Automatic brute force attack prevention module for use within Zend Framework 2. Stores all failed login attempts site-wide in a database and compares the number of recent failed attempts against a set threshold. Responds with a time delay between login requests.
Implementation by Team CODIFIC • We code terrific.
Inspired by the work of Evan Francis, https://github.com/ejfrancis/brute-force-block. Inspired by the Angular JS implementation, https://www.npmjs.com/package/express-brute
MIT License http://opensource.org/licenses/MIT.
All failed attempts are stored in a database table. The brute force protection works per IP address. A predefined threshold configuration dictates the delay after a certain number of failed attempts. After a certain period (e.g., 10 min) the failed attempts expire. Targeted denial of service attacks are still possible to a certain extent if the attacker has the same IP address as a legitimate user (e.g., behind a shared NAT or proxy), since the delay applies to every request from that address.
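The policy described above (failures counted per IP, expiry window, threshold table mapping a failure count to a delay measured from the most recent failure) written out as a standalone class. This is an added illustration, not the module's own code: the module keeps its records in the database and reads the IP itself, whereas this version keeps them in memory and takes the IP and the clock explicitly so the behaviour can be traced; the 10 minute expiry and the threshold values are assumptions.

```php
<?php
// Added illustration (not the module's own code) of the described policy:
// failed logins are recorded per IP with a timestamp, entries older than the
// expiry window are ignored, and a threshold table maps the number of recent
// failures to a delay that must elapse after the most recent failure.

class DelayPolicy
{
    /** @var array<string, int[]> ip => failure timestamps in seconds */
    private $failures = array();

    /** @var int seconds after which a failed attempt no longer counts (assumed 10 min) */
    private $expiry;

    /** @var array<int, int> minimum failure count => delay in seconds (assumed values) */
    private $thresholds;

    public function __construct($expiry = 600, array $thresholds = array(3 => 5, 5 => 30, 10 => 300))
    {
        $this->expiry = $expiry;
        krsort($thresholds); // highest count first, so the first match is the strictest rule
        $this->thresholds = $thresholds;
    }

    /** Record one failed attempt from $ip at time $now (unix seconds). */
    public function addFailedLogin($ip, $now)
    {
        $this->failures[$ip][] = $now;
    }

    /** Non-expired failure timestamps for $ip, oldest first; expired ones are dropped. */
    private function recent($ip, $now)
    {
        if (!isset($this->failures[$ip])) {
            return array();
        }
        $cutoff = $now - $this->expiry;
        $this->failures[$ip] = array_values(array_filter(
            $this->failures[$ip],
            function ($t) use ($cutoff) { return $t > $cutoff; }
        ));
        return $this->failures[$ip];
    }

    /** Seconds the caller must still wait, or 0 if the login may proceed. */
    public function getLoginDelay($ip, $now)
    {
        $recent = $this->recent($ip, $now);
        $count = count($recent);
        foreach ($this->thresholds as $minCount => $delay) {
            if ($count >= $minCount) {
                // The delay runs from the most recent failure, not from "now",
                // so a client that simply waits is not penalised twice.
                $remaining = (end($recent) + $delay) - $now;
                return max(0, $remaining);
            }
        }
        return 0;
    }
}

// Constructed walk-through: five failures in quick succession from one address
// (203.0.113.0/24 is a documentation range; the timestamps are made up).
$policy = new DelayPolicy();
$ip = '203.0.113.7';
$t0 = 1700000000;
for ($i = 0; $i < 5; $i++) {
    $policy->addFailedLogin($ip, $t0 + $i);
}
printf("delay right after the 5th failure: %d s\n", $policy->getLoginDelay($ip, $t0 + 4));
printf("delay 20 s later:                  %d s\n", $policy->getLoginDelay($ip, $t0 + 24));
printf("delay after the expiry window:     %d s\n", $policy->getLoginDelay($ip, $t0 + 700));
printf("another address is unaffected:     %d s\n", $policy->getLoginDelay('198.51.100.9', $t0 + 4));
```

With the assumed thresholds the fifth failure selects the 30 s rule, the delay shrinks as time passes since the last failure, it disappears once all five entries have aged out of the expiry window, and a second address is never affected. The last point is also the limitation the paragraph above names: every client sharing the throttled address waits together.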
Add the plugin to your composer.json by using the following line:
"codific/zf2-brute-force-protection": "dev-master"
and run
php composer.phar update
- Import the user_failed_login.sql file to your database
- If you are using a local.php configuration file stored in data/local.php then the plugin works as it is.
- Otherwise please set the $databaseConfig array.
$databaseConfig = array(
'host' => 'localhost',
'port' => 3306,
'dbname' => 'database_name',
'username' => 'username',
'password' => 'password');
In the LoginController (or whatever controller is responsible for the login business logic):
Before actually checking the provided authentication credentials, use the following code (or similar) to check whether there have been too many requests:
$delay = \Codific\BruteForce::getLoginDelay();
if($delay > 0)
{
$this->cache->error = "Too Many Requests. Please wait $delay seconds before next try.";
return $this->redirect()->toUrl("/admin/login/index");
}
You can also return HTTP status code 429 (Too Many Requests), which is probably the more systematic solution:
if(\Codific\BruteForce::getLoginDelay() > 0)
{
return $this->getResponse()->setStatusCode(429);
}
If the login with the provided authentication credentials fails, then add the failed attempt via the following code:
\Codific\BruteForce::addFailedLogin($username);
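The three steps above (check the delay, respond with 429, record the failure) combined into one complete login action. This is an added example, not code shipped with the module: the controller class, the injected Zend\Authentication\AuthenticationService, the form field names and the redirect URLs are assumptions; only the two \Codific\BruteForce calls come from the documentation above.

```php
<?php
// Added example of a complete loginAction wiring the two documented calls
// together. Not part of the module: the authentication service injected as
// $auth, the form field names and the redirect URLs are assumptions.

namespace Application\Controller;

use Zend\Mvc\Controller\AbstractActionController;

class LoginController extends AbstractActionController
{
    /** @var \Zend\Authentication\AuthenticationService assumed to be injected by a factory */
    private $auth;

    public function __construct($auth)
    {
        $this->auth = $auth;
    }

    public function loginAction()
    {
        $request = $this->getRequest();
        if (!$request->isPost()) {
            return array(); // render the login form
        }

        // 1. Check the delay before touching the credentials at all, so a
        //    throttled client learns nothing from the response.
        $delay = \Codific\BruteForce::getLoginDelay();
        if ($delay > 0) {
            $response = $this->getResponse();
            $response->setStatusCode(429);
            // Retry-After is the standard companion header to 429 (RFC 6585).
            $response->getHeaders()->addHeaderLine('Retry-After', (string) $delay);
            return $response;
        }

        $username = (string) $request->getPost('username', '');
        $password = (string) $request->getPost('password', '');

        $adapter = $this->auth->getAdapter();
        $adapter->setIdentity($username)->setCredential($password);
        $result = $this->auth->authenticate();

        if (!$result->isValid()) {
            // 2. Record the failure before responding. The same generic message
            //    is used whether the username exists or not, so the throttle
            //    response and the error text reveal nothing about valid accounts.
            \Codific\BruteForce::addFailedLogin($username);
            $this->flashMessenger()->addErrorMessage('Invalid username or password.');
            return $this->redirect()->toUrl('/admin/login/index');
        }

        return $this->redirect()->toUrl('/admin');
    }
}
```

The ordering matters: the delay check runs before any database lookup of the username, and the failure is recorded before the redirect, so a client that aborts the response after a failed attempt is still counted.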
That's it.