anyx/login-gate-bundle

Checking brute force attacks on site

Monday, July 2, 2018
by anyx
Repository
1 Watchers
19 Stars
10,566 Installations

PHP
0 Dependents
0 Suggesters
11 Forks
1 Open issues
10 Versions
39 % Grown

The README.md

LoginGateBundle

:warning: Bundle is deprecated since similar functionality was introduced in Symfony framework. See https://symfony.com/doc/current/security.html#limiting-login-attempts

, _(*1)

This bundle detects brute-force attacks on Symfony applications. It then will disable login for attackers for a certain period of time. This bundle also provides special events to execute custom handlers when a brute-force attack is detected., _(*2)

Compatibility

The bundle is since version 1.0 compatible with Symfony 5., _(*3)

Installation

Add this bundle via Composer:, _(*4)

composer require anyx/login-gate-bundle

Configuration:

Add in config/packages/login_gate.yml:, _(*5)

# config/packages/login_gate.yaml

login_gate:
    storages: ['orm'] # Attempts storages. Available storages: ['orm', 'session', 'mongodb']
    options:
        max_count_attempts: 3
        timeout: 600 #Ban period
        watch_period: 3600 #Only for databases storage. Period of actuality attempts
 ```

### :warning: Username resolver (optional).

Since Symfony does not provide a common way to retrieve passed username 
from `LoginFailureEvent` for every possible authentication scenario, 
by default this bundle is trying to retrieve username from `_username` parameter in request's form data.

It means, that if you are using different authentication scenario (`json_login`, for example), 
users with same ip addresses will be indistinguishable. To prevent this,
you probably should create own username resolver and register it in `username_resolver` option:

```php
<?php

namespace App\Service;

use Anyx\LoginGateBundle\Service\UsernameResolverInterface;
use Symfony\Component\HttpFoundation\Request;

/**
 * Username resolver for json login
 */
class UsernameResolver implements UsernameResolverInterface
{
    public function resolve(Request $request)
    {
        $requestData = json_decode($request->getContent(), true);

        return is_array($requestData) && array_key_exists('username', $requestData) ? $requestData['username'] : null;
    }
}

# config/packages/login_gate.yaml
login_gate:
    storages: ['orm'] # Attempts storages. Available storages: ['orm', 'session', 'mongodb']
    options:
        max_count_attempts: 3
        timeout: 600 #Ban period
        watch_period: 3600 #Only for databases storage. Period of actuality attempts
    username_resolver: App\Service\UsernameResolver
 ```



### Register event handler (optional).
```yml
services:
      acme.brute_force_listener:
          class: Acme\BestBundle\Listener\BruteForceAttemptListener
          tags:
              - { name: kernel.event_listener, event: security.brute_force_attempt, method: onBruteForceAttempt }

Usage

For classic login form authentication we can check count login attempts before showing form:, _(*6)

namespace App\Controller;

use Anyx\LoginGateBundle\Service\BruteForceChecker;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class SecurityController extends AbstractController
{
    /**
     * @Route("/login", name="login")
     */
    public function formLogin(AuthenticationUtils $authenticationUtils, BruteForceChecker $bruteForceChecker, Request $request): Response
    {
        if (!$bruteForceChecker->canLogin($request)) {
            return new Response('Too many login attempts');
        }

        $error = $authenticationUtils->getLastAuthenticationError();

        $lastUsername = $authenticationUtils->getLastUsername();

        return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]);
    }
}

Also there is ability to clear login attempts for request (it happens after successful authentication by default):, _(*7)

$this->bruteForceChecker->getStorage()->clearCountAttempts($request, $username);

For more examples take a look at the tests., _(*8)

The Versions

02/07 2018

dev-master

9999999-dev https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

The Development Requires

by Aleksandr Klimenkov

security brute-force

02/07 2018

0.7

0.7.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

The Development Requires

by Aleksandr Klimenkov

security brute-force

22/05 2018

0.6

0.6.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

The Development Requires

by Aleksandr Klimenkov

security brute-force

22/05 2018

dev-change-dependencies

dev-change-dependencies https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

The Development Requires

by Aleksandr Klimenkov

security brute-force

09/03 2018

0.5

0.5.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

symfony/symfony ~2.8|~3.0|~4.0

The Development Requires

by Aleksandr Klimenkov

security brute-force

09/03 2018

dev-travis-ci-memory

dev-travis-ci-memory https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

symfony/symfony ~2.8|~3.0|~4.0

The Development Requires

by Aleksandr Klimenkov

security brute-force

04/08 2017

0.4

0.4.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

symfony/symfony ~2.8|~3.0

The Development Requires

by Aleksandr Klimenkov

security brute-force

29/07 2016

0.3

0.3.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

symfony/symfony ~2.8|~3.0

The Development Requires

by Aleksandr Klimenkov

security brute-force

22/01 2014

0.2

0.2.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

symfony/framework-bundle 2.*

by Aleksandr Klimenkov

security brute-force

22/01 2014

0.1

0.1.0.0 https://github.com/anyx/LoginGateBundle

Checking brute force attacks on site

Sources Download

MIT

The Requires

symfony/framework-bundle 2.*

by Aleksandr Klimenkov

security brute-force

symfony-bundle login-gate-bundle

Checking brute force attacks on site

anyx/login-gate-bundle

The README.md

LoginGateBundle

:warning: Bundle is deprecated since similar functionality was introduced in Symfony framework. See https://symfony.com/doc/current/security.html#limiting-login-attempts

Compatibility

Installation

Configuration:

Usage

The Versions

dev-master

The Requires

The Development Requires

by Aleksandr Klimenkov

0.7

The Requires

The Development Requires

by Aleksandr Klimenkov

0.6

The Requires

The Development Requires

by Aleksandr Klimenkov

dev-change-dependencies

The Requires

The Development Requires

by Aleksandr Klimenkov

0.5

The Requires

The Development Requires

by Aleksandr Klimenkov

dev-travis-ci-memory

The Requires

The Development Requires

by Aleksandr Klimenkov

0.4

The Requires

The Development Requires

by Aleksandr Klimenkov

0.3

The Requires

The Development Requires

by Aleksandr Klimenkov

0.2

The Requires

by Aleksandr Klimenkov

0.1

The Requires

by Aleksandr Klimenkov