aorimn / dokuwiki-tokenbucketauth
DokuWiki plugin to prevent brute force attacks by delaying them
I have an install on Greebo – which I should update – that at some point has stopped sending emails when it blocks an IP address. I can't find a mechanism to test; other emails from the wiki are working, however. Looking at the code the plugin is calling mail_send, which appears to be deprecated from Hogfather – so it will definitely stop working if I upgrade. I can't see why it's not working under Greebo though, as that function is still there?
Grateful for any help to get notified when someone locks themselves out!
Hello,
I get many of the following entries in the "deprecated" logs.
(I'm running Jack Jackrum):
2023-06-19 12:55:53require(admin.php) is deprecated. It was called from require() in /var/www/html/usrnm-dokuwiki/lib/plugins/tokenbucketauth/admin.php:13 Autoloading should be used instead!
It would be great if this could be fixed I guess (I'm not familiar with what these log entries mean, sorry). The plugin still seems to work for now, though.
Best,
-a-
Hi,
I tested the plugin in weatherwax.
I setup the following in configuration settings (admin account):
tba_block_time: 600
tba_nb_attempt: 3
tba_mean_time: 300
If I enter a wrong password 3 times in a row together with a given user name, I then get an email telling me the corresponding IP address is now blocked. However, I can immediately log in successfully if I provide the correct password for that username.
So, to me it seems like the plugin is doing nothing since brute-force attacks could still be successful.
I can provide the list of plugins that I have installed if you think there might be a conflict or something.
Best,
-a-
PS:
I get the same behavior in Binky.
This extension does not work with the latest dokuwiki version. It could be nice to either update it or at least warn users that it will break their install.
Hi :)
I am currently running Greebo and considering upgrading to Hogfather.
Is this plugin compatible with Hogfather?
Thanks
-a-
Hello,
Nice plugin, thank you.
I have found a small problem though. When an IP has never been seen, $ts = $this->users_tracker[$ip];
is NULL, and trying to loop on NULL a few lines later emits an « invalid argument for foreach » warning that I can't prevent at my webhoster.
I could solve this by replacing line 121
foreach($ts as $onets)
with
if($ts) foreach($ts as $onets)
/Schplurtz
Hi again.
I found another issue with tokenbucketauth. This problem only appears after DokuWiki configuration manager is used. tba/action.php expects
$conf['plugin']['tokenbucketauth']['tba_whitelist']
to be an array, but it is not possible to save arrays using DokuWiki configuration manager.
https://www.dokuwiki.org/devel:configuration#configuration_metadata mentions only scalar values: string, boolean, number.
As soon as DW configuration manager is used, DW tries to convert the whitelist default value to a string and fails. This may pass unnoticed though, if one wants to set something else and does not scroll down to tba settings.
The result is that either a default empty value or the user-entered value is stored in dw/conf/local.php as a string, not an array.
When one tries to log in, tba/action.php is really unhappy at line 89, as shown here.
My solution to this problem is to use
'127.0.0.1'
as default value (not array('127.0.0.1')) in tba/conf/default.php, and in tba/action.php: split the string value into an array, and then check if the remote IP is in the array. The line should read: if(in_array($ip, preg_split( '/[\s,]+/', $this->getConf('tba_whitelist'), 0, PREG_SPLIT_NO_EMPTY )))
Here is the patch I successfully used https://gist.github.com/schplurtz/55d6d712514a70562990 to solve this.
regards,
Schplurtz.
Hi,
Maybe I spoke too fast. Here is what I posted on the previous thread AFTER it was closed:
"almost... actually now I have the following problem.
I set the following timing:
IP blocked for 1h if password is wrong 3 times in the last 1h.
Once an IP is banned it cannot access the wiki (for the next 1h).
now if I remove the IP from the list of banned IP, it can still not access the wiki (for the next 1h) even though the credentials are OK...
weird
Best,
-a-
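The reports above touch four behaviours of a login rate limiter that are easy to get wrong: the block must be enforced before the password is checked (otherwise a correct password bypasses an active ban, as in the weatherwax report), the per-IP tracker must tolerate an IP that has never been seen (the NULL foreach warning), the whitelist must be parsed from the scalar string the configuration manager stores (the local.php issue), and an admin unban must clear the failure history as well as the ban itself (the "still cannot access after removal" report). The following is an added illustration written for this page; it is not the tokenbucketauth plugin's code, and the class name, method names and in-memory arrays are assumptions chosen for the example. The configuration values are the ones quoted in the report (tba_block_time 600, tba_nb_attempt 3, tba_mean_time 300).

```php
<?php
// Added illustration, not the tokenbucketauth plugin's own code.
// TokenBucketGuard and its members are names assumed for this example.

final class TokenBucketGuard
{
    /** @var array<string, int[]> timestamps of recent failures per IP (assumed in-memory store) */
    private array $tracker = [];
    /** @var array<string, int> ban expiry timestamp per IP */
    private array $blocked = [];

    public function __construct(
        private int $blockTime,   // tba_block_time: seconds an IP stays blocked
        private int $nbAttempt,   // tba_nb_attempt: failures tolerated inside the window
        private int $meanTime,    // tba_mean_time: length of the window in seconds
        private string $whitelist // tba_whitelist as the config manager stores it: a scalar string
    ) {}

    /** The whitelist is a string in local.php, so split on whitespace or commas before comparing. */
    public function isWhitelisted(string $ip): bool
    {
        $list = preg_split('/[\s,]+/', $this->whitelist, 0, PREG_SPLIT_NO_EMPTY);
        return in_array($ip, $list, true);
    }

    /** An active ban is one whose expiry lies in the future; expired entries are dropped lazily. */
    public function isBlocked(string $ip, int $now): bool
    {
        if (!isset($this->blocked[$ip])) {
            return false;
        }
        if ($this->blocked[$ip] <= $now) {
            unset($this->blocked[$ip]);
            return false;
        }
        return true;
    }

    /** Records a failed login and returns true when this failure triggered a block. */
    public function recordFailure(string $ip, int $now): bool
    {
        // A never-seen IP has no tracker entry; coalesce to [] so foreach never sees NULL.
        $ts = $this->tracker[$ip] ?? [];
        $recent = [];
        foreach ($ts as $t) {
            if ($t > $now - $this->meanTime) {   // keep only failures inside the window
                $recent[] = $t;
            }
        }
        $recent[] = $now;
        $this->tracker[$ip] = $recent;
        if (count($recent) >= $this->nbAttempt) {
            $this->blocked[$ip] = $now + $this->blockTime;
            $this->tracker[$ip] = [];          // start a fresh window once the ban is set
            return true;
        }
        return false;
    }

    /** An admin unban clears the failure history too; otherwise the next failure re-blocks at once. */
    public function unblock(string $ip): void
    {
        unset($this->blocked[$ip], $this->tracker[$ip]);
    }

    /** Login gate: whitelist, then block check, then credentials, so a correct password cannot bypass a ban. */
    public function attemptLogin(string $ip, bool $passwordOk, int $now): bool
    {
        if ($this->isWhitelisted($ip)) {
            return $passwordOk;
        }
        if ($this->isBlocked($ip, $now)) {
            return false;
        }
        if ($passwordOk) {
            unset($this->tracker[$ip]);       // a genuine login clears the failure history
            return true;
        }
        $this->recordFailure($ip, $now);
        return false;
    }
}

// Constructed walk-through using the settings quoted in the report (sample values, not real traffic).
$guard = new TokenBucketGuard(600, 3, 300, "127.0.0.1, 10.0.0.5");
$now = 1_700_000_000;
$ip = '203.0.113.7';
for ($i = 0; $i < 3; $i++) {
    $guard->attemptLogin($ip, false, $now + $i);           // three wrong passwords inside the window
}
var_dump($guard->attemptLogin($ip, true, $now + 10));      // correct password while the block is active
var_dump($guard->attemptLogin($ip, true, $now + 700));     // correct password after tba_block_time has elapsed
$guard->unblock($ip);
var_dump($guard->attemptLogin('10.0.0.5', true, $now));    // whitelisted address is never rate limited
```

The ordering inside attemptLogin is the point: the ban is evaluated before the credential check, so an attacker who guesses the right password on the fourth try is still refused until the block expires, which is the behaviour the weatherwax report says the plugin lacked. The `?? []` coalescing is the same fix Schplurtz describes for the foreach warning, expressed without an extra `if`, and preg_split with PREG_SPLIT_NO_EMPTY is the whitelist parsing from the local.php report.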