March 2017 – Welcome to Mehta Websolution's Blog

29/03/2017

Simple PHP anti-brute-force login

You may have a simple site protected by a simple PHP username/password login script. The site may be so simple that the actual username/password and all other configuration settings are stored in plain-text files on the backend server and you don’t even make use of a database.

How do you protect your site from someone that’s trying to break your login though? Someone that writes a script and tries thousands of different username/password pairs per second? Well for one it helps if the username is something other than just ‘admin’. But also, you want to prevent scripted login attempts by restricting the number of invalid attempts per hour. That is, after 3 incorrect login attempts, lock out the user account for 10 minutes. This means a hacker can try at most 18 password combinations per hour.

But if you lock by username, the hacker can use this to discover valid users, then try to crack the password. You can alternatively lock out after 3 invalid login attempts from a particular IP address. Hackers could only bypass this by either using a lot of proxies, or performing a distributed zombie attack, but that takes considerably more effort and determination. Your simple site is probably not worth the effort for that.

The following is a simple PHP static class with a utility function to help you do this:

<?php

class Services {

//call with no parameters to get a true/false response. If true, do not process login.
//call with parameter set to true to register a new failed attempt for current user and return a true/false response.
public static function bruteCheck($failed_attempt = false) {
$deny_login = false;

if(!file_exists(MM_BRUTE_FILE)) touch(MM_BRUTE_FILE);
$cache = unserialize(Services::fileToString(MM_BRUTE_FILE));
if(!$cache) $cache = array();

if($failed_attempt) {  //register the new failed attempt and timestamp
  if(!isset($cache[$_SERVER['REMOTE_ADDR']])) {
$cache[$_SERVER['REMOTE_ADDR']] = array();
  }
  $cache[$_SERVER['REMOTE_ADDR']][] = time();
  if(count($cache[$_SERVER['REMOTE_ADDR']]) > MM_BRUTE_ATTEMPTS) array_shift($cache[$_SERVER['REMOTE_ADDR']]);
}

//get the number of failed attempts in the last 15 minutes
if(!isset($cache[$_SERVER['REMOTE_ADDR']])) {
  $deny_login = false;
} else {
  $attempts = $cache[$_SERVER['REMOTE_ADDR']];
  if(count($attempts) < MM_BRUTE_ATTEMPTS) {
      $deny_login = false;
  } else {
if($attempts[0] + MM_BRUTE_WINDOW > time()) $deny_login = true;
else $deny_login = false;
  }
}

//cleanup the cache so it doesn't get too large over time
foreach($cache as $ip=>$attempts) {
  if($attempts) {
      if($attempts[count($attempts)-1] + MM_BRUTE_WINDOW < time()) {
    unset($cache[$ip]);
}
  }
}

Services::stringToFile(MM_BRUTE_FILE, serialize($cache));

return $deny_login;
}

public static function fileToString($filename) {
    return file_get_contents($filename);
}

public static function stringToFile($filename, $data) {
    $file = fopen ($filename, "w");
    fwrite($file, $data);
    fclose ($file);
    return true;
}
}
?>

To use it, just modify your login procedure as follows:

$deny_login = Services::bruteCheck();
if($deny_login) {
   $login_err = "Login locked. Try again in 15 minutes.";
} else {
   //check login credentials
   if($incorrect_login) {
       Services::bruteCheck(true);
       $login_err = "Invalid username or password!";
   } else {
       //user is logged in
   }
}

The bruteCheck function maintains an associative array that collects the number of failed login attempts per IP address. This is cached to the file-system as a serialized PHP object. Edit the constant params as needed to point to the location of this cache file, the number of allowed login attempts, and the lockout window. For example (I usually stick these in my main config.php which includes all application settings):

define('MM_BRUTE_FILE', 'c:/temp/brute.txt');
define('MM_BRUTE_WINDOW', 15*60);
define('MM_BRUTE_ATTEMPTS', 5);

04/03/201704/03/2017

How to install NginX on cPanel/WHM Server

NginX is one of the most popular choice open source Web server and a reverse proxy. For those who are not very familiar with Linux & have cPanel/WHM installed in your server or VPS here is the guide on how to install them.

The package comes with Nginx Admin plugins for cPanel. To install execute the following command through SSH client. You have to login as root.

cd /usr/local/src
wget http://nginxcp.com/latest/nginxadmin.tar
tar xf nginxadmin.tar
cd publicnginx
./nginxinstaller install

If you are installing Nginx Admin for the first time and there is Python Error while installing you have to execute the following command.

./pythonfix
./nginxinstaller install

If you want to uninstall Nginx Admin, execute the following commands.

cd /usr/local/src
wget http://nginxcp.com/latest/nginxadmin.tar
tar xf nginxadmin.tar
cd publicnginx
./nginxinstaller uninstall

02/03/2017

Convert PDF Documents with Able2Extract Professional 11

As the new trends in technology are constantly growing, we are becoming familiar with how productivity tools can actually help us. From making our work more streamlined up to saving us hours on repetitive tasks — it’s obvious that we are becoming more and more dependent on our digital sidekicks to get the job done. And that is a good thing since our work has become much easier and faster.

There are numerous ways how we can benefit from productivity tools. Let’s take document management, for example. It is one of the most time consuming and frustrating tasks in the modern office. When receiving a huge amount of documentation it is never easy to arrange everything or filter just important files. And in the majority of cases, the documents we receive are in PDF format, which leaves us with almost no choice when it comes to their editing. Simply put, PDF files cannot be edited by default.

If you wish to manually retype the entire document or just some specific parts of it, it would take a lot of time and nerves but eventually, you will complete the task. But at what price? That is why some companies have developed software solution for this problem.

One product that can convert uneditable PDF documents is Investintech’s Able2Extract Professional 11. The tool has an advanced technology that can convert even a scanned PDFs into fully editable file formats. With Optical Character Recognition engine, it scans the image PDF and reads the text locked in the image. When integrated into a PDF converter, it enables us to extract that image text into an editable digital format.

The tool is very easy and intuitive to use so following these three steps is all it takes to convert any text from scanned PDFs using Able2Extract OCR technology:

1) Open your file you’d like to convert

2) Select the entire document or some parts of it

3) Choose the desired format and click Save

Besides creation, you can edit your PDF content with the latest version of PDF Editor where all changes are instantly visible, right on the spot.

You can use this editing panel for:

Adding or removing text, shapes, and images
Merging multiple PDFs into one large file
Extract an individual or several pages
Resize and rotate pages
Move and scale content
Redacting any sensitive information

Among these features, there is a lot more what Able2Extract Professional PDF Converter has to offer. It is free to try for 7 days, so you can download it here. We are sure you will not be disappointed.