diff options
| author | Morris Jobke <hey@morrisjobke.de> | 2020-05-25 15:04:18 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-05-25 15:04:18 +0300 |
| commit | e57bca31adc9a2591357825fa7042596fcb51f7d (patch) | |
| tree | e7880a8fa58482fcfb07c104a5bf85de96b9cb8a | |
| parent | cbde1d102c06f44d9b4f84cb3d72f9fbf0a3beb5 (diff) | |
| parent | bd997a105cc582180bb36dad3ca8ffce25fc9e34 (diff) | |
Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip
Implement occ command to reset bruteforce attemps from a given IP address
| -rw-r--r-- | core/Command/Security/ResetBruteforceAttempts.php | 62 | ||||
| -rw-r--r-- | core/register_command.php | 1 | ||||
| -rw-r--r-- | lib/composer/composer/autoload_classmap.php | 1 | ||||
| -rw-r--r-- | lib/composer/composer/autoload_static.php | 1 | ||||
| -rw-r--r-- | lib/private/Security/Bruteforce/Throttler.php | 35 |
5 files changed, 94 insertions, 6 deletions
diff --git a/core/Command/Security/ResetBruteforceAttempts.php b/core/Command/Security/ResetBruteforceAttempts.php new file mode 100644 index 00000000000..dcb827f8ddb --- /dev/null +++ b/core/Command/Security/ResetBruteforceAttempts.php @@ -0,0 +1,62 @@ +<?php +/** + * @copyright Copyright (c) 2020, Johannes Riedel (johannes@johannes-riedel.de) + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + + +namespace OC\Core\Command\Security; + +use OC\Core\Command\Base; +use OC\Security\Bruteforce\Throttler; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class ResetBruteforceAttempts extends Base { + + /** @var Throttler */ + protected $throttler; + + public function __construct(Throttler $throttler) { + $this->throttler = $throttler; + parent::__construct(); + } + + protected function configure() { + $this + ->setName('security:bruteforce:reset') + ->setDescription('resets bruteforce attemps for given IP address') + ->addArgument( + 'ipaddress', + InputArgument::REQUIRED, + 'IP address for which the attempts are to be reset' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output) { + $ip = $input->getArgument('ipaddress'); + + if (!filter_var($ip, FILTER_VALIDATE_IP)) { + $output->writeln('<error>"' . $ip . '" is not a valid IP address</error>'); + return 1; + } + + $this->throttler->resetDelayForIP($ip); + } +} diff --git a/core/register_command.php b/core/register_command.php index e355d1429c1..d818423d1ab 100644 --- a/core/register_command.php +++ b/core/register_command.php @@ -175,6 +175,7 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) { $application->add(new OC\Core\Command\Security\ListCertificates(\OC::$server->getCertificateManager(null), \OC::$server->getL10N('core'))); $application->add(new OC\Core\Command\Security\ImportCertificate(\OC::$server->getCertificateManager(null))); $application->add(new OC\Core\Command\Security\RemoveCertificate(\OC::$server->getCertificateManager(null))); + $application->add(new OC\Core\Command\Security\ResetBruteforceAttempts(\OC::$server->getBruteForceThrottler())); } else { $application->add(new OC\Core\Command\Maintenance\Install(\OC::$server->getSystemConfig())); } diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php index c7b966fd595..2c701643c17 100644 --- a/lib/composer/composer/autoload_classmap.php +++ b/lib/composer/composer/autoload_classmap.php @@ -789,6 +789,7 @@ return array( 'OC\\Core\\Command\\Security\\ImportCertificate' => $baseDir . '/core/Command/Security/ImportCertificate.php', 'OC\\Core\\Command\\Security\\ListCertificates' => $baseDir . '/core/Command/Security/ListCertificates.php', 'OC\\Core\\Command\\Security\\RemoveCertificate' => $baseDir . '/core/Command/Security/RemoveCertificate.php', + 'OC\\Core\\Command\\Security\\ResetBruteforceAttempts' => $baseDir . '/core/Command/Security/ResetBruteforceAttempts.php', 'OC\\Core\\Command\\Status' => $baseDir . '/core/Command/Status.php', 'OC\\Core\\Command\\TwoFactorAuth\\Base' => $baseDir . '/core/Command/TwoFactorAuth/Base.php', 'OC\\Core\\Command\\TwoFactorAuth\\Cleanup' => $baseDir . '/core/Command/TwoFactorAuth/Cleanup.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index 8212d3dafc3..3046aea4a95 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php @@ -818,6 +818,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OC\\Core\\Command\\Security\\ImportCertificate' => __DIR__ . '/../../..' . '/core/Command/Security/ImportCertificate.php', 'OC\\Core\\Command\\Security\\ListCertificates' => __DIR__ . '/../../..' . '/core/Command/Security/ListCertificates.php', 'OC\\Core\\Command\\Security\\RemoveCertificate' => __DIR__ . '/../../..' . '/core/Command/Security/RemoveCertificate.php', + 'OC\\Core\\Command\\Security\\ResetBruteforceAttempts' => __DIR__ . '/../../..' . '/core/Command/Security/ResetBruteforceAttempts.php', 'OC\\Core\\Command\\Status' => __DIR__ . '/../../..' . '/core/Command/Status.php', 'OC\\Core\\Command\\TwoFactorAuth\\Base' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Base.php', 'OC\\Core\\Command\\TwoFactorAuth\\Cleanup' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Cleanup.php', diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php index 1bece6a05d5..63c6361b9ce 100644 --- a/lib/private/Security/Bruteforce/Throttler.php +++ b/lib/private/Security/Bruteforce/Throttler.php @@ -90,6 +90,17 @@ class Throttler { } /** + * Calculate the cut off timestamp + * + * @return int + */ + private function getCutoffTimestamp(): int { + return (new \DateTime()) + ->sub($this->getCutoff(43200)) + ->getTimestamp(); + } + + /** * Register a failed attempt to bruteforce a security control * * @param string $action @@ -212,9 +223,7 @@ class Throttler { return 0; } - $cutoffTime = (new \DateTime()) - ->sub($this->getCutoff(43200)) - ->getTimestamp(); + $cutoffTime = $this->getCutoffTimestamp(); $qb = $this->db->getQueryBuilder(); $qb->select('*') @@ -259,9 +268,7 @@ class Throttler { return; } - $cutoffTime = (new \DateTime()) - ->sub($this->getCutoff(43200)) - ->getTimestamp(); + $cutoffTime = $this->getCutoffTimestamp(); $qb = $this->db->getQueryBuilder(); $qb->delete('bruteforce_attempts') @@ -274,6 +281,22 @@ class Throttler { } /** + * Reset the throttling delay for an IP address + * + * @param string $ip + */ + public function resetDelayForIP($ip) { + $cutoffTime = $this->getCutoffTimestamp(); + + $qb = $this->db->getQueryBuilder(); + $qb->delete('bruteforce_attempts') + ->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime))) + ->andWhere($qb->expr()->eq('ip', $qb->createNamedParameter($ip))); + + $qb->execute(); + } + + /** * Will sleep for the defined amount of time * * @param string $ip |