github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-07-06 04:51:54 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Preventing brute-force reseting password

Browse source
This commit is contained in:
myvesta 2022-04-25 21:13:46 +02:00 committed by GitHub
parent add252bbd7
commit 547d5f0c5b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 195 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

60
bin/v-change-user-rkey Normal file
View file

@ -0,0 +1,60 @@
#!/bin/bash
# info: change user rkey
# options: USER
#
# The function changes user's RKEY value.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
if [ "$user" = "root" ]; then
check_result $E_FORBIDEN "Changing root password is forbiden"
fi
check_args '1' "$#" 'USER'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
hash=$(generate_password)
d=$(date +%s)
# Changing RKEY value
update_user_value "$user" '$RKEY' "$hash"
#check if RKEYEXP exists
if [ -z "$(grep RKEYEXP $USER_DATA/user.conf)" ]; then
sed -i "s/^RKEY/RKEYEXP='$d'\nRKEY/g" $USER_DATA/user.conf
else
update_user_value "$user" '$RKEYEXP' "$d"
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_history "changed rkey"
log_event "$OK" "$ARGUMENTS"
exit

31
bin/v-log-failed-login Normal file
View file

@ -0,0 +1,31 @@
#!/bin/bash
# info: log failed login attempt
# options: USER [IP]
#
# The function log failed login attempt
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument definition
user=$1
ip=${2-127.0.0.1}
time_n_date=$(date +'%T %F')
time=$(echo "$time_n_date" |cut -f 1 -d \ )
date=$(echo "$time_n_date" |cut -f 2 -d \ )
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit 0

68
web/reset/index.php
View file

@ -2,6 +2,7 @@
session_start();
define('NO_AUTH_REQUIRED',true);
$TAB = 'RESET PASSWORD';
$v_ip = $_SERVER['REMOTE_ADDR'];
if (isset($_SESSION['user'])) {
header("Location: /list/user");
@ -11,13 +12,35 @@ if (isset($_SESSION['user'])) {
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
// Check token
if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
die("Wrong token or missing token");
}
$v_user = escapeshellarg($_POST['user']);
$user = $_POST['user'];
$email = $_POST['email'];
$cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
exec ($cmd." ".$v_user." json", $output, $return_var);
if ( $return_var == 0 ) {
$data = json_decode(implode('', $output), true);
$rkey = $data[$user]['RKEY'];
unset($output);
exec("/usr/bin/sudo /usr/local/vesta/bin/v-get-user-value ".$v_user." RKEYEXP", $output, $return_var);
$rkeyexp = trim(implode('', $output));
if (strlen($rkeyexp)>9) $rkeyexp=intval($rkeyexp);
unset($output);
if ($rkeyexp === null || $rkeyexp < time() - 900) {
if ($email == $data[$user]['CONTACT']) {
exec("/usr/bin/sudo /usr/local/vesta/bin/v-change-user-rkey ".$v_user, $output, $return_var);
unset($output);
$CMD="/usr/bin/sudo /usr/local/vesta/bin/v-get-user-value ".$v_user." RKEY";
exec($CMD, $output, $return_var);
$rkey = trim(implode('', $output));
//unset($output);
//echo $rkey; exit;
//echo $CMD."\n<br />";
//var_dump($rkey); exit;
$fname = $data[$user]['FNAME'];
$lname = $data[$user]['LNAME'];
$contact = $data[$user]['CONTACT'];
@ -31,15 +54,30 @@ if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
$mailtext = __('GREETINGS');
}
$mailtext .= __('PASSWORD_RESET_REQUEST',$hostname.":".$_SERVER['SERVER_PORT'],$user,$rkey,$hostname.":".$_SERVER['SERVER_PORT'],$user,$rkey);
if (!empty($rkey)) send_email($to, $subject, $mailtext, $from);
unset($output);
}
if (!empty($rkey)) {
send_email($to, $subject, $mailtext, $from);
header("Location: /reset/?action=code&user=".$_POST['user']);
exit;
}
} else {
$ERROR = "<a class=\"error\">".__('User and email not matched')."</a>";
exec("/usr/bin/sudo /usr/local/vesta/bin/v-log-failed-login " . $v_user . " " . $v_ip, $output, $return_var);
}
} else {
$ERROR = "<a class=\"error\">".__('Please wait 15 minutes before sending a new request')."</a>";
}
} else {
$ERROR = "<a class=\"error\">".__('User and email not matched')."</a>";
}
unset($output);
}
if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['password'])) ) {
// Check token
if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
die("Wrong token or missing token");
}
if ( $_POST['password'] == $_POST['password_confirm'] ) {
$v_user = escapeshellarg($_POST['user']);
$user = $_POST['user'];
@ -47,8 +85,15 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
exec ($cmd." ".$v_user." json", $output, $return_var);
if ( $return_var == 0 ) {
$data = json_decode(implode('', $output), true);
unset($output);
$rkey = $data[$user]['RKEY'];
if (hash_equals($rkey, $_POST['code'])) {
unset($output);
exec("/usr/bin/sudo /usr/local/vesta/bin/v-get-user-value ".$v_user." RKEYEXP", $output, $return_var);
$rkeyexp = trim(implode('', $output));
if (strlen($rkeyexp)>9) $rkeyexp=intval($rkeyexp);
unset($output);
if ($rkeyexp > time() - 900) {
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
@ -57,6 +102,7 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
exec ($cmd." ".$v_user." ".$v_password, $output, $return_var);
unlink($v_password);
if ( $return_var > 0 ) {
sleep(5);
$ERROR = "<a class=\"error\">".__('An internal error occurred')."</a>";
} else {
$_SESSION['user'] = $_POST['user'];
@ -64,9 +110,17 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
exit;
}
} else {
$ERROR = "<a class=\"error\">".__('Invalid username or code')."</a>";
sleep(5);
$ERROR = "<a class=\"error\">".__('Code has been expired')."</a>";
exec("/usr/bin/sudo /usr/local/vesta/bin/v-log-failed-login " . $v_user . " " . $v_ip, $output, $return_var);
}
} else {
sleep(5);
$ERROR = "<a class=\"error\">".__('Invalid username or code')."</a>";
exec("/usr/bin/sudo /usr/local/vesta/bin/v-log-failed-login " . $v_user . " " . $v_ip, $output, $return_var);
}
} else {
sleep(5);
$ERROR = "<a class=\"error\">".__('Invalid username or code')."</a>";
}
} else {

