Apache-LoggedAuthDBI
6 results

 view release on metacpan or  search on metacpan

LoggedAuthDBI.pm  view on Meta::CPAN 

	my $dbh;
	for ($j = 0; $j <= $#data_sources; $j++) {
		last if ($dbh = DBI->connect($data_sources[$j], $usernames[$j], $passwords[$j]));
	}
	unless ($dbh) {
		$r->log_reason("db connect error with data_source >$Attr->{data_source}<: $DBI::errstr", $r->uri);
		return MP2 ? Apache2::Const::SERVER_ERROR() : Apache::Constants::SERVER_ERROR();
	}

	# connect to right database
	#my $dbh = DBI->connect("DBI:mysql:$DB_CFG{$client.'dbname'}:$DB_CFG{$client.'dbhost'}", $DB_CFG{$client.'dblogin'}, $DB_CFG{$client.'dbpass'});



	#THE RULES
	#
	# configure the tolerance levels using the following 8 variables
	#

	#autoreject if an IPaddress made X failed attempts in Y seconds
	my $seconds_declined = 120;
	my $times_declined = 5;

	#prevent brute force attacks, has an IPaddress made X attempts in Y seconds
	my $seconds_brute_ip = 300;
	my $times_brute_ip = 800;
	
	#prevent brute force attacks, has the same username been rejected X times in Y sec?
	my $seconds_brute_username = 60;
	my $times_brute_username = 3;

	#Prevent password sharing, has the same username accessed from X different IPs in Y sec
	my $minutes_pw_shared = 180;
	my $times_pw_shared = 30;


	#SQL Queries to detect brute forcing and or pass sharing
		# &get_count will return the number of entries that correspond to the query in $select. the result will be
		# compared with the $times_...  variable to detect a violation of our rules

	#autoreject if an IPaddress made X failed attempts in Y seconds
	my $select = "SELECT id FROM ".$Attr->{table}." WHERE ".$Attr->{ip_field}."='$incomingIP' AND ".$Attr->{status_field}."<>'0' AND ".$Attr->{time_field}." > (DATE_SUB(NOW(), INTERVAL '$seconds_declined' SECOND))";
	my $declined = &get_count($select, $dbh);

	#prevent brute force attacks, has an IPaddress made X attempts in Y seconds
	$select = "SELECT id FROM ".$Attr->{table}." WHERE ".$Attr->{ip_field}."='$incomingIP' AND ".$Attr->{time_field}." > (DATE_SUB(NOW(), INTERVAL '$seconds_brute_ip' SECOND))";
	my $brute_ip = &get_count($select, $dbh);

	#prevent brute force attacks, has the same username been rejected X times in Y sec?
	$select = "SELECT id FROM ".$Attr->{table}." WHERE ".$Attr->{un_field}."='$username' AND ".$Attr->{status_field}."<>'0' AND ".$Attr->{time_field}." > (DATE_SUB(NOW(), INTERVAL '$seconds_brute_username' SECOND))";
	my $brute_username = &get_count($select, $dbh);

	#Prevent password sharing, has the same username accessed from X different IPs in Y sec
	$select = "SELECT distinct(".$Attr->{ip_field}.") ".$Attr->{table}." WHERE ".$Attr->{un_field}."='$username' AND ".$Attr->{time_field}. "> (DATE_SUB(NOW(), INTERVAL '$minutes_pw_shared' MINUTE))";
	my $password_shared = &get_count($select, $dbh);



	#Take Action: in case of a detected violation beyond tolerance level send the user to an error page
	if ($declined >= $times_declined) {
		$r->filename($errdocpath . 'blocked.html');
		$return_value = 'OK';
	} elsif ($brute_ip >= $times_brute_ip || $brute_username >= $times_brute_username) {
		$r->filename($errdocpath . 'brute_force.html');
		$return_value = 'OK';
	} elsif ($password_shared >= $times_pw_shared) {
		$r->filename($errdocpath . 'pass_sharing.html');
		$auth = 'PASS_SHARED';
		$return_value = 'OK';

	#no brute force/pwsharing pass off to the main DBI authorization thingy...
	} else { 
		$auth = Apache::AuthDBI::authen($r);
		$return_value = $auth;
	}

	#If this is the initial request log the attempt in the database. the ifcheck is necessary to screen out
	#multiple entries caused by subrequests when everything goes through okay
	if ($r->is_initial_req) {
		my $sth = $dbh->prepare("INSERT INTO ".$Attr->{table}." VALUES ('', '$username', '$incomingIP', '$auth', NULL)");
		$sth->execute;
	}
  
	# disconnect from the database
	$dbh->disconnect;

	# Return the $auth
	return $return_value;
}


sub get_count {
	my ($sql, $dbh) = @_;
	my $sth = $dbh->prepare($sql);
	my $rv = $sth->execute;
	$rv = 0 if (!($rv > 0));
	return $rv;
}


1;

__END__

=head1 NAME

 Apache::LoggedAuthDBI


=head1 SYNOPSIS

 # Configuration in httpd.conf or startup.pl:

 PerlModule Apache::LoggedAuthDBI

 # Authentication and Authorization in .htaccess:

 AuthName DBI
 AuthType Basic

 PerlAuthenHandler Apache::AuthDBI::authen

LoggedAuthDBI.pm  view on Meta::CPAN 

  `username` varchar(64) default NULL,
  `IPaddress` varchar(15) default NULL,
  `status` varchar(15) default NULL,
  `timestamped` timestamp(14) NOT NULL,
  PRIMARY KEY  (`id`)
 ) TYPE=MyISAM
 </mysql>


=head1 LIST OF TOKENS

 Only the tokens specific to this module are discussed here. For reference
 on the remaining tokens consult the documentation on Apache::AuthDBI.

=over 4

=item *
 Log_ADBI_table

 Name of the table where login records will be kept.
 Has to at least contain fields holding IPaddress, username, status and timestamp.

=item *
 Log_ADBI_ip_field

 Field name of the Log_ADBI_table containing the IPaddress of the login attempt.

=item *
 Log_ADBI_un_field

 Field name of the Log_ADBI_table containing the username of the login attempt.

=item *
 Log_ADBI_status_field

 Field name of the Log_ADBI_table containing the status of the login attempt that was made.

=item *
 Log_ADBI_time_field

 Field name of the Log_ADBI_table containing the timestamp of the login attempt. 

=back


=head1 CONFIGURATION

 The module should be loaded upon startup of the Apache daemon.
 Add the following line to your httpd.conf:

 PerlModule Apache::LoggedAuthDBI
 
 Also, copy the following HTML files to the document root of Apache. These are needed
 as this module will redirect to these resources in case of detected perpetration. Using
 your own is perfectly okay as long as you either keep the naming or edit the filenames
 in the module.

=over 4

=item *
 blocked.html

=item *
 brute_force.html

=item *
 pass_sharing.html

=back

=head1 PREREQUISITES

 Apache::AuthDBI is required. This implies that minimum requirements for that
 module must be met.


=head1 AUTHORS

=over 4

=item *
 Apache::LoggedAuthDBI by Sung-Hun Kim

=item *
 Apache::AuthDBI by Edmund Mergl; now maintained and supported by the
 modperl mailinglist, subscribe by sending mail to
 modperl-subscribe@perl.apache.org.

=back

=head1 SEE ALSO

L<AuthDBI>

=head1 COPYRIGHT

 Copyright (c) 2005 Sung-Hun Kim. All rights reserved. 
 This program is free software;  you can redistribute it 
 and/or modify it under the same terms as Perl itself.

=cut



( run in 3.091 seconds using v1.01-cache-2.11-cpan-98e64b0badf )