anyx/login-gate-bundle
Composer 安装命令:
composer require anyx/login-gate-bundle
包简介
Checking brute force attacks on site
关键字:
README 文档
README
⚠️ Bundle is deprecated since similar functionality was introduced in Symfony framework. See https://symfony.com/doc/current/security.html#limiting-login-attempts
This bundle detects brute-force attacks on Symfony applications. It then will disable login for attackers for a certain period of time. This bundle also provides special events to execute custom handlers when a brute-force attack is detected.
Compatibility
The bundle is since version 1.0 compatible with Symfony 5.
Installation
Add this bundle via Composer:
composer require anyx/login-gate-bundle
Configuration:
Add in config/packages/login_gate.yml:
# config/packages/login_gate.yaml login_gate: storages: ['orm'] # Attempts storages. Available storages: ['orm', 'session', 'mongodb'] options: max_count_attempts: 3 timeout: 600 #Ban period watch_period: 3600 #Only for databases storage. Period of actuality attempts
⚠️ Username resolver (optional).
Since Symfony does not provide a common way to retrieve passed username
from LoginFailureEvent for every possible authentication scenario,
by default this bundle is trying to retrieve username from _username parameter in request's form data.
It means, that if you are using different authentication scenario (json_login, for example),
users with same ip addresses will be indistinguishable. To prevent this,
you probably should create own username resolver and register it in username_resolver option:
<?php namespace App\Service; use Anyx\LoginGateBundle\Service\UsernameResolverInterface; use Symfony\Component\HttpFoundation\Request; /** * Username resolver for json login */ class UsernameResolver implements UsernameResolverInterface { public function resolve(Request $request) { $requestData = json_decode($request->getContent(), true); return is_array($requestData) && array_key_exists('username', $requestData) ? $requestData['username'] : null; } }
# config/packages/login_gate.yaml login_gate: storages: ['orm'] # Attempts storages. Available storages: ['orm', 'session', 'mongodb'] options: max_count_attempts: 3 timeout: 600 #Ban period watch_period: 3600 #Only for databases storage. Period of actuality attempts username_resolver: App\Service\UsernameResolver
Register event handler (optional).
services: acme.brute_force_listener: class: Acme\BestBundle\Listener\BruteForceAttemptListener tags: - { name: kernel.event_listener, event: security.brute_force_attempt, method: onBruteForceAttempt }
Usage
For classic login form authentication we can check count login attempts before showing form:
namespace App\Controller; use Anyx\LoginGateBundle\Service\BruteForceChecker; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\Routing\Annotation\Route; use Symfony\Component\Security\Http\Authentication\AuthenticationUtils; class SecurityController extends AbstractController { /** * @Route("/login", name="login") */ public function formLogin(AuthenticationUtils $authenticationUtils, BruteForceChecker $bruteForceChecker, Request $request): Response { if (!$bruteForceChecker->canLogin($request)) { return new Response('Too many login attempts'); } $error = $authenticationUtils->getLastAuthenticationError(); $lastUsername = $authenticationUtils->getLastUsername(); return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]); } }
Also there is ability to clear login attempts for request (it happens after successful authentication by default):
$this->bruteForceChecker->getStorage()->clearCountAttempts($request, $username);
For more examples take a look at the tests.
anyx/login-gate-bundle 适用场景与选型建议
anyx/login-gate-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 343.51k 次下载、GitHub Stars 达 59, 最近一次更新时间为 2013 年 04 月 19 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「brute-force」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 anyx/login-gate-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 anyx/login-gate-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 anyx/login-gate-bundle 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Checking brute force attacks on site
Simple brute-force prevention (account locking) for Flow
Contao CMS integrity check for some files
A PHP security linter to detect insecure functions like var_dump, print_r, and other dangerous functions in your codebase
统计信息
- 总下载量: 343.51k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 60
- 点击次数: 18
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2013-04-19