking
$delay = 10;   // Time of blocking (minutes)
$elapse = 10;  // Time after which attempt counting restarts (minutes)

// Connecting to database
// Note: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7;
// on current PHP use mysqli or PDO and pass the resulting handle to the class.
$db = @mysql_connect('db_host', 'db_user', 'db_password');
if (!$db) die("Sorry Buzz, there's a problem: " . mysql_errno() . ": " . mysql_error());
if (!@mysql_select_db('db_name', $db)) die("Sorry Buzz, there's a problem: " . mysql_errno() . ": " . mysql_error());

// Login data:
$login_u = "buzzlightyear"; // Username
$login_p = "zurgdaddy";     // Password (a real application stores and compares a password hash instead)
// OT: It would be a great login for Buzz, wouldn't it? ;)

// Including LogLimiter class file
include_once "loglimiter.class.php";

// Getting an instance of LogLimiter
$LL = new LogLimiter($db, $attempts, $delay, $elapse);

if (isset($_POST['user'])) {
    // First of all, sanitize your input data!
    $user = strip_tags(trim($_POST['user']));
    $pwd = strip_tags(trim($_POST['pwd']));
    // This is not good sanitizing if you have to do SQL queries!
    // Use something like mysql_real_escape_string(strip_tags(trim($string))) if you have to!

    if ($LL->dbBlock()) { // $LL->dbBlock() returns TRUE if this IP has reached the max number of attempts.
        $LL->ckGen(); // Generate the block cookie. Don't trust it: deleting a cookie is simple for everyone.
        die("Sorry, but we are not enjoyed by your bruteforce attempt, damned Zurg!"); // Are you scared, my dear b14ck h4t h4x0r? :P
        // If you want to be a bastard, you can delete the die() statement and put a sleep(many_many_seconds) statement here.
        // The brute-force script will be frozen for many_many_seconds.. Poor b14ck h4t h4x0r. :'(
    }

    if (($user === $login_u) && ($pwd === $login_p)) { // If the login data are right..
        $LL->login(); // $LL->login() cleans the database table db_ip of the failed attempts of this IP address.
        echo "Welcome Buzz. Enjoyed your holidays with your dear daddy? :P";
    }
    else {
        $LL->fail(); // $LL->fail() logs the failed attempt of this IP address, and blocks and logs the cracking attempt if the max attempt number is reached.
        // A log viewer is not included in LogLimiter yet (and probably never will be): write it yourself in your own control panel!
        echo "Wrong username/password, Buzz.. Did your daddy annoy you so much that you forgot your credentials? :P";
    }
}
else { // Print the login form.
    echo "<html>\n<head>\n<title>Space Ranges HQ</title>\n</head>\n<body>\n";
    // $LL->ckBlock() works like $LL->dbBlock(). It checks the block cookie. If there's a block cookie, it returns TRUE.
    // $delay is the block time configured above (the original read an undefined $config["delay"]).
    if ($LL->ckBlock()) echo "Sorry, you reached the max login attempts. Wait for " . $delay . " minutes and try again.";
    else {
        echo '<form name="login" method="post">';
        echo 'Username: <input type="text" name="user" value="" /><br />';
        echo 'Password: <input type="password" name="pwd" value="" /><br />';
        echo '<input type="submit" value="Login" /></form>';
    }
    echo "</body>\n</html>"; // closing tags (the original emitted opening tags here)
}
?>
Details
== LogLimiter
== A PHP class for preventing login-attempt abuse.
= What is LogLimiter
LogLimiter implements an easy way to limit the login attempts from a user
in a time period, to prevent things like brute-force attacks.
= Using LogLimiter
LogLimiter usage is simple. It is explained in the example file; moreover,
the class file is heavily commented.
The only thing you need to do is to create the MySQL tables of LogLimiter
(use the tables.sql dump file).
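What the description's mechanism (count failed logins per IP in a database, block once the limit is reached, clear on success) and the dbBlock()/fail()/login() calls in the example need underneath, as an added example that is not LogLimiter's own code: neither the class file nor tables.sql is reproduced on this page. The class name FailedLoginLimiter, its method names, and the login_failures table with its columns are assumptions made for this example. It uses PDO with prepared statements, so the IP value never reaches the query text unescaped, and an in-memory SQLite database so it runs stand-alone on PHP 7.4 or later; for MySQL only the DSN changes.

```php
<?php
// Added example, not LogLimiter's own code. Table layout and class/method names are
// assumptions for this example; LogLimiter's real tables.sql is not on this page.
// Runs stand-alone with an in-memory SQLite database; swap the DSN for MySQL.

class FailedLoginLimiter
{
    private PDO $db;
    private int $attempts; // failures allowed within the window before a block
    private int $delay;    // block length, minutes
    private int $elapse;   // counting window, minutes

    public function __construct(PDO $db, int $attempts = 5, int $delay = 10, int $elapse = 10)
    {
        $this->db = $db;
        $this->attempts = $attempts;
        $this->delay = $delay;
        $this->elapse = $elapse;
        // Assumed schema: one row per failed attempt; a block is derived from the
        // rows, not stored, so it cannot drift out of sync with the counter.
        $this->db->exec("CREATE TABLE IF NOT EXISTS login_failures (
            ip TEXT NOT NULL,
            failed_at INTEGER NOT NULL
        )");
    }

    // Counterpart of dbBlock(): true while this IP is inside a block.
    // $now is injectable so the behaviour can be exercised without waiting.
    public function isBlocked(string $ip, ?int $now = null): bool
    {
        $now = $now ?? time();
        $windowStart = $now - $this->elapse * 60;
        $stmt = $this->db->prepare(
            "SELECT COUNT(*) AS n, MAX(failed_at) AS last FROM login_failures
             WHERE ip = :ip AND failed_at >= :since");
        $stmt->execute([':ip' => $ip, ':since' => $windowStart]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ((int)$row['n'] < $this->attempts) {
            return false; // under the limit: failures older than the window no longer count
        }
        // Limit reached: the block lasts $delay minutes from the most recent failure.
        return $now < (int)$row['last'] + $this->delay * 60;
    }

    // Counterpart of fail(): record one failed attempt for this IP.
    public function recordFailure(string $ip, ?int $now = null): void
    {
        $stmt = $this->db->prepare(
            "INSERT INTO login_failures (ip, failed_at) VALUES (:ip, :at)");
        $stmt->execute([':ip' => $ip, ':at' => $now ?? time()]);
    }

    // Counterpart of login(): a successful login clears this IP's counter.
    public function recordSuccess(string $ip): void
    {
        $stmt = $this->db->prepare("DELETE FROM login_failures WHERE ip = :ip");
        $stmt->execute([':ip' => $ip]);
    }
}

// Stand-alone walk-through with a constructed client address and fixed clock.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$limiter = new FailedLoginLimiter($db, 5, 10, 10);
$ip = '203.0.113.7'; // documentation address, constructed for this example
$t0 = 1700000000;    // arbitrary fixed epoch second

for ($i = 0; $i < 5; $i++) {
    $limiter->recordFailure($ip, $t0 + $i); // five failures a second apart
}
var_dump($limiter->isBlocked($ip, $t0 + 5));       // just after the fifth failure
var_dump($limiter->isBlocked($ip, $t0 + 11 * 60)); // eleven minutes later, past both block and window
$limiter->recordSuccess($ip);
var_dump($limiter->isBlocked($ip, $t0 + 5));       // same instant as the first check, counter now cleared
```

Rows accumulate one per failure, so prune rows older than the counting window from a cron job or at the start of recordFailure(). Take the IP from $_SERVER['REMOTE_ADDR'], not from an X-Forwarded-For header, unless the application sits behind a proxy you control that sets it; and remember that a per-IP block also hits every other user behind the same NAT address. The block cookie the original example sets with ckGen() is only a convenience for the client, as its own comment says; the database check is the one to rely on.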
= LogLimiter License
LogLimiter has no license. Simply do what you want.
I just enjoyed coding Token; I don't care about it.
= Author contacts
Website: http://sydarex.org
Email: sydarex@gmail.com
= Notes
This is, in fact, a re-release of LogLimiter; I had already released it
some time ago.
The only difference is the license change.