  1. <?php
  2. /**
  3. *
  4. * This file is part of HESK - PHP Help Desk Software.
  5. *
  6. * (c) Copyright Klemen Stirn. All rights reserved.
  7. * https://www.hesk.com
  8. *
  9. * For the full copyright and license agreement information visit
  10. * https://www.hesk.com/eula.php
  11. *
  12. */
// IN_SCRIPT is the guard every HESK include checks before running; HESK_PATH is
// the relative path from this admin page back to the install root
define('IN_SCRIPT', 1);
define('HESK_PATH', '../');
define('PAGE_TITLE', 'ADMIN_BANNED_IPS');
define('MFH_PAGE_LAYOUT', 'TOP_ONLY');
/* Get all the required files and functions */
require(HESK_PATH . 'hesk_settings.inc.php');
require(HESK_PATH . 'inc/common.inc.php');
require(HESK_PATH . 'inc/admin_functions.inc.php');
require(HESK_PATH . 'inc/mail_functions.inc.php');
// Order matters here: database helpers, then the session, then the connection,
// and only then the login check that sends anonymous visitors away
hesk_load_database_functions();
hesk_session_start();
hesk_dbConnect();
hesk_isLoggedIn();
/* Check permissions for this feature */
// Without a second argument the missing permission presumably stops the page;
// with 0 the call only reports the result, and that boolean gates both the
// unban actions below and the "Options" column of the two tables
hesk_checkPermission('can_ban_ips');
$can_unban = hesk_checkPermission('can_unban_ips', 0);
// Define required constants
define('LOAD_TABS', 1);
// What should we do?
// The assignment in the condition is intentional: $action is the 'a' request
// parameter and is falsy when absent. Every handler verifies the CSRF token
// itself (hesk_token_check) and ends in hesk_process_messages(), which
// redirects, so the page body below is only reached for plain views. The two
// unban actions are additionally gated on $can_unban.
if ($action = hesk_REQUEST('a')) {
if (defined('HESK_DEMO')) {
// Demo installs never change data
hesk_process_messages($hesklang['ddemo'], 'banned_ips.php', 'NOTICE');
} elseif ($action == 'ban') {
ban_ip();
} elseif ($action == 'unban' && $can_unban) {
unban_ip();
} elseif ($action == 'unbantemp' && $can_unban) {
unban_temp_ip();
}
}
/* Print header */
require_once(HESK_PATH . 'inc/headerAdmin.inc.php');
/* Print main manage users page */
require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
?>
<div class="content-wrapper">
<section class="content">
<div class="box">
<div class="box-body">
<div class="nav-tabs-custom">
<ul class="nav nav-tabs" role="tablist">
<?php
// Tab strip: each sibling page is linked only when the staff member holds the
// matching permission (second argument 0 = report the result, do not abort)
// Show a link to banned_emails.php if user has permission to do so
if (hesk_checkPermission('can_ban_emails', 0)) {
echo '
<li role="presentation">
<a title="' . $hesklang['banemail'] . '" href="banned_emails.php">' . $hesklang['banemail'] . '</a>
</li>';
}
?>
<li role="presentation" class="active">
<a href="#"><?php echo $hesklang['banip']; ?> <i class="fa fa-question-circle settingsquestionmark"
onclick="javascript:alert('<?php echo hesk_makeJsString($hesklang['banip_intro']); ?>')"></i></a>
</li>
<?php
// Show a link to status_message.php if user has permission to do so
if (hesk_checkPermission('can_service_msg', 0)) {
echo '
<li role="presentation">
<a title="' . $hesklang['sm_title'] . '" href="service_messages.php">' . $hesklang['sm_title'] . '</a>
</li>';
}
// Show a link to email tpl management if user has permission to do so
if (hesk_checkPermission('can_man_email_tpl', 0)) {
echo '
<li role="presentation">
<a title="' . $hesklang['email_templates'] . '" href="manage_email_templates.php">' . $hesklang['email_templates'] . '</a>
</li>
';
}
if (hesk_checkPermission('can_man_ticket_statuses', 0)) {
echo '
<li role="presentation">
<a title="' . $hesklang['statuses'] . '" href="manage_statuses.php">' . $hesklang['statuses'] . '</a>
</li>
';
}
if (hesk_checkPermission('can_man_settings', 0)) {
echo '
<li role="presentation">
<a title="' . $hesklang['tab_4'] . '" href="custom_fields.php">' . $hesklang['tab_4'] . '</a>
</li>';
}
?>
</ul>
<div class="tab-content summaryList tabPadding">
<script language="javascript" type="text/javascript"><!--
// Confirmation prompt used by the unban links; returning false cancels the navigation.
