Index: openacs-4/packages/acs-admin/acs-admin.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-admin/acs-admin.info,v
diff -u -N -r1.51 -r1.52
--- openacs-4/packages/acs-admin/acs-admin.info	7 Aug 2017 23:47:45 -0000	1.51
+++ openacs-4/packages/acs-admin/acs-admin.info	1 Mar 2018 13:35:13 -0000	1.52
@@ -9,7 +9,7 @@
     <implements-subsite-p>f</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
     
-    <version name="5.10.0d1" url="http://openacs.org/repository/download/apm/acs-admin-5.10.0d1.apm">
+    <version name="5.10.0d2" url="http://openacs.org/repository/download/apm/acs-admin-5.10.0d2.apm">
         <owner url="mailto:dhogaza@pacifier.com">Don Baccus</owner>
         <summary>An interface for Site-wide administration of an OpenACS Installation.</summary>
         <release-date>2017-08-06</release-date>
@@ -20,11 +20,12 @@
         <license>GPL</license>
         <maturity>3</maturity>
 
-        <provides url="acs-admin" version="5.10.0d1"/>
+        <provides url="acs-admin" version="5.10.0d2"/>
         <requires url="acs-kernel" version="5.9.1"/>
 	<requires url="acs-tcl" version="5.9.1"/>
 	<requires url="acs-templating" version="5.9.1"/>
         <requires url="acs-mail-lite" version="5.9.1"/>
+	<requires url="acs-authentication" version="5.10.0d2"/>
 	
         <callbacks>
         </callbacks>
Index: openacs-4/packages/acs-admin/www/auth/index.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-admin/www/auth/index.adp,v
diff -u -N -r1.6 -r1.7
--- openacs-4/packages/acs-admin/www/auth/index.adp	3 Jul 2015 10:25:38 -0000	1.6
+++ openacs-4/packages/acs-admin/www/auth/index.adp	1 Mar 2018 13:35:13 -0000	1.7
@@ -10,9 +10,11 @@
   <ul>
     <li><a href="authority" class="button">Create new authority</a></li>
     <li><a href="@parameter_url@" class="button">Edit parameters</a></li>
+    <li><a href="login-attempts" class="button">Login-Attempts</a></li>
   </ul>
 </div>
 
 <p style="margin-top: 4px; margin-bottom: 2px; color: #666666; font-family: tahoma,verdana,arial,helvetica,sans-serif; font-size: 75%;">
   [*] The drop down menu of authorities on the login page will be sorted accordingly.
 </p>
+
Index: openacs-4/packages/acs-authentication/acs-authentication.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/acs-authentication.info,v
diff -u -N -r1.41 -r1.42
--- openacs-4/packages/acs-authentication/acs-authentication.info	7 Aug 2017 23:47:46 -0000	1.41
+++ openacs-4/packages/acs-authentication/acs-authentication.info	1 Mar 2018 13:35:13 -0000	1.42
@@ -7,7 +7,7 @@
     <initial-install-p>t</initial-install-p>
     <singleton-p>t</singleton-p>
     
-    <version name="5.10.0d1" url="http://openacs.org/repository/download/apm/acs-authentication-5.10.0d1.apm">
+    <version name="5.10.0d2" url="http://openacs.org/repository/download/apm/acs-authentication-5.10.0d2.apm">
         <owner url="mailto:lars@collaboraid.biz">Lars Pind</owner>
         <summary>Authentication, account management, and related functionality.</summary>
         <release-date>2017-08-06</release-date>
@@ -16,7 +16,7 @@
         <license url="http://www.gnu.org/copyleft/gpl.html">GPL version 2</license>
         <description format="text/html">Implements authentication-related security functions for OpenACS, including password, account and session management, bulk account creation etc.  Provides a contract based interface for different authentication methods such as PAM or LDAP based authentication.</description>
 
