Adds support for Fail2Ban by writing a log file, prevents creating of double accounts and domains

README.md

@@ -190,6 +190,17 @@ You can then login into the admin dashboard with that e-mail address and the cor
 	
 	define("MIN_PASS_LENGTH", 8);
 
+### Logfile
+
+You can enable logging. WebMUM will then write messages into the file log/log.txt when a login attempt fails.
+After several attempts you can block the attacker's IP-address with Fail2Ban. For Fail2Ban configuration please visit this page: http://www.fail2ban.org/wiki/index.php/HOWTOs
+
+To enable logging, comment in the line
+	
+	// define("WRITE_LOG", true);
+	
+... and make sure that PHP has permissions to write the log file to log/log.txt.
+
 ## Update / Upgrade WebMUM
 
 If you cloned WebMUM into your filesystem via `git clone https://github.com/ThomasLeister/webmum`:

config/config.inc.php

@@ -57,4 +57,13 @@ define("ADMIN_EMAIL", "admin@domain.tld");
 
 define("MIN_PASS_LENGTH", 8);
 
+/*
+ * Write log file to log/log.txt ? Failed login attempts will be written to the logfile.
+ * You can mointor the logfile with fail2ban and ban attackers' IP-addresses.
+ * Make sure that PHP has permission to create the log directory and log.txt (write permissions for php user)
+ * Default: Do not write logfile
+ */
+
+// define("WRITE_LOG", true);
+
 ?>

include/php/global.inc.php

@@ -90,4 +90,18 @@ function write_pass_hash_to_db($pass_hash, $uid){
 }
 
 
+/*
+ * Add message to logfile
+ */
+function writeLog($text){
+	if(defined('WRITE_LOG')){
+		$logfile = fopen("log/log.txt", "a") or die("Unable to create / open logfile \"log/log.txt\" in root directory!");
+		fwrite($logfile, $text."\n");
+		fclose($logfile);
+	}
+}
+
+
+
+
 ?>

include/php/pages/admin/createdomain.php

@@ -4,13 +4,20 @@ if(isset($_POST['domain'])){
 	$domain = $db->escape_string($_POST['domain']);
 	
 	if($domain !== ""){
-		$sql = "INSERT INTO `".DBT_DOMAINS."` (`".DBC_DOMAINS_DOMAIN."`) VALUES ('$domain');";
-			
-		if(!$result = $db->query($sql)){
-			die('There was an error running the query [' . $db->error . ']');
+		// Check if domain exists in database
+		$domain_exists = $db->query("SELECT `".DBC_DOMAINS_DOMAIN."` FROM `".DBT_DOMAINS."` WHERE `".DBC_DOMAINS_DOMAIN."` = '$domain';");
+		if($domain_exists->num_rows == 0){
+			$sql = "INSERT INTO `".DBT_DOMAINS."` (`".DBC_DOMAINS_DOMAIN."`) VALUES ('$domain');";
+				
+			if(!$result = $db->query($sql)){
+				die('There was an error running the query [' . $db->error . ']');
+			}
+			else{
+				header("Location: ".FRONTEND_BASE_PATH."admin/listdomains/?created=1");
+			}
 		}
 		else{
-			header("Location: ".FRONTEND_BASE_PATH."admin/listdomains/?created=1");
+			add_message("fail", "Domain already exists in database.");
 		}
 	}
 	else{

include/php/pages/admin/edituser.php

@@ -73,31 +73,38 @@
 			$pass_rep = $_POST['password_rep'];
 			
 			if($username !== "" && $domain !== "" && $quota !== "" && $mailbox_limit !== ""){
-				// All fields filled with content
-				// Check passwords
-				$pass_ok = check_new_pass($pass, $pass_rep);
-				if($pass_ok === true){
-					// Password is okay ... continue
-					$pass_hash = gen_pass_hash($pass);
-					
-					// Differ between version with mailbox_limit and version without
-					if(defined('DBC_USERS_MAILBOXLIMIT')){
-						$sql = "INSERT INTO `".DBT_USERS."` (`".DBC_USERS_USERNAME."`, `".DBC_USERS_DOMAIN."`, `".DBC_USERS_PASSWORD."`, `".DBC_USERS_MAILBOXLIMIT."`) VALUES ('$username', '$domain', '$pass_hash', '$mailbox_limit')";
-					}
-						else{
-							$sql = "INSERT INTO `".DBT_USERS."` (`".DBC_USERS_USERNAME."`, `".DBC_USERS_DOMAIN."`, `".DBC_USERS_PASSWORD."`) VALUES ('$username', '$domain', '$pass_hash')";
+				// Check if user already exists
+				$user_exists = $db->query("SELECT `".DBC_USERS_USERNAME."`, `".DBC_USERS_DOMAIN."` FROM `".DBT_USERS."` WHERE `".DBC_USERS_USERNAME."` = '$username' AND `".DBC_USERS_DOMAIN."` = '$domain';");
+				if($user_exists->num_rows == 0){	
+					// All fields filled with content
+					// Check passwords
+					$pass_ok = check_new_pass($pass, $pass_rep);
+					if($pass_ok === true){
+						// Password is okay ... continue
+						$pass_hash = gen_pass_hash($pass);
+						
+						// Differ between version with mailbox_limit and version without
+						if(defined('DBC_USERS_MAILBOXLIMIT')){
+							$sql = "INSERT INTO `".DBT_USERS."` (`".DBC_USERS_USERNAME."`, `".DBC_USERS_DOMAIN."`, `".DBC_USERS_PASSWORD."`, `".DBC_USERS_MAILBOXLIMIT."`) VALUES ('$username', '$domain', '$pass_hash', '$mailbox_limit')";
 						}
-					
-					if(!$result = $db->query($sql)){
-						die('There was an error running the query [' . $db->error . ']');
+							else{
+								$sql = "INSERT INTO `".DBT_USERS."` (`".DBC_USERS_USERNAME."`, `".DBC_USERS_DOMAIN."`, `".DBC_USERS_PASSWORD."`) VALUES ('$username', '$domain', '$pass_hash')";
+							}
+						
+						if(!$result = $db->query($sql)){
+							die('There was an error running the query [' . $db->error . ']');
+						}
+						
+						// Redirect user to user list
+						header("Location: ".FRONTEND_BASE_PATH."admin/listusers/?created=1");
+					}
+					else{
+						// Password not okay
+						add_message("fail", $PASS_ERR_MSG);
 					}
-					
-					// Redirect user to user list
-					header("Location: ".FRONTEND_BASE_PATH."admin/listusers/?created=1");
 				}
 				else{
-					// Password not okay
-					add_message("fail", $PASS_ERR_MSG);
+					add_message("fail", "User already exists in database.");
 				}
 			}
 		 	else{

include/php/pages/admin/listdomains.php

@@ -16,7 +16,7 @@
 <?php output_messages(); ?>
 
 <p>
-Manage the domains which you want to use
+Add or delete domains.
 </p>
 
 

include/php/pages/login.php

@@ -6,8 +6,11 @@ if(isset($_POST['email']) && isset($_POST['password'])){
 	if($login_success){
 		header("Location: ".FRONTEND_BASE_PATH."private/");
 	}
+	// If login is not successful
 	else{
-		add_message("fail", "Sorry, I couldn't log you in :(");
+		//Log error message
+		writeLog("WebMUM login failed for IP ".$_SERVER['REMOTE_ADDR']);
+		add_message("fail", "Sorry, couldn't log you in :(");
 	}
 }