// The prompt text is passed through hesk_makeJsString() so it is safe inside the JS literal.
function confirm_delete() {
if (confirm('<?php echo hesk_makeJsString($hesklang['delban_confirm']); ?>')) {
return true;
}
else {
return false;
}
}
//-->
</script>
<div class="row">
<div class="col-md-8">
<?php
/* This will handle error, success and notice messages */
hesk_handle_messages();
?>
<form action="banned_ips.php" method="post" name="form1" role="form" class="form-horizontal" data-toggle="validator">
<div class="form-group">
<label for="ip" class="col-sm-3 control-label"><?php echo $hesklang['bananip']; ?></label>
<div class="col-sm-9">
<input type="text" name="ip" size="30" maxlength="255" class="form-control" data-error="<?php echo htmlspecialchars($hesklang['enterbanip']); ?>"
placeholder="<?php echo htmlspecialchars($hesklang['iprange']); ?>" required>
<input type="hidden" name="token" value="<?php hesk_token_echo(); ?>"/>
<input type="hidden" name="a" value="ban"/>
<div class="help-block with-errors"></div>
</div>
</div>
<div class="form-group">
<div class="col-sm-9 col-sm-offset-3">
<input type="submit" value="<?php echo $hesklang['savebanip']; ?>" class="btn btn-default">
</div>
</div>
</form>
</div>
<div class="col-md-4">
<h6 class="bold"><?php echo $hesklang['banex']; ?></h6>
<div class="footerWithBorder blankSpace"></div>
<b>123.0.0.0</b><br/>
<b>123.0.0.1 - 123.0.0.53</b><br/>
<b>123.0.0.0/24</b><br/>
<b>123.0.*.*</b>
</div>
</div>
<div class="row">
<div class="col-sm-12">
<?php
// Get login failures
// Temporary bans: addresses whose failed-login counter reached attempt_limit
// within the last attempt_banmin minutes; `minutes` is the time left until the
// lock lapses. Both settings are cast with intval() and the table prefix goes
// through hesk_dbEscape() before interpolation, so nothing request-controlled
// reaches this statement.
$res = hesk_dbQuery("SELECT `ip`, TIMESTAMPDIFF(MINUTE, NOW(), DATE_ADD(`last_attempt`, INTERVAL " . intval($hesk_settings['attempt_banmin']) . " MINUTE) ) AS `minutes` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "logins` WHERE `number` >= " . intval($hesk_settings['attempt_limit']) . " AND `last_attempt` > (NOW() - INTERVAL " . intval($hesk_settings['attempt_banmin']) . " MINUTE)");
$num = hesk_dbNumRows($res);
echo '<h4>' . $hesklang['iptemp'] . '</h4>';
if ($num > 0) {
?>
<table class="table table-hover">
<thead>
<tr>
<th><?php echo $hesklang['ip']; ?></th>
<th><?php echo $hesklang['m2e']; ?></th>
<?php
if ($can_unban) {
?>
<th><?php echo $hesklang['opt']; ?></th>
<?php
}
?>
</tr>
</thead>
<tbody>
<?php
while ($ban = hesk_dbFetchAssoc($res)) {
// NOTE(review): `ip` and `minutes` are echoed without htmlspecialchars(). They
// come from the logins table, which is written by the login code (not on this
// page) — confirm that column only ever holds a sanitised client address.
echo '
<tr>
<td>' . $ban['ip'] . '</td>
<td>' . $ban['minutes'] . '</td>
';
if ($can_unban) {
// Both options are plain GET links carrying the CSRF token; hesk_token_echo(0)
// must return the token rather than print it, since it is concatenated here.
// The first link reuses the 'ban' action with the address prefilled (permanent
// ban), the second clears the login counter after a JS confirmation.
echo '
<td>
<a href="banned_ips.php?a=ban&amp;ip=' . urlencode($ban['ip']) . '&amp;token=' . hesk_token_echo(0) . '">
<i class="fa fa-ban red font-size-16p" data-toggle="tooltip" data-placement="top" data-original-title="' . $hesklang['ippermban'] . '"></i></a>
<a href="banned_ips.php?a=unbantemp&amp;ip=' . urlencode($ban['ip']) . '&amp;token=' . hesk_token_echo(0) . '" onclick="return confirm_delete();">
<i class="fa fa-times red font-size-16p" data-toggle="tooltip" data-placement="top" data-original-title="' . $hesklang['delban'] . '"></i></a>
</td>
';
}
echo '</tr>';
} // End while
?>
</tbody>
</table>
<?php
} else {
echo '<p>' . $hesklang['no_banips'] . '</p>';
}
// Get banned ips from database
$res = hesk_dbQuery('SELECT * FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'banned_ips` ORDER BY `ip_from` ASC');
$num = hesk_dbNumRows($res);
echo '<br><h4>' . $hesklang['ipperm'] . '</h4>';
if ($num < 1) {
echo '<p>' . $hesklang['no_banips'] . '</p>';
} else {
// List of staff
// id => name map used to show who added each ban; only built if an earlier
// include has not already provided $admins
if (!isset($admins)) {
$admins = array();
$res2 = hesk_dbQuery("SELECT `id`,`name` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users`");
while ($row = hesk_dbFetchAssoc($res2)) {
$admins[$row['id']] = $row['name'];
}
}
?>
<table class="table table-hover">
<thead>
<tr>
<th><?php echo $hesklang['ip']; ?></th>
<th><?php echo $hesklang['iprange']; ?></th>
<th><?php echo $hesklang['banby']; ?></th>
<th><?php echo $hesklang['date']; ?></th>
<?php
if ($can_unban) {
?>
<th><?php echo $hesklang['opt']; ?></th>
<?php
}
?>
</tr>
</thead>
<tbody>
<?php
while ($ban = hesk_dbFetchAssoc($res)) {
// ban_ip() leaves the id of the row it just inserted (or of the existing ban
// that matched) in the