-        <provides url="acs-authentication" version="5.10.0d1"/>
+        <provides url="acs-authentication" version="5.10.0d2"/>
         <requires url="acs-kernel" version="5.9.1"/>
         <requires url="acs-service-contract" version="5.9.1"/>
         <requires url="acs-mail-lite" version="5.9.1"/>
@@ -30,6 +30,8 @@
             <parameter datatype="number"  min_n_values="1"  max_n_values="1"  name="AcknowledgementFileName"  default="{acs_root_dir}/batch-sync-ack-{authority}-{ansi_date}.xml" description="Full file path to where we should drop the acknowledgement file for batch syncs. You can use these special values: {acs_root_di
 r} will get replaced with the root directory for this OpenACS installation, e.g. '/var/lib/aolserver/service0' (no trailing slash). {ansi_date} will get replaced with today's date in ANSI format, e.g. '2003-10-29'. {authority} will get replaced with the short_name of the authority, e.g. 'rz_pam'." section_name="Batch Synchronization"/>
             <parameter datatype="number"  min_n_values="1"  max_n_values="1"  name="KeepBatchLogDays"  default="0" description="The number of days to keep the log for a batch user synchronization job around. Say 0 if you want to keep the log forever." section_name="Batch Synchronization"/>
+            <parameter scope="instance" datatype="number"  min_n_values="1"  max_n_values="1"  name="MaxConsecutiveFailedLoginAttempts"  default="0" description="Enables the tracking of consecutive failed login attempts per subsite and to slowdown brute force attacks. After reaching this threshold every further login attempt from is automatically rejected for a period of MaxConsecutiveFailedLoginAttemptsLockoutTime seconds . 0 for infinte attempts. " section_name="security"/>
+            <parameter scope="instance" datatype="number"  min_n_values="1"  max_n_values="1"  name="MaxConsecutiveFailedLoginAttemptsLockoutTime"  default="21600" description="Timespan in seconds for which every login attempt is rejected after the limit set by MaxConsecutiveFailedLoginAttempts has been reached. This parameter is only in effect if MaxConsecutiveFailedLoginAttempts is greater than zero. " section_name="security"/>
             <parameter datatype="string"  min_n_values="1"  max_n_values="1"  name="RegisterAuthority"  default="local" description="The short name of the authority in which users are registered. Is best set in the Authentication admin UI."/>
             <parameter datatype="number"  min_n_values="1"  max_n_values="1"  name="SyncAddUsersToDotLrnP"  default="0" description="Should we add users to .LRN? This requires .LRN to be installed, and has serious performance implications." section_name="Batch Synchronization"/>
             <parameter datatype="number"  min_n_values="1"  max_n_values="1"  name="SyncDotLrnAccessLevel"  default="1" description=".LRN access level (if .LRN is installed). 1 = Full access user, 0 = Limited access user" section_name="Batch Synchronization"/>
Index: openacs-4/packages/acs-authentication/catalog/acs-authentication.de_DE.ISO-8859-1.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/catalog/acs-authentication.de_DE.ISO-8859-1.xml,v
diff -u -N -r1.7 -r1.8
--- openacs-4/packages/acs-authentication/catalog/acs-authentication.de_DE.ISO-8859-1.xml	7 Aug 2017 23:47:46 -0000	1.7
+++ openacs-4/packages/acs-authentication/catalog/acs-authentication.de_DE.ISO-8859-1.xml	1 Mar 2018 13:35:13 -0000	1.8
@@ -7,4 +7,5 @@
   <msg key="Has_account_on_system_name">Hat ein Benutzerkonto auf %system_name%</msg>
   <msg key="Invalid_username_or_password">Benutzeridentifikation oder Passwort ist falsch</msg>
   <msg key="lt_Not_getting_the_results_you_expected">Nicht die Resultate, die Sie erwartet haben? Suchen Sie nach: </msg>
+  <msg key="To_many_failed_login_attempts">Zugriff aufgrund zu vieler fehlgeschlagener Anmeldeversuche tempor�r gesperrt. Versuchen Sie es sp�ter erneut!</msg>
 </message_catalog>
Index: openacs-4/packages/acs-authentication/catalog/acs-authentication.en_US.ISO-8859-1.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/catalog/acs-authentication.en_US.ISO-8859-1.xml,v
diff -u -N -r1.10 -r1.11
--- openacs-4/packages/acs-authentication/catalog/acs-authentication.en_US.ISO-8859-1.xml	8 Sep 2008 20:14:58 -0000	1.10
+++ openacs-4/packages/acs-authentication/catalog/acs-authentication.en_US.ISO-8859-1.xml	1 Mar 2018 13:35:13 -0000	1.11
@@ -7,4 +7,5 @@
   <msg key="Has_account_on_system_name">Has an account on %system_name%</msg>
   <msg key="Invalid_username_or_password">Invalid username or password</msg>
   <msg key="lt_Not_getting_the_results_you_expected">Not getting the results you expected? Try searching:</msg>
+  <msg key="To_many_failed_login_attempts">Access rejected because of to many invalid login attempts. Try again later!</msg>
 </message_catalog>
Index: openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl,v
diff -u -N -r1.93 -r1.94
--- openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl	3 Jan 2018 13:28:49 -0000	1.93
+++ openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl	1 Mar 2018 13:35:13 -0000	1.94
@@ -10,8 +10,8 @@
 namespace eval auth::authentication {}
 namespace eval auth::registration {}
 namespace eval auth::user_info {}
+namespace eval auth::login_attempts {}
 
-
 #####
 #
 # auth namespace public procs
@@ -202,6 +202,22 @@
     </ul>
 
 } {
+
+    # Login Brute Force Prevention
+    set login_attempt_key "[ad_conn peeraddr]-[ad_conn subsite_id]"
+
+    if { [::auth::login_attempts::threshold_reached_p -login_attempt_key $login_attempt_key] } {
+        set auth_message [_ acs-authentication.To_many_failed_login_attempts]   
+
+       	return [list auth_status "failed_to_connect" \
+                    auth_message $auth_message \
+                    account_status "closed" \
+                    account_message "[_ acs-subsite.Auth_internal_error]"]
+    }
+
+    # record login attempt
+    ::auth::login_attempts::record -login_attempt_key $login_attempt_key
+
     if { $username eq "" } {
         if { $email eq "" } {
             set result(auth_status) "auth_error"
@@ -228,17 +244,15 @@
         }
     }
 
