Integration von OTP / 2FA

[markherrmann]

Hallo liebe Leser*in,
seit einiger Zeit beschäftigt mich die Frage nach verbesserter Sicherheit in WB.

Ich habe mehrere laufende Versionen von 2.12.x und sehe anhand meiner Logfiles, dass ettliche Aufrufe darauf abzielten Schwachstellen zu finden. Ich mache die über umfangreiche Logs, und definierter htaccess Datei auf dem (Hosting) Server. Ich leite alle 404 Pages an eine Seite, die prüft was versucht wurde aufzurufen.

Was da alles so zu Tage kommt, ist schon erstaunlich. Was ich damit nicht abfangen kann sind direktaufrufe von WB Seiten (wie login.php), das ist nicht ganz optimal. Ich hab mir überlegt als zusätzliches Feature OTP/2FA zu implementieren. Eine DEMO-Seite habe ich hier mal ans Laufen gebracht, aber noch nicht integriert (weil umfangreiche Änderungen notwendig werden).

Meine bisherige Überlegung:

• Weitere Tabelle in der DB mit den SEC Keys pro User
• Anstatt POST auf allen Seiten eigene Loginpage
• Wenn problematisch, vorherige Abfrage ob OTP valide, danach erst POST request an login.php

Jetzt möchte ich wenig an WB verändern, vielleicht hat sich schon mal jemand mit diesem Thema auseinander gesetzt?
Für Anregungen und Tips bin ich sehr dankbar. 

Meine OTP-Demo läuft unter: https://www.bau-arge.de/pages/g2fa-test.php

[crnogorac081]

I checked your demo but both my isp providers are marked as abuse which is ridiculous.

Can you explain more in detail what is your problem ? You have (entire) public available website, or some pages are required for login, or form is not working ? Do you have some weird form input in backend ?

I believe core development team is doing something on 2FA.

Also you should upgrade to 2.13.2 which is latest official release.

If you coded something you can post the code to take a look.

[markherrmann]

Thank you for try to test. The abuse screen (in red color) comes, then the request comes from blocked ip or country. In the past some ip from cloud center like company HETZNER did try to bruteforce, spam or did vulnerability scans. All this are automatic blocked. Maybe your ip is blocked.

And yes i had to update, i think in newer versions is otp also not suported.

All the other visitors are welcome to think with me about implementation otp.

Thanks and have a good night.

[crnogorac081]

Ok tested app how to login ? Is there more code for this ?

[markherrmann]

i did not implement at this moment, i want to discuss with other interested users how they think about that.
in the badest way i will modify the login.php of wb, but thats not the best idea for future updates…

naturaly i do not publish the secret key on my page, that was a test for functionaly…
later every user get own key, and so own otp

[markherrmann]

Did you use KALI with proxychain? A lot of requests, every with onother ip 
Please dont pentest me…

[crnogorac081]

No lol. Where is the test code how to implement this on own website, I want to try

[markherrmann]

Hello buddy, at the moment there is nothing to test. I was more concerned with discussions about integration. I will do the later integration via a new registration form. I send each new user the secret key to activate the password in their OTP app.

Right now I'm just showing a demo. There is a 6-digit code that is also in the user's app. This code is the same for everyone because I show the initialization key publicly.

In no case do I integrate this into the login, that would be something like a master key.

I just wanted to talk about whether someone else has already integrated something like this. I'm hesitating between changing the original CMS and adding my own solution.

But thanks anyway for your posts.

[markherrmann]

and every user get a own key, the registration form i changed for example in https://argeforum.de/pages/registration.php

there is the OTP also not implemented at this time, so i don't send the key while registration.