diff --git a/bin/v-change-user-rkey b/bin/v-change-user-rkey
new file mode 100644
index 00000000..6a11eed2
--- /dev/null
+++ b/bin/v-change-user-rkey
@@ -0,0 +1,60 @@
+#!/bin/bash
+# info: change user rkey
+# options: USER
+#
+# The function changes user's RKEY value.
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+if [ "$user" = "root" ]; then
+ check_result $E_FORBIDEN "Changing root password is forbiden"
+fi
+
+check_args '1' "$#" 'USER'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+is_object_unsuspended 'user' 'USER' "$user"
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+hash=$(generate_password)
+d=$(date +%s)
+
+# Changing RKEY value
+update_user_value "$user" '$RKEY' "$hash"
+
+#check if RKEYEXP exists
+if [ -z "$(grep RKEYEXP $USER_DATA/user.conf)" ]; then
+ sed -i "s/^RKEY/RKEYEXP='$d'\nRKEY/g" $USER_DATA/user.conf
+else
+ update_user_value "$user" '$RKEYEXP' "$d"
+fi
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+log_history "changed rkey"
+log_event "$OK" "$ARGUMENTS"
+
+exit
diff --git a/bin/v-log-failed-login b/bin/v-log-failed-login
new file mode 100644
index 00000000..76bfd36a
--- /dev/null
+++ b/bin/v-log-failed-login
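Review bot: The value written as RKEYEXP comes from `d=$(date +%s)`, which is the issue time rather than an expiry, so the 15-minute validity window exists only in the web handler and the key name misleads anyone reading user.conf; a comment on that line such as `# RKEYEXP records when the key was issued; the reset page treats it as stale after 15 minutes` would make the contract visible. The root guard's message `"Changing root password is forbiden"` was copied from the password script and should name the rkey instead. The existence test `grep RKEYEXP $USER_DATA/user.conf` and the insertion pattern `s/^RKEY/...` are both unanchored on the `=`; `grep -q '^RKEYEXP=' $USER_DATA/user.conf` and `s/^RKEY=/RKEYEXP='$d'\nRKEY=/` keep them from matching any future key that merely starts with RKEY. Since `generate_password` now produces a token that authorises a password reset, it is worth confirming that helper draws from a CSPRNG and noting the expected length in the header comment.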
@@ -0,0 +1,31 @@
+#!/bin/bash
+# info: log failed login attempt
+# options: USER [IP]
+#
+# The function log failed login attempt
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+ip=${2-127.0.0.1}
+
+time_n_date=$(date +'%T %F')
+time=$(echo "$time_n_date" |cut -f 1 -d \ )
+date=$(echo "$time_n_date" |cut -f 2 -d \ )
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+exit 0
diff --git a/web/reset/index.php b/web/reset/index.php
index e4a7608f..9a42b2cb 100644
--- a/web/reset/index.php
+++ b/web/reset/index.php
@@ -2,6 +2,7 @@ session_start(); define('NO_AUTH_REQUIRED',true); $TAB = 'RESET PASSWORD'; +$v_ip = $_SERVER['REMOTE_ADDR']; if (isset($_SESSION['user'])) { header("Location: /list/user");
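Review bot: `$user` and `$ip` reach the `echo ... >> $VESTA/log/auth.log` line exactly as received, with none of the `check_args`/`is_format_valid` steps the sibling `v-change-user-rkey` performs, so a username containing a newline writes a forged entry into auth.log. Because failed logins are exactly where malformed names arrive, rejecting them with `is_format_valid` would lose the record; strip control characters instead, e.g. `user=$(printf '%s' "$1" | tr -d '\n\r')` and the same for `ip`. The script also does not source `$VESTA/func/main.sh`, so if `check_args '1' "$#" 'USER [IP]'` is added for the missing-argument case, that include has to come with it.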
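Review bot: `$v_ip` is concatenated into the `v-log-failed-login` exec commands in the later hunks without the `escapeshellarg()` wrapping that `$v_user` gets; REMOTE_ADDR is set by the web server rather than the client, so this is a consistency gap rather than an injection point today, but `$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);` costs nothing and keeps both variables on the same footing. If the panel is ever served behind a reverse proxy, REMOTE_ADDR is presumably the proxy's address and every logged failure carries the same IP; a short comment on this line stating that assumption would help the next reader.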
@@ -11,35 +12,72 @@ if (isset($_SESSION['user'])) { include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); if ((!empty($_POST['user'])) && (empty($_POST['code']))) { + + // Check token + if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) { + die("Wrong token or missing token"); + } + $v_user = escapeshellarg($_POST['user']); $user = $_POST['user']; + $email = $_POST['email']; $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user"; exec ($cmd." ".$v_user." json", $output, $return_var); if ( $return_var == 0 ) { $data = json_decode(implode('', $output), true); - $rkey = $data[$user]['RKEY']; - $fname = $data[$user]['FNAME']; - $lname = $data[$user]['LNAME']; - $contact = $data[$user]['CONTACT']; - $to = $data[$user]['CONTACT']; - $subject = __('MAIL_RESET_SUBJECT',date("Y-m-d H:i:s")); - $hostname = exec('hostname'); - $from = __('MAIL_FROM',$hostname); - if (!empty($fname)) { - $mailtext = __('GREETINGS_GORDON_FREEMAN',$fname,$lname); - } else { - $mailtext = __('GREETINGS'); - } - $mailtext .= __('PASSWORD_RESET_REQUEST',$hostname.":".$_SERVER['SERVER_PORT'],$user,$rkey,$hostname.":".$_SERVER['SERVER_PORT'],$user,$rkey); - if (!empty($rkey)) send_email($to, $subject, $mailtext, $from); unset($output); + exec("/usr/bin/sudo /usr/local/vesta/bin/v-get-user-value ".$v_user." RKEYEXP", $output, $return_var); + $rkeyexp = trim(implode('', $output)); + if (strlen($rkeyexp)>9) $rkeyexp=intval($rkeyexp); + unset($output); + if ($rkeyexp === null || $rkeyexp < time() - 900) { + if ($email == $data[$user]['CONTACT']) { + exec("/usr/bin/sudo /usr/local/vesta/bin/v-change-user-rkey ".$v_user, $output, $return_var); + unset($output); + $CMD="/usr/bin/sudo /usr/local/vesta/bin/v-get-user-value ".$v_user." RKEY"; + exec($CMD, $output, $return_var); + $rkey = trim(implode('', $output)); + //unset($output); + //echo $rkey; exit; + //echo $CMD."\n
"; + //var_dump($rkey); exit; + $fname = $data[$user]['FNAME']; + $lname = $data[$user]['LNAME']; + $contact = $data[$user]['CONTACT']; + $to = $data[$user]['CONTACT']; + $subject = __('MAIL_RESET_SUBJECT',date("Y-m-d H:i:s")); + $hostname = exec('hostname'); + $from = __('MAIL_FROM',$hostname); + if (!empty($fname)) { + $mailtext = __('GREETINGS_GORDON_FREEMAN',$fname,$lname); + } else { + $mailtext = __('GREETINGS'); + } + $mailtext .= __('PASSWORD_RESET_REQUEST',$hostname.":".$_SERVER['SERVER_PORT'],$user,$rkey,$hostname.":".$_SERVER['SERVER_PORT'],$user,$rkey); + if (!empty($rkey)) { + send_email($to, $subject, $mailtext, $from); + header("Location: /reset/?action=code&user=".$_POST['user']); + } + } else { + $ERROR = "".__('User and email not matched').""; + exec("/usr/bin/sudo /usr/local/vesta/bin/v-log-failed-login " . $v_user . " " . $v_ip, $output, $return_var); + } + } else { + $ERROR = "".__('Please wait 15 minutes before sending a new request').""; + } + } else { + $ERROR = "".__('User and email not matched').""; } - - header("Location: /reset/?action=code&user=".$_POST['user']); - exit; + unset($output); } if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['password'])) ) { + + // Check token + if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) { + die("Wrong token or missing token"); + } + if ( $_POST['password'] == $_POST['password_confirm'] ) { $v_user = escapeshellarg($_POST['user']); $user = $_POST['user']; 
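Review bot: The token check added at the top of both POST branches uses loose `!=` and never confirms that `$_SESSION['token']` is set, so a request carrying an empty `token` parameter against a session that has no token yet passes (null compares equal to `''`), as would two numeric-looking strings such as `0e1` and `0e2` if the token generator can emit them; since `hash_equals()` is already used further down this file, write it as `if (!isset($_REQUEST['token'], $_SESSION['token']) || !hash_equals((string)$_SESSION['token'], (string)$_REQUEST['token'])) {` in both places. The `$rkeyexp === null` side of the expiry test is unreachable because `trim(implode('', $output))` always yields a string; a user without RKEYEXP arrives as `''`, which the `<` comparison happens to accept, so either drop the `=== null` or make the intent explicit with `if ($rkeyexp === '' || $rkeyexp < time() - 900)`. The commented-out debugging lines (`//echo $rkey; exit;`, `//var_dump($rkey); exit;`) should be removed before merge. The second `if` block opened in this hunk continues past its end.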
@@ -47,26 +85,42 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass exec ($cmd." ".$v_user." json", $output, $return_var); if ( $return_var == 0 ) { $data = json_decode(implode('', $output), true); + unset($output); $rkey = $data[$user]['RKEY']; if (hash_equals($rkey, $_POST['code'])) { - $v_password = tempnam("/tmp","vst"); - $fp = fopen($v_password, "w"); - fwrite($fp, $_POST['password']."\n"); - fclose($fp); - $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password"; - exec ($cmd." ".$v_user." ".$v_password, $output, $return_var); - unlink($v_password); - if ( $return_var > 0 ) { - $ERROR = "".__('An internal error occurred').""; + unset($output); + exec("/usr/bin/sudo /usr/local/vesta/bin/v-get-user-value ".$v_user." RKEYEXP", $output, $return_var); + $rkeyexp = trim(implode('', $output)); + if (strlen($rkeyexp)>9) $rkeyexp=intval($rkeyexp); + unset($output); + if ($rkeyexp > time() - 900) { + $v_password = tempnam("/tmp","vst"); + $fp = fopen($v_password, "w"); + fwrite($fp, $_POST['password']."\n"); + fclose($fp); + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password"; + exec ($cmd." ".$v_user." ".$v_password, $output, $return_var); + unlink($v_password); + if ( $return_var > 0 ) { + sleep(5); + $ERROR = "".__('An internal error occurred').""; + } else { + $_SESSION['user'] = $_POST['user']; + header("Location: /"); + exit; + } } else { - $_SESSION['user'] = $_POST['user']; - header("Location: /"); - exit; + sleep(5); + $ERROR = "".__('Code has been expired').""; + exec("/usr/bin/sudo /usr/local/vesta/bin/v-log-failed-login " . $v_user . " " . $v_ip, $output, $return_var); } } else { + sleep(5); $ERROR = "".__('Invalid username or code').""; + exec("/usr/bin/sudo /usr/local/vesta/bin/v-log-failed-login " . $v_user . " " . $v_ip, $output, $return_var); } } else { + sleep(5); $ERROR = "".__('Invalid username or code').""; } } else { 
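Review bot: After `v-change-user-password` succeeds the RKEY that authorised the change is left in place, and the first POST branch only issues a new one once the 15-minute window has elapsed, so the same emailed code can be replayed to set the password again for the rest of that window; rotating it on success, e.g. `exec("/usr/bin/sudo /usr/local/vesta/bin/v-change-user-rkey ".$v_user, $output, $return_var);` just before `$_SESSION['user'] = $_POST['user'];`, closes that (it also starts a fresh cooldown, which seems acceptable right after a completed reset). The RKEYEXP read-and-normalise sequence (`exec(... RKEYEXP ...)`, `trim`, the `strlen > 9` intval) now appears verbatim in both branches and belongs in one small helper. `$v_ip` is concatenated into the `v-log-failed-login` command without `escapeshellarg()`, unlike `$v_user` next to it. The enclosing `if` opened in the previous hunk continues past the end of this one.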
diff --git a/web/templates/reset_1.html b/web/templates/reset_1.html index b48f3706..87c9235a 100644 --- a/web/templates/reset_1.html +++ b/web/templates/reset_1.html @@ -5,13 +5,14 @@
- Vesta Control Panel + myVesta Control Panel
@@ -25,9 +26,19 @@ + + + + + + @@ -39,7 +50,7 @@ diff --git a/web/templates/reset_2.html b/web/templates/reset_2.html index 58c3b94f..94fd9fea 100644 --- a/web/templates/reset_2.html +++ b/web/templates/reset_2.html @@ -5,13 +5,14 @@
- Vesta Control Panel + myVesta Control Panel @@ -39,7 +40,7 @@ diff --git a/web/templates/reset_3.html b/web/templates/reset_3.html index 0cc54bda..3d5ebb9d 100644 --- a/web/templates/reset_3.html +++ b/web/templates/reset_3.html @@ -5,7 +5,7 @@ @@ -47,7 +48,7 @@
- Vesta Control Panel + myVesta Control Panel @@ -15,6 +15,7 @@ +