17
web/templates/reset_1.html
View file

@ -5,13 +5,14 @@
<table>
<tr>
<td style="padding: 0 10px 0 42px; height: 280px; width: 170px;">
<a href="/"><img border=0 src="/images/logo.png" width="124px" height="46px" alt="Vesta Control Panel" /></a>
<a href="/"><img border=0 src="/images/vesta_logo.png" alt="myVesta Control Panel" /></a>
</td>
<td style="padding: 10px 0 0 0;">
<form method="post" action="/reset/">
<table class="login-box">
<tr>
<td style="padding: 12px 0 0 2px;">
<input type="hidden" name="token" value="<?=$_SESSION['token'];?>"/>
<?php print __('RESET_NOTICE');?>
</td>
</tr>
@ -25,9 +26,19 @@
<input tabindex="1" type="text" size="20px" style="width:240px" name="user" class="vst-input">
</td>
</tr>
<tr>
<td style="padding: 12px 0 0 2px;">
<?php print __('Email');?>
</td>
</tr>
<tr>
<td>
<input tabindex="2" type="text" size="20px" style="width:240px" name="email" class="vst-input">
</td>
</tr>
<tr>
<td style="padding: 20px 0 12px 0;">
<input tabindex="2" type="submit" value="<?php print __('Submit');?>" class="button">
<input tabindex="3" type="submit" value="<?php print __('Submit');?>" class="button">
<input type="button" class="button cancel" value="<?php print __('Back');?>" onclick="location.href='/login/'">
</td>
</tr>
@ -39,7 +50,7 @@
<td colspan=2>
<div class="login-bottom">
<div style="height:20px"><?php if (isset($ERROR)) echo $ERROR ?></div>
<a class="vestacp" href="http://vestacp.com" >vestacp.com</a>
<a class="vestacp" href="https://www.myvestacp.com/">myvestacp.com</a>
</div>
</td>
</tr>

5
web/templates/reset_2.html
View file

@ -5,13 +5,14 @@
<table>
<tr>
<td style="padding: 0 10px 0 42px; height: 280px; width: 170px;">
<a href="/"><img border=0 src="/images/logo.png" width="124px" height="46px" alt="Vesta Control Panel" /></a>
<a href="/"><img border=0 src="/images/vesta_logo.png" alt="myVesta Control Panel" /></a>
</td>
<td style="padding: 30px 0 0 0;">
<form method="get" action="/reset/" >
<table class="login-box">
<tr>
<td style="padding: 12px 0 0 2px;">
<input type="hidden" name="token" value="<?=$_SESSION['token'];?>"/>
<?php print __('RESET_CODE_SENT');?>
</td>
</tr>
@ -39,7 +40,7 @@
<td colspan=2>
<div class="login-bottom">
<div style="height:20px"><?php if (isset($ERROR)) echo $ERROR ?></div>
<a class="vestacp" href="http://vestacp.com" >vestacp.com</a>
<a class="vestacp" href="https://www.myvestacp.com/">myvestacp.com</a>
</div>
</td>
</tr>

5
web/templates/reset_3.html
View file

@ -5,7 +5,7 @@
<table>
<tr>
<td style="padding: 0 10px 0 42px; height: 280px; width: 170px;">
<a href="/"><img border=0 src="/images/logo.png" width="124px" height="46px" alt="Vesta Control Panel" /></a>
<a href="/"><img border=0 src="/images/vesta_logo.png" alt="myVesta Control Panel" /></a>
</td>
<td style="padding: 10px 0 0 0;">
<form method="post">
@ -15,6 +15,7 @@
<input type="hidden" name="action" value="confirm" >
<input type="hidden" name="user" value="<?=htmlentities($_GET['user'], ENT_QUOTES|ENT_HTML5)?>" >
<input type="hidden" name="code" value="<?=htmlentities($_GET['code'], ENT_QUOTES|ENT_HTML5)?>" >
<input type="hidden" name="token" value="<?=$_SESSION['token'];?>"/>
<?php print __('New Password');?>
</td>
</tr>
@ -47,7 +48,7 @@
<td colspan=2>
<div class="login-bottom">
<div style="height:20px"><?php if (isset($ERROR)) echo $ERROR ?></div>
<a class="vestacp" href="http://vestacp.com" >vestacp.com</a>
<a class="vestacp" href="https://www.myvestacp.com/">myvestacp.com</a>
</div>
</td>
</tr>