+    # set default values for the result array
+    array set result {auth_status "n/a" account_status "n/a"}
+    
     ad_try {
         array set result [auth::authentication::Authenticate \
                               -username $username \
                               -authority_id $authority_id \
                               -password $password]
 
-        # We do this so that if there aren't even the auth_status and account_status that need be
-        # in the array, that gets caught below
-        if {$result(auth_status) eq "ok"} {
-            set dummy $result(account_status)
-        }
     } on error {errorMsg} {
         set result(auth_status) failed_to_connect
         set result(auth_message) $errorMsg
@@ -254,6 +268,9 @@
     # Verify result/auth_message return codes
     switch $result(auth_status) {
         ok {
+	    # reset/unset failed login attempts counter after a successfull authentication
+ 	    ::auth::login_attempts::reset -login_attempt_key $login_attempt_key
+
             # Continue below
         }
         no_account -
@@ -1898,7 +1915,102 @@
                 -operation GetUserInfo \
                 -call_args [list $username $parameters]]
 }
+#####
+#
+# auth::login_attempts
+#
+#####
 
+# Prevent/slowdown brute force attacks on login by counting the number of
+# failed consecutive failed login attempts based on the ip-address and subsite.
+#
+# After the maximum number of consecutive failed login attempts
+# has been excedeed, all further login attempts will be automatically rejected
+# for a specifed lock-out/cool-down time, even if the correct credentials have been
+# provided. Every successfull login before reaching the threshold resets the 
+# counter to 0 again. Beware, the counting is done via caching and is
+# therefore not persistent.
+#
+# Configure this feature via the following acs-authentication parameters:
+#
+# MaxConsecutiveFailedLoginAttempts: max number of consecutive failed login attempts;
+# Default: 0 (= infinite attempts)
+#
+# MaxConsecutiveFailedLoginAttemptsLockoutTime : Timespan in seconds
+# for which every new login attempt is rejected after the threshold has been reached.
+# Default: 21600 seconds (six hours)
+#
+
+ad_proc -private ::auth::login_attempts::threshold_reached_p {
+    {-login_attempt_key "[ad_conn peeraddr]-[ad_conn subsite_id]"}
+}  {
+    Check if the maximum number of consecutive failed
+    login attempts has been reached
+
+    @param login_attempt_key Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"
+
+    @return 1 if limit has been reached otherwise 0
+} {
+
+    set max_failed_login_attempts [parameter::get_from_package_key \
+                                       -parameter "MaxConsecutiveFailedLoginAttempts" \
+                                       -package_key "acs-authentication" \
+                                       -default 0]
+
+    if {$max_failed_login_attempts > 0 && [::auth::login_attempts::get -key $login_attempt_key] > $max_failed_login_attempts} {
+        return 1
+    } else {
+        return 0
+    }
+
+}
+
+ad_proc -private ::auth::login_attempts::record {
+    {-login_attempt_key "[ad_conn peeraddr]-[ad_conn subsite_id]"}
+}  {
+    Record a failed login attempt
+
+    @param login_attempt_key Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"
+
+} {
+
+    if { [parameter::get_from_package_key -parameter "MaxConsecutiveFailedLoginAttempts" -package_key "acs-authentication" -default 0] } {
+
+        set max_age [parameter::get_from_package_key \
+                        -parameter "MaxConsecutiveFailedLoginAttemptsLockoutTime" \
+                        -package_key "acs-authentication" \
+                        -default 21600]
+
+        ::auth::login_attempts::login_attempt_incr -key $login_attempt_key -max_age $max_age
+    }
+
+}
+
+ad_proc -public ::auth::login_attempts::reset {
+    {-login_attempt_key "[ad_conn peeraddr]-[ad_conn subsite_id]"}
+}  {
+    Flush the recorded failed login attempt for the provided login_attempt_key
+
+    @param login_attempt_key Identifier of this login attempt. Defaults to "[ad_conn peeraddr]-[ad_conn subsite]"
+
+} {
+
+    ::auth::login_attempts::login_attempt_flush -key $login_attempt_key
+
+}
+
+ad_proc -public ::auth::login_attempts::reset_all {}  {
+    Flush all recored failed login attempts
+} {
+    ::auth::login_attempts::flush_all
+}
+
+ad_proc -public ::auth::login_attempts::get_all {}  {
+    Get all failed login attempts
+} {
+    ::auth::login_attempts::all_entries
+}
+
 # Local variables:
 #    mode: tcl
 #    tcl-indent-level: 4