anyx / login-gate-bundle
Checks for brute-force attacks on a website
4.0.2
2024-01-05 19:02 UTC
Requires
- ext-json: *
- symfony/config: ^3.3|^4.0|^5.1|^6.0|^7.0
- symfony/dependency-injection: ^3.3|^4.0|^5.1|^6.0|^7.0
- symfony/security-bundle: ^3.3|^4.0|^5.1|^6.0|^7.0
Requires (Dev)
- php: >=8.2
- ext-ctype: *
- ext-iconv: *
- doctrine/doctrine-bundle: ^2.11
- doctrine/doctrine-fixtures-bundle: ^3.4
- doctrine/doctrine-migrations-bundle: ^3.3
- doctrine/mongodb-odm-bundle: 5.0.x-dev
- doctrine/orm: ^2.17
- escapestudios/symfony2-coding-standard: 3.x-dev
- friendsofphp/php-cs-fixer: ^3.5
- mtdowling/jmespath.php: ^2.7
- phpmd/phpmd: @stable
- phpunit/phpunit: ^9.5
- symfony/browser-kit: ^7.0
- symfony/dotenv: ^7.0
- symfony/flex: ^2
- symfony/framework-bundle: ^7.0
- symfony/monolog-bundle: ^3.0
- symfony/phpunit-bridge: ^6.1
- symfony/runtime: ^7.0
- symfony/security-bundle: ^7.0
- symfony/twig-bundle: ^7.0
- symfony/yaml: ^7.0
- twig/extra-bundle: ^2.12|^3.0
- twig/twig: ^2.12|^3.0
- zenstruck/browser: ^1.6
README
This bundle detects brute-force attacks against a Symfony application and temporarily disables login for the attacker. It also dispatches a dedicated event so that custom handlers can run whenever a brute-force attempt is detected.
Compatibility
Since version 1.0 the bundle is compatible with Symfony 5.
Installation
Add the bundle via Composer
composer require anyx/login-gate-bundle
Configuration
Add to config/packages/login_gate.yaml
# config/packages/login_gate.yaml
login_gate:
    storages: ['orm'] # Attempts storages. Available storages: ['orm', 'session', 'mongodb']
    options:
        max_count_attempts: 3
        timeout: 600 # Ban period
        watch_period: 3600 # Only for databases storage. Period of actuality attempts
⚠️ Username resolver (optional).
Because Symfony does not offer a single way to retrieve the submitted username from a LoginFailureEvent that works for every authentication scenario, by default this bundle tries to read the username from the _username parameter of the request's form data.
This means that if you use a different authentication scenario (for example json_login), users coming from the same IP address cannot be told apart. To prevent this, create your own username resolver and register it in the username_resolver option.
<?php

namespace App\Service;

use Anyx\LoginGateBundle\Service\UsernameResolverInterface;
use Symfony\Component\HttpFoundation\Request;

/**
 * Username resolver for json login
 */
class UsernameResolver implements UsernameResolverInterface
{
    public function resolve(Request $request)
    {
        // json_login posts a JSON body, not form fields, so decode it
        $requestData = json_decode($request->getContent(), true);

        return is_array($requestData) && array_key_exists('username', $requestData)
            ? $requestData['username']
            : null;
    }
}
# config/packages/login_gate.yaml
login_gate:
    storages: ['orm'] # Attempts storages. Available storages: ['orm', 'session', 'mongodb']
    options:
        max_count_attempts: 3
        timeout: 600 # Ban period
        watch_period: 3600 # Only for databases storage. Period of actuality attempts
        username_resolver: App\Service\UsernameResolver
Register an event listener (optional).
services:
    acme.brute_force_listener:
        class: Acme\BestBundle\Listener\BruteForceAttemptListener
        tags:
            - { name: kernel.event_listener, event: security.brute_force_attempt, method: onBruteForceAttempt }
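An example of the listener class that the service definition above points at, added here and not part of the bundle's README: it records each detected attempt through a PSR logger so that lockouts show up in the application log for monitoring. It assumes the event object passed to the listener is Anyx\LoginGateBundle\Event\BruteForceAttemptEvent exposing getRequest(); the service id, class name and method name are the ones used in the configuration above.

```php
<?php

namespace Acme\BestBundle\Listener;

use Anyx\LoginGateBundle\Event\BruteForceAttemptEvent; // assumed event class name
use Psr\Log\LoggerInterface;

/**
 * Logs every brute-force attempt the bundle detects, so the lockout
 * leaves an audit trail that a SIEM or log-based alert can pick up.
 */
class BruteForceAttemptListener
{
    public function __construct(private LoggerInterface $logger)
    {
    }

    // Method name matches the "method" attribute of the kernel.event_listener tag
    public function onBruteForceAttempt(BruteForceAttemptEvent $event): void
    {
        $request = $event->getRequest();

        // The bundle's default resolver reads _username from the form data;
        // we only log it, never echo it back to the client.
        $username = $request->request->get('_username');

        $this->logger->warning('Brute-force login attempt detected, client temporarily banned', [
            'client_ip'  => $request->getClientIp(),
            'path'       => $request->getPathInfo(),
            'username'   => is_string($username) ? $username : null,
            'user_agent' => $request->headers->get('User-Agent'),
        ]);
    }
}
```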
Usage
For classic login-form authentication, we can check the number of login attempts before displaying the form
<?php

namespace App\Controller;

use Anyx\LoginGateBundle\Service\BruteForceChecker;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class SecurityController extends AbstractController
{
    /**
     * @Route("/login", name="login")
     */
    public function formLogin(AuthenticationUtils $authenticationUtils, BruteForceChecker $bruteForceChecker, Request $request): Response
    {
        // Do not render the form at all while the client is still banned
        if (!$bruteForceChecker->canLogin($request)) {
            return new Response('Too many login attempts');
        }

        $error = $authenticationUtils->getLastAuthenticationError();
        $lastUsername = $authenticationUtils->getLastUsername();

        return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]);
    }
}
It is also possible to clear the recorded login attempts for a request (by default this happens after a successful authentication)
$this->bruteForceChecker->getStorage()->clearCountAttempts($request, $username);
See the tests for more examples.