Anti Brute Force 2.1.3 (released)
Secure your Symphony backend against brute force and dictionary attacks
Clone URL: https://github.com/Solutions-Nitriques/anti_brute_force.git
Add as a submodule: git submodule add https://github.com/Solutions-Nitriques/anti_brute_force.git extensions/anti_brute_force --recursive
Compatibility
2.x.x | 2.1.x | 2.2.x | 2.3.x | 2.4.x | 2.5.x | 2.6.x | 2.7.0 | 2.7.1 | 2.7.2 | 2.7.3 | 2.7.4 | 2.7.5 | 2.7.6 | 2.7.7 | 2.7.8 | 2.7.9 | 2.7.10 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
No | No | 1.1 | 1.3.5 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 | 2.1.3 |
Readme
Anti Brute Force
Secure your Symphony backend against brute force and dictionary attacks
Prevents people and software from brute-forcing your author/developer accounts.
SPECS
- After x failed attempts, the IP address is banned for y minutes; x and y are settings on the preferences page
- Features colored lists: black list, gray list, white list
- Features unban-via-email capability; must be enabled on the preferences page
- Backend content page for managing blocked IPs and colored lists
- A Facade/Singleton class, ABF, for developers to leverage anti-brute-force capabilities (e.g. email reports, or use with the Members extension)
NOTES ABOUT PROXIES
If you are using Symphony on a server that sits behind a proxy, it will always track 127.0.0.1 (or your proxy's IP) as the remote address, simply because PHP sees nothing else in $_SERVER['REMOTE_ADDR']. To fix this, set the 'remote-addr-key' setting to the field your proxy populates so that ABF can read the real user IP. You can also set this value on Symphony's preferences page in the backend.
Most proxies set 'HTTP_X_FORWARDED_FOR' with the user's IP, but some providers (such as CloudFlare) use a custom field. Only point ABF at a forwarded header when every request reaches PHP through that proxy: if clients can reach the server directly, they can set the header themselves and either dodge a ban or get an arbitrary address banned in their place. Your best bet is to test it: make a few failed logins through the proxy and confirm that the address listed under Banned IPs is the client's, not the proxy's.
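The following is an added example, not the Anti Brute Force extension's own code. It shows how the address named by the 'remote-addr-key' setting should be resolved so that a forwarded header is honoured only when the request actually arrived through your proxy. The function name, its parameters and the sample requests are hypothetical; it needs PHP 7.1 or later.

```php
<?php
// Added example: not the Anti Brute Force extension's own code. It shows how the
// address behind ABF's 'remote-addr-key' setting should be resolved so that a
// forwarded header is trusted only when the request really came through your
// proxy. Function name, parameters and sample requests are hypothetical.

/**
 * @param array    $server         A copy of $_SERVER
 * @param string   $remoteAddrKey  The key configured in ABF, e.g. 'REMOTE_ADDR',
 *                                 'HTTP_X_FORWARDED_FOR' or 'HTTP_CF_CONNECTING_IP'
 * @param string[] $trustedProxies Addresses of the proxies allowed to set that key
 * @return string|null A validated IPv4/IPv6 address, or null if none can be trusted
 */
function abf_client_ip(array $server, string $remoteAddrKey, array $trustedProxies): ?string
{
    // The TCP peer is the only address PHP knows for certain.
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        return null; // nothing usable: the caller should warn loudly, not fail silently
    }

    // No proxy in front of PHP: the peer is the client.
    if ($remoteAddrKey === 'REMOTE_ADDR') {
        return $peer;
    }

    // A forwarded header is only meaningful when the peer is one of our proxies.
    // Anyone reaching the origin directly can send 'X-Forwarded-For: 127.0.0.1'
    // to dodge a ban or to get a victim's address banned instead of their own.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // X-Forwarded-For is a list "client, proxy1, proxy2": each hop appends the
    // address it saw. Walk from the right and stop at the first hop we do not
    // trust; anything further left was supplied by the client.
    $hops = array_map('trim', explode(',', (string) ($server[$remoteAddrKey] ?? '')));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = filter_var($hops[$i], FILTER_VALIDATE_IP);
        if ($ip === false) {
            return null; // malformed value from a trusted proxy: refuse to guess
        }
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;
        }
    }

    // Every hop was one of our own proxies: the request originated inside our network.
    return $peer;
}

// Constructed sample requests (not captured traffic). 203.0.113.10 is the proxy.
$proxies = ['203.0.113.10'];
$samples = [
    'via proxy'      => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'forged, direct' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'forged prefix'  => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 2001:db8::1'],
    'broken header'  => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => 'unknown'],
];
foreach ($samples as $label => $server) {
    printf("%-15s => %s\n", $label, abf_client_ip($server, 'HTTP_X_FORWARDED_FOR', $proxies) ?? 'null');
}
```

The four constructed requests cover the cases that matter for a ban list: a genuine proxied request, a client that reached the origin directly and forged the header, a client that prepended a fake hop to a header the proxy then appended to, and a proxy that sent something that is not an address at all. Only the peer address or a hop vouched for by a trusted proxy is ever returned; the null result is the signal to warn rather than to silently record nothing.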
REQUIREMENTS
- Symphony CMS version 2.4 and up (as of the day of the last release of this extension)
INSTALLATION
- git clone, or download and unpack the tarball
- (Re)name the folder anti_brute_force
- Put it into the extensions directory
- Enable/install it just like any other extension (see http://getsymphony.com/learn/tasks/view/install-an-extension/)
- (optional) Go to the Preferences page to customize settings:
  - Maximum failed count before the user gets banned
  - Banned duration - number of minutes the IP is banned
  - Gray list threshold - maximum number of gray list entries before the IP is black listed
  - Gray list duration - in days - before entries expire
  - Unban via email - enables/disables this feature
  - Restrict access from authors - hide/show the ABF content page to Authors
  - Remote IP address field name - the getenv() field to look for the client's IP
- (optional) See all the banned IPs via Anti Brute Force -> Banned IPs
- (optional) Manage colored lists entries via Anti Brute Force -> Black/Gray/White list
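To see what a given set of preferences actually does before enabling it, here is an added example (not the extension's own code) that models the ban and colored-list policy in memory. The real extension keeps this state in the database; the class and method names are hypothetical, PHP 8.0 is assumed for the constructor promotion and named arguments, and two details are assumptions rather than documented behaviour: the white list is checked before anything else, and a successful login resets the failure counter.

```php
<?php
// Added example: not the extension's own code. An in-memory model of the ban and
// colored-list policy the preferences describe. The real extension keeps this
// state in the database; class and method names here are hypothetical, and two
// details are assumptions: the white list is checked first, and a successful
// login resets the failure counter. Requires PHP 8.0+.

final class AbfPolicy
{
    private array $failures = [];    // ip => consecutive failed logins
    private array $bannedUntil = []; // ip => unix timestamp at which the ban expires
    private array $gray = [];        // ip => timestamps of past bans (gray list entries)
    private array $black = [];       // ip => true
    private array $white = [];       // ip => true

    public function __construct(
        private int $maxFailures,   // "Maximum failed count before user gets banned"
        private int $banMinutes,    // "Banned duration"
        private int $grayThreshold, // "Gray list threshold"
        private int $grayDays,      // "Gray list duration"
        array $whiteList = []
    ) {
        $this->white = array_fill_keys($whiteList, true);
    }

    /** Should a login attempt from $ip be refused outright at time $now? */
    public function isBlocked(string $ip, int $now): bool
    {
        if (isset($this->white[$ip])) {
            return false;
        }
        if (isset($this->black[$ip])) {
            return true;
        }
        if (isset($this->bannedUntil[$ip])) {
            if ($this->bannedUntil[$ip] > $now) {
                return true;
            }
            unset($this->bannedUntil[$ip]); // ban expired
        }
        return false;
    }

    /** Record a failed login; returns true if this failure triggered a ban. */
    public function loginFailure(string $ip, int $now): bool
    {
        if (isset($this->white[$ip]) || $this->isBlocked($ip, $now)) {
            return false;
        }
        $this->failures[$ip] = ($this->failures[$ip] ?? 0) + 1;
        if ($this->failures[$ip] < $this->maxFailures) {
            return false;
        }

        // x failures reached: ban for y minutes and add a gray list entry.
        unset($this->failures[$ip]);
        $this->bannedUntil[$ip] = $now + $this->banMinutes * 60;

        // Gray list entries older than the configured duration no longer count.
        $cutoff = $now - $this->grayDays * 86400;
        $entries = array_filter($this->gray[$ip] ?? [], fn(int $t) => $t >= $cutoff);
        $entries[] = $now;
        $this->gray[$ip] = array_values($entries);

        // Too many bans inside the gray list window: escalate to the black list.
        if (count($this->gray[$ip]) >= $this->grayThreshold) {
            $this->black[$ip] = true;
        }
        return true;
    }

    public function loginSuccess(string $ip): void
    {
        unset($this->failures[$ip]);
    }
}

// Constructed walk-through: 3 failures ban for 15 minutes; 2 bans within 7 days black list.
$policy = new AbfPolicy(maxFailures: 3, banMinutes: 15, grayThreshold: 2, grayDays: 7, whiteList: ['192.0.2.1']);
$ip = '198.51.100.7';
$t = 1_700_000_000;

for ($i = 0; $i < 3; $i++) {
    $policy->loginFailure($ip, $t);
}
printf("after 3 failures, blocked: %s\n", var_export($policy->isBlocked($ip, $t), true));
printf("16 minutes later, blocked: %s\n", var_export($policy->isBlocked($ip, $t + 16 * 60), true));

$t += 16 * 60;
for ($i = 0; $i < 3; $i++) {
    $policy->loginFailure($ip, $t);
}
printf("a day after the second ban, blocked: %s\n", var_export($policy->isBlocked($ip, $t + 86400), true));
printf("white listed IP blocked: %s\n", var_export($policy->isBlocked('192.0.2.1', $t), true));
```

The walk-through is the case worth checking against your own settings: the first ban lapses on its own after the banned duration, but because it left a gray list entry, the second ban inside the gray list window meets the threshold and the address stays blocked until someone removes it from the black list. A white listed address never accumulates failures, so the white list should hold only addresses you control.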
UPDATING
Updating from version 1.3 or later is safe. Older releases require extra steps (see the project's upgrade notes).
LICENSE
Made in Montréal with love by Deux Huit Huit
Version history
Symphony 2.4 to 2.x.x
- Purge opcache upon install, since Symphony 2.4+ does not do it
Symphony 2.4 to 2.x.x
- Fix SQL injection in lists
Symphony 2.4 to 2.x.x
- Sanitize user provided value in form
Symphony 2.4 to 2.x.x
- Sanitize Widget's values
Symphony 2.4 to 2.x.x
- Revert to 2.0.4 and do not try to fix other extensions
Symphony 2.4 to 2.x.x
- Fix problem when the email gateway settings is not prefixed with 'email_'
Symphony 2.4 to 2.x.x
- Fix #40: Properly validate IP addresses (v4 and v6)
Symphony 2.4 to 2.x.x
- Fix #38: Removed inline scripts
Symphony 2.4 to 2.x.x
- Fix #36: Database error with IPv6 addresses
Symphony 2.4 to 2.x.x
- Updated compatibility infos
Symphony 2.4 to 2.6.x
- Rename mistyped function (changes the public API)
Symphony 2.4 to 2.6.x
- Fix method signature.
- Mark as Symphony 2.6.x compatible.
Symphony 2.4 to 2.5
- Fixing Author() difference between 2.4 and 2.5
Symphony 2.4 to 2.5
- Fixing issue #30 (thanks again @michael-e). The API has a new method: ABF::instance()->authorLoginFailure()
Symphony 2.4 to 2.5
- Fixing issues #27 and #29 (thanks @michael-e)
- Revisited #19: The extension now plays better with http proxies
- Raw request IP value is logged
- Manual entries now use the Author name as source
Symphony 2.4 to 2.5
- Fixing issues #21, #22, #23, #24, #25 and #26 (thanks @michael-e)
- Minor UI updates
Requires Symphony 2.4
- Fixing issue #20 and #19 completely.
- Update the settings UI for 2.4
Requires Symphony 2.4
- Added a note about proxies (thanks @michael-e)
Requires Symphony 2.4
- Selectable table for Symphony 2.4 (thanks @nathanhornby)
Symphony 2.3 to 2.3.6
- Added default collate values on tables.
Requires Symphony 2.4
- Fixes for Symphony 2.4
Requires Symphony 2.3
- Fixed a bunch of typos.
- Added a setting for the name of the $_SERVER key that contains the IP address. This is useful when running behind a proxy, so you can get the real user IP.
- Fixing issue #17 - IP were not added to colored lists properly via the UI (thanks @michael-e).
Requires Symphony 2.3
- Added a default sender email address, so email can be send even if nothing is set in the preferences.
- Remove a left over var_dump
Requires Symphony 2.3
- Officially added Italian translation (thanks @DaveRev)
- Fixed a bug when no email settings are set in config.php
Requires Symphony 2.3
- Officially added Russian translation (thanks @bzerangue)
- Grouped navigation
- Added a parameter for hiding the Anti Brute Force menu from authors
- Added alert when there are banned IPs
Requires Symphony 2.3
- Major Security Update: Make sure the extension warns the user if misconfigured: Do not fail silently.
- UI Update for Symphony 2.3.
- Do not display the unban page if the current IP is not banned.
- Minor security update - make sure we have an email address set and validate before send.
- Make the current IP the default value in the input field only for whitelist.
Symphony 2.3 to 2.3.0
- DEPRECATED - Use 1.3: If you still need support for Symphony 2.2.x, use version 1.1
- Compatibility update for Symphony 2.3
Symphony 2.2 to 2.2.5
- Colored list feature added
- Fix issues #5, and #7
Symphony 2.2 to 2.2.5
- New data base scheme
- New setting group, which was a copy/paste error -- breaks downward compatibility --
- Fix other errors (not bugs, errors): issues #3, #4, #6
Symphony 2.2 to 2.2.5
- Fix Issues #1 (typo) and #2 (no more ASDC)
Symphony 2.2 to 2.2.5
- First release: Block login, Admin content page, ABF Facade/Singleton