[pmwiki-users] New release of userauth2 (2.0-stable8), adding brute-force attack protection

ThomasP pmwikidev at sigproc.de
Sun Sep 23 09:24:15 CDT 2007


Hello everybody,

I have uploaded a new release of the userauth module: version 2.0-stable8.

This version incorporates a mechanism against brute-force attacks on the
login, as raised by Christophe in [1].

The protection is enabled by default, with the intention of getting the "full"
security out of the box.

I have chosen the parameters such that it will allow at most 100 failed
logins on one client IP (or one username; checked in parallel) within 30
days. After encountering that limit, every login on that IP or username is
blocked until the failed login attempts have aged sufficiently.

Below is the full list of configuration vars.

Let me know if you encounter problems.

ThomasP

(Note for upgrading from stable7: only userauth2.php has been changed, and
a new file userauth2/userauth2-bruteforce.php has been added.)

----
SDV($UA2EnableBruteForceProtect,  true);
SDV($FailedLoginsLogDir, "cookbook/userauth2/failed_login_attempts");
SDV($FailedLoginsLimitUser,       100);
SDV($FailedLoginsTimeframeUser,   30*86400); // in secs; default: 30 days
SDV($FailedLoginsLimitIp,         100);
SDV($FailedLoginsTimeframeIp,     30*86400);

(The implementation follows more or less what I had drawn up in the
follow-up discussion to [1].)

----
[1] http://article.gmane.org/gmane.comp.web.wiki.pmwiki.user/45550
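As an added illustration of the lockout mechanism described in the announcement above (example code written for this page, not the userauth2 module's own implementation): a stand-alone sliding-window limiter that uses the same parameter names and defaults as the configuration list. Per client IP and, independently, per username it keeps the timestamps of failed logins, drops those older than the timeframe, and refuses every login for an IP or username whose surviving count has reached the limit; nothing is reset on success, blocks lift only as old failures age out. The one-JSON-file-per-counter store under $FailedLoginsLogDir, the hashed file names, the fla_* helper names and the guarded_login() wrapper are assumptions for the example; the real module's storage format is not described in the post.

```php
<?php
// Added example, not code from userauth2. Sliding-window failed-login limiter
// with the semantics of the release note: per IP and per username, at most
// $Limit failures within $Timeframe seconds, checked in parallel; either
// counter at its limit blocks the login until old failures age out.
// Storage format (one JSON array of timestamps per counter) is an assumption.

$FailedLoginsLogDir        = sys_get_temp_dir() . '/failed_login_attempts_demo';
$FailedLoginsLimitUser     = 100;
$FailedLoginsTimeframeUser = 30 * 86400;   // in secs; 30 days
$FailedLoginsLimitIp       = 100;
$FailedLoginsTimeframeIp   = 30 * 86400;

// File name for one counter. The key is hashed so that an attacker-chosen
// username cannot put path separators or other junk into the file name.
function fla_path($kind, $key) {
    global $FailedLoginsLogDir;
    return $FailedLoginsLogDir . '/' . $kind . '-' . hash('sha256', $key) . '.json';
}

function fla_load($kind, $key) {
    $path = fla_path($kind, $key);
    if (!is_file($path)) return array();
    $times = json_decode(file_get_contents($path), true);
    return is_array($times) ? $times : array();
}

function fla_save($kind, $key, $times) {
    global $FailedLoginsLogDir;
    if (!is_dir($FailedLoginsLogDir)) mkdir($FailedLoginsLogDir, 0700, true);
    file_put_contents(fla_path($kind, $key), json_encode(array_values($times)), LOCK_EX);
}

// Keep only the timestamps that fall inside the window ending at $now.
function fla_prune($times, $window, $now) {
    $keep = array();
    foreach ($times as $t) {
        if ($t > $now - $window) $keep[] = $t;
    }
    return $keep;
}

// Both counters are consulted; either one at its limit blocks the login.
function fla_is_blocked($ip, $user, $now) {
    global $FailedLoginsLimitIp, $FailedLoginsTimeframeIp,
           $FailedLoginsLimitUser, $FailedLoginsTimeframeUser;
    $ipHits   = fla_prune(fla_load('ip', $ip),     $FailedLoginsTimeframeIp,   $now);
    $userHits = fla_prune(fla_load('user', $user), $FailedLoginsTimeframeUser, $now);
    return count($ipHits)   >= $FailedLoginsLimitIp
        || count($userHits) >= $FailedLoginsLimitUser;
}

// Record one failure against both counters, pruning on the way so the
// per-counter files cannot grow without bound.
function fla_record_failure($ip, $user, $now) {
    global $FailedLoginsTimeframeIp, $FailedLoginsTimeframeUser;
    $ipHits   = fla_prune(fla_load('ip', $ip), $FailedLoginsTimeframeIp, $now);
    $ipHits[] = $now;
    fla_save('ip', $ip, $ipHits);
    $userHits   = fla_prune(fla_load('user', $user), $FailedLoginsTimeframeUser, $now);
    $userHits[] = $now;
    fla_save('user', $user, $userHits);
}

// Wrapper around the real credential check. The block is tested before the
// password is looked at, so a blocked client learns nothing about whether
// its guess was right. $passwordOk stands in for the module's own check.
function guarded_login($ip, $user, $passwordOk, $now = null) {
    if ($now === null) $now = time();
    if (fla_is_blocked($ip, $user, $now)) return 'blocked';
    if ($passwordOk) return 'ok';
    fla_record_failure($ip, $user, $now);
    return 'failed';
}

// Demo with constructed input: start from a clean store, then send 100 wrong
// passwords from 10.0.0.7 for "admin" using a fixed clock.
foreach (glob($FailedLoginsLogDir . '/*.json') ?: array() as $f) unlink($f);
$t0 = 1190000000;
for ($i = 0; $i < 100; $i++) {
    guarded_login('10.0.0.7', 'admin', false, $t0 + $i);
}
$probes = array(
    array('10.0.0.7', 'admin', $t0 + 100),              // IP and username both at the limit
    array('10.0.0.8', 'admin', $t0 + 100),              // fresh IP, but the username counter is full
    array('10.0.0.7', 'alice', $t0 + 100),              // fresh username, but the IP counter is full
    array('10.0.0.8', 'alice', $t0 + 100),              // neither counter involved
    array('10.0.0.7', 'admin', $t0 + 30 * 86400 + 100), // every failure has aged out of the window
);
foreach ($probes as $p) {
    printf("%-9s %-6s t+%-8d -> %s\n", $p[0], $p[1], $p[2] - $t0,
           guarded_login($p[0], $p[1], true, $p[2]));
}
```

Two consequences of these parameters are worth keeping in mind when tuning them. Because the username counter trips on failures from any source, anyone who knows a username can lock that account for up to 30 days with 100 wrong passwords; and because the IP counter is shared by everyone behind a NAT gateway or proxy, 100 failures from one such network block all of its users. Both are inherent to lockout by username or IP rather than defects of this module, and raising the limits or shortening the timeframes trades them against slower brute-force detection.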
