• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrators of any Discord server or server list have NO connection to the Otland's Staff. Do not get scammed!

C++ Is this safe?

endziu2222

Active Member
Joined
Nov 2, 2010
Messages
168
Solutions
1
Reaction score
44
My server is not online to the public yet, but for some reason I get logs from strange IPs.

I decided to change my code to the code below related to RSA. Can somebody tell me if this is safe? As of now, if somebody tries to log in from a dodgy client, he (I mean his IP) will be banned for 7 days. Code:
C++:
    if (!Protocol::RSA_decrypt(msg)) {
        if (auto connectionObject = getConnection()) {
            uint32_t ip = connectionObject->getIP();

            BanInfo banInfo;
            if (IOBan::isIpBanned(ip, banInfo) && banInfo.expiresAt > time(nullptr)) {
                disconnect();
                return;
            }

            std::string ipStr = convertIPToString(ip);
            g_logger().warn("Failed login attempt from IP: " + ipStr);

            if (IOBan::addIpBan(ip, "Unauthorized access attempt", 7)) {
                g_logger().warn("IP Banned for 7 days due to failed RSA decryption: " + ipStr);
            }
        }

        disconnect();
        return;
    }
 
So I am no expert in this, but banning upon RSA key failure may trigger a false positive for your legit client base.
Add a check of the number of tries before applying a ban; this will avoid most false-positive bans if something goes wrong with a legit client.

Not tested, but hopefully this conveys the idea for you. You could also use a database check that validates the last and current attempts plus the ban segment.
C++:
// This pseudo-code assumes the existence of IOBan helpers that can store and retrieve
// ban details and per-IP attempt counts (getFailedAttempts, getLastAttemptTime,
// updateFailedAttempts). They are not part of the stock IOBan and would have to be added.
// <ctime> provides the C++ built-in time() function, similar to os.time in Lua.
#include <ctime>
#include <string>

// Returns false when the connection must be refused (already banned, or banned just now)
// and true when the failure was only counted. The caller disconnects in both cases.
bool Protocol::checkAndHandleLoginFailure(uint32_t ip) {
    BanInfo banInfo;
    // Check if the IP is already banned and the ban is still valid
    if (IOBan::isIpBanned(ip, banInfo) && banInfo.expiresAt > time(nullptr)) {
        return false;
    }

    int failedAttempts = IOBan::getFailedAttempts(ip);
    time_t lastAttemptTime = IOBan::getLastAttemptTime(ip);

    // Only count failures that fall inside a 30-minute window (1800 seconds)
    if (time(nullptr) - lastAttemptTime < 1800) {
        failedAttempts++;
    } else {
        failedAttempts = 1; // Reset the count if 30 minutes have passed
    }

    IOBan::updateFailedAttempts(ip, failedAttempts, time(nullptr));

    if (failedAttempts >= 3) {
        // Third failed attempt: ban the IP for 7 days, using the same
        // addIpBan(ip, reason, days) call as in the first post
        IOBan::addIpBan(ip, "Unauthorized access attempt", 7);
        g_logger().warn("IP Banned for 7 days due to repeated failed RSA decryption: " + convertIPToString(ip));
        return false;
    }

    // Tell the client how many attempts remain (sendMessage is assumed to exist;
    // it has to be sent before the caller disconnects)
    sendMessage("Failed login attempt. You have " + std::to_string(3 - failedAttempts) + " more attempts before a ban is applied.");
    return true;
}

// Wrapper around the existing Protocol::RSA_decrypt(NetworkMessage&): on failure,
// record the attempt (and possibly ban the IP) before disconnecting. It has its own
// name so that it does not call itself recursively.
bool Protocol::RSA_decryptOrBan(NetworkMessage& msg) {
    if (!Protocol::RSA_decrypt(msg)) {
        if (auto connectionObject = getConnection()) {
            checkAndHandleLoginFailure(connectionObject->getIP());
        }
        disconnect();
        return false;
    }
    return true;
}
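The failed-attempt counting that the reply above sketches with database helpers, as an added stand-alone example (not code from either post or from the server's IOBan): a small in-memory tracker that keeps the per-IP count, the 30-minute window, the 7-day ban and its expiry, plus a purge of stale entries so that port scanners hitting a not-yet-public server do not grow the table without bound. The class name, the `FailureAction` result and the sample IPs and timestamps are all constructed for this example; the current time is passed in as a parameter so the window and the ban expiry can be exercised without waiting.

```cpp
#include <cstddef>
#include <cstdint>
#include <ctime>
#include <initializer_list>
#include <iostream>
#include <map>

// What the server should do after one failed RSA decryption from an IP.
enum class FailureAction { AlreadyBanned, Counted, Banned };

// Per-IP state. In a real server this would live in the database
// (the reply's getFailedAttempts / updateFailedAttempts); here it is a map.
struct IpFailureState {
    int failedAttempts = 0;
    std::time_t lastAttempt = 0;
    std::time_t banExpiresAt = 0;   // 0 means "not banned"
};

class LoginFailureTracker {
public:
    // maxFailures failures, each within windowSeconds of the previous one,
    // trigger a ban of banSeconds. The reply's values are 3, 1800 and 604800.
    LoginFailureTracker(int maxFailures, std::time_t windowSeconds, std::time_t banSeconds)
        : maxFailures_(maxFailures), window_(windowSeconds), banLength_(banSeconds) {}

    // Equivalent of the isIpBanned + expiresAt > now check in both posts.
    bool isBanned(uint32_t ip, std::time_t now) const {
        auto it = state_.find(ip);
        return it != state_.end() && it->second.banExpiresAt > now;
    }

    // Record one failed RSA decryption at time "now".
    FailureAction recordFailure(uint32_t ip, std::time_t now) {
        IpFailureState& s = state_[ip];
        if (s.banExpiresAt > now) {
            return FailureAction::AlreadyBanned;
        }
        // A gap of window_ seconds or more since the last failure restarts the count at 1.
        if (now - s.lastAttempt < window_) {
            ++s.failedAttempts;
        } else {
            s.failedAttempts = 1;
        }
        s.lastAttempt = now;
        if (s.failedAttempts >= maxFailures_) {
            s.banExpiresAt = now + banLength_;
            s.failedAttempts = 0;   // the count starts over once the ban has expired
            return FailureAction::Banned;
        }
        return FailureAction::Counted;
    }

    // Attempts left before a ban, for the "You have N more attempts" message.
    int remainingAttempts(uint32_t ip, std::time_t now) const {
        auto it = state_.find(ip);
        if (it == state_.end() || now - it->second.lastAttempt >= window_) {
            return maxFailures_;
        }
        return maxFailures_ - it->second.failedAttempts;
    }

    // Drop entries whose ban has expired and whose last failure is outside the
    // window; returns how many were removed.
    std::size_t purgeExpired(std::time_t now) {
        std::size_t removed = 0;
        for (auto it = state_.begin(); it != state_.end();) {
            const IpFailureState& s = it->second;
            bool banActive = s.banExpiresAt > now;
            bool windowActive = now - s.lastAttempt < window_;
            if (!banActive && !windowActive) {
                it = state_.erase(it);
                ++removed;
            } else {
                ++it;
            }
        }
        return removed;
    }

private:
    int maxFailures_;
    std::time_t window_;
    std::time_t banLength_;
    std::map<uint32_t, IpFailureState> state_;
};

// Walk-through on a constructed timeline (seconds from an arbitrary epoch), not real traffic.
int main() {
    LoginFailureTracker tracker(3, 1800, 604800);
    const uint32_t scanner = 0x0A000001;   // constructed sample IP, 10.0.0.1
    for (std::time_t t : {1000, 1100, 1200}) {
        FailureAction a = tracker.recordFailure(scanner, t);
        std::cout << "t=" << t << " action=" << static_cast<int>(a)
                  << " remaining=" << tracker.remainingAttempts(scanner, t) << '\n';
    }
    std::cout << "banned now: " << tracker.isBanned(scanner, 1200) << '\n';
    std::cout << "banned after 7 days: " << tracker.isBanned(scanner, 1200 + 604800) << '\n';
    std::cout << "purged: " << tracker.purgeExpired(1200 + 604800 + 1) << '\n';
    return 0;
}
```

Two properties worth checking against the reply's pseudo-code are visible here: three failures spread more than 30 minutes apart never reach the threshold (each one restarts the count), and a ban is checked before the counter is touched, so a banned IP cannot extend its own state by reconnecting.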
 