2.1.3releasedAnti Brute Force

Secure your Symphony backend against brute force and dictionary attacks

Clone URLhttps://github.com/Solutions-Nitriques/anti_brute_force.git

Add as a submodulegit submodule add https://github.com/Solutions-Nitriques/anti_brute_force.git extensions/anti_brute_force --recursive

Compatibility

2.x.x2.1.x2.2.x2.3.x2.4.x2.5.x2.6.x2.7.02.7.12.7.22.7.32.7.42.7.52.7.62.7.72.7.82.7.92.7.10
NoNo1.11.3.52.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.32.1.3

Readme

Anti Brute Force

Secure your Symphony backend against brute force and dictionary attacks

Prevents people and softwares to brute force your authors/developers accounts.

SPECS

  • After x failed attempt, the IP address will be banned for y min;
    x and y are settings in the preferences page
  • Features colored list: Black list, Gray list, White list.
  • Features a unban via email capabilities; Must be enabled in the preferences page
  • Backend content page for managing blocked IPs and colored lists
  • A Facade/Singleton class -ABF- for developers to leverage antibruteforce capabilities (ex.: email reports or use with the member extension)

NOTES ABOUT PROXIES

If you are using Symphony on a server that sits behind a proxy, it will always track 127.0.0.1 (or your proxy's IP) as remote address, simply because PHP doesn't see anything else in $_SERVER['REMOTE_ADDR']. In order to fix this, please set the 'remote-addr-key' setting to the field set by your proxy in order to let ABF access the real user IP. You can also set this value in Symphony's settings backend page.

Most proxies will set the 'HTTPXFORWARDED_FOR' field with the respective user's IP but some other provider (such as CloudFlare) will create a custom field. Your best bet would be to do some actual penetration testing to be sure ABF works properly.

REQUIREMENTS

  • Symphony CMS version 2.4 and up (as of the day of the last release of this extension)

INSTALLATION

  • git clone / download and unpack the tarball file
  • (re)Name the folder antibruteforce
  • Put into the extension directory
  • Enable/install just like any other extension (@see http://getsymphony.com/learn/tasks/view/install-an-extension/)
  • (optional) Go to the Preferences page to customize settings
    • Maximum failed count before user gets banned
    • Banned duration - number of minutes IP is banned
    • Gray list threshold - maximum number of gray list entries before black list
    • Gray list duration - in days - before expire
    • Unban via email - Enables/disable this feature
    • Restrict access from authors - Hide/Show ABF content page to Authors
    • Remote IP address field name - The getenv() field to look for the client's IP.
  • (optional) See all the banned IPs via Anti Brute Force -> Banned IPs
  • (optional) Manage colored lists entries via Anti Brute Force -> Black/Gray/White list

UPDATING

Updating from >= 1.3 is safe. Click here for older releases.

LICENSE

MIT

Made in Montréal with love by Deux Huit Huit

Version history

Symphony 2.4 to 2.x.x

  • Purge opcache upon install, since Symphony 2.4+ does not do it

Symphony 2.4 to 2.x.x

  • Fix SQL injection in lists

Symphony 2.4 to 2.x.x

  • Sanitize user provided value in form

Symphony 2.4 to 2.x.x

  • Sanitize Widget's values

Symphony 2.4 to 2.x.x

  • Revert to 2.0.4 and do not try to fix other extensions

Symphony 2.4 to 2.x.x

  • Fix problem when the email gateway settings is not prefixed with 'email_'

Symphony 2.4 to 2.x.x

  • Fix #40: Properly validate IP addresses (v4 and v6)

Symphony 2.4 to 2.x.x

  • Fix #38: Removed inline scripts

Symphony 2.4 to 2.x.x

  • Fix #36: Database error with IPv6 addresses

Symphony 2.4 to 2.x.x

  • Updated compatibility infos

Symphony 2.4 to 2.6.x

  • Rename mistyped function (changes the public API)

Symphony 2.4 to 2.6.x

  • Fix method signature.
  • Mark as Symphony 2.6.x compatible.

Symphony 2.4 to 2.5

  • Fixing Author() difference between 2.4 and 2.5

Symphony 2.4 to 2.5

  • Fixing issue #30 (thanks again @michael-e). The API as a new method ABF::instance()->authorLoginFailure()

Symphony 2.4 to 2.5

  • Fixing issues #27 and #29 (thanks @michael-e)
  • Revisited #19: The extension now plays better with http proxies
  • Raw request IP value is loggued
  • Manual entries now uses the Author name as source

Symphony 2.4 to 2.5

  • Fixing issues #21, #22, #23, #24, #25 and #26 (thanks @michael-e)
  • Minor UI updates

Requires Symphony 2.4

  • Fixing issue #20 and #19 completely.
  • Update the settings UI for 2.4

Requires Symphony 2.4

  • Added a note about proxies (thanks @michael-e)

Requires Symphony 2.4

  • Selectable table for Symphony 2.4 (thanks @nathanhornby)

Symphony 2.3 to 2.3.6

  • Added default collate values on tables.

Requires Symphony 2.4

  • Fixes for Symphony 2.4

Requires Symphony 2.3

  • Fixed a bunch of typos.
  • Added a setting for the name of the $_SERVER tag that contains the IP address. This is usefull when running being a proxy, so you can get the real user IP.
  • Fixing issue #17 - IP were not added to colored lists properly via the UI (thanks @michael-e).

Requires Symphony 2.3

  • Added a default sender email address, so email can be send even if nothing is set in the preferences.
  • Remove a left over var_dump

Requires Symphony 2.3

  • Officially added Italian translation (thanks @DaveRev)
  • Fixed a bug when no email settings are set in config.php

Requires Symphony 2.3

  • Officially added Russian translation (thanks @bzerangue)
  • Grouped navigation
  • Added a parameter for hidding Anti Brute Force menu to authors
  • Added alert when there are banned IPs

Requires Symphony 2.3

  • Major Security Update: Make sure the extension warns the user if misconfigured: Do not fail silently.
  • UI Update for Symphony 2.3.
  • Do not display the unband page if current IP is not banned.
  • Minor security update - make sure we have an email address set and validate before send.
  • Make the current IP the default value in the input field only for whitelist.

Symphony 2.3 to 2.3.0

  • DEPRECATED - Use 1.3: If you still need support for Symphony 2.2.x, use version 1.1
  • Compatibility update for Symphony 2.3

Symphony 2.2 to 2.2.5

  • Colored list feature added
  • Fix issues #5, and #7

Symphony 2.2 to 2.2.5

  • New data base scheme
  • New setting group, which was a copy/paste error -- breaks downward compatibility --
  • Fix others errors (not bugs, errors): issue #3, #4, #6

Symphony 2.2 to 2.2.5

  • Fix Issues #1 (typo) and #2 (no more ASDC)

Symphony 2.2 to 2.2.5

  • First release: Block login, Admin content page, ABF Facade/Singleton