Added option to lock accounts with failed logins

WiWaG · Feb 13, 2008 · 25e9936 · 25e9936
1 parent 017ab2f
commit 25e9936
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 0 deletions.
diff --git a/miniserv.pl b/miniserv.pl
@@ -822,6 +822,19 @@ package miniserv;
 							}
 						}
 
+					# Lock out the user's password, if enabled
+					if ($config{'blocklock'} &&
+					    $userfail{$1} >=
+					      $config{'blockuser_failures'}) {
+						my $lk = &lock_user_password($1);
+						$blocked = 2;
+						if ($use_syslog) {
+							local $logtext = $lk == 1 ? "Security alert: User $1 locked after $config{'blockuser_failures'} failed logins" : $lk < 0 ? "Security alert: User could not be locked" : "Security alert: User is already locked";
+							syslog("crit", "%s",
+								$logtext);
+							}
+						}
+
 					# Send back a delay
 					$dl = $userdlay{$1} -
 				           int(($time_now - $userlast{$1})/50);
@@ -4490,3 +4503,33 @@ sub write_pid_file
 close(PIDFILE);
 }
 
+# lock_user_password(user)
+# Updates a user's password file entry to lock it, both in memory and on disk.
+# Returns 1 if done, -1 if no such user, 0 if already locked
+sub lock_user_password
+{
+local ($user) = @_;
+if ($users{$user}) {
+	if ($users{$user} !~ /^\!/) {
+		# Lock the password
+		$users{$user} = "!".$users{$user};
+		open(USERS, $config{'userfile'});
+		local @ufile = <USERS>;
+		close(USERS);
+		foreach my $u (@ufile) {
+			local @uinfo = split(/:/, $u);
+			if ($uinfo[0] eq $user) {
+				$uinfo[1] = $users{$user};
+				}
+			$u = join(":", @uinfo);
+			}
+		open(USERS, ">$config{'userfile'}");
+		print USERS @ufile;
+		close(USERS);
+		return 1;
+		}
+	return 0;
+	}
+return -1;
+}
+
diff --git a/webmin/CHANGELOG b/webmin/CHANGELOG
@@ -73,3 +73,4 @@ Inheritance of the system path into Webmin's search path can be set on the Opera
 The nice level (CPU priority) of all cron and other background jobs run by Webmin can now be set on the Advanced Options page.
 ---- Changes since 1.400 ----
 Use the gzip -d command to extract Webmin modules, if gunzip is missing (such as on Windows).
+Users with too many failed logins can be locked until the administrator unlocks them.
diff --git a/webmin/change_session.cgi b/webmin/change_session.cgi
@@ -35,6 +35,7 @@ if ($in{'blockuser_on'}) {
 else {
 	$miniserv{'blockuser_time'} = $miniserv{'blockuser_failures'} = undef;
 	}
+$miniserv{'blocklock'} = $in{'blocklock'};
 
 $miniserv{'syslog'} = $in{'syslog'};
 if ($in{'session'} && $ENV{'HTTP_COOKIE'} !~ /sessiontest=1/i) {

diff --git a/webmin/edit_session.cgi b/webmin/edit_session.cgi
@@ -35,6 +35,11 @@ print &text('session_blockuser',
     &ui_textbox("blockuser_failures", $miniserv{'blockuser_failures'}, 4),
     &ui_textbox("blockuser_time", $miniserv{'blockuser_time'}, 4)),"<br>\n";
 
+# Lock bad users
+print "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\n",
+      &ui_checkbox("blocklock", 1, $text{'session_blocklock'},
+		   $miniserv{'blocklock'}),"<br>\n";
+
 # Log to syslog
 eval "use Sys::Syslog qw(:DEFAULT setlogsock)";
 if (!$@) {

diff --git a/webmin/lang/en b/webmin/lang/en
@@ -544,6 +544,7 @@ session_pmode2=Prompt users with expired passwords to enter a new one
 session_md5off=Use standard Unix <tt>crypt</tt> encryption for Webmin passwords
 session_md5on=Use MD5 encryption for Webmin passwords (allows long passwords)
 session_emd5=MD5 encryption cannot be used, as Perl does not have built-in <tt>crypt</tt> MD5 support on your system
+session_blocklock=Also lock users with failed logins
 
 assignment_title=Reassign Modules
 assignment_header=Module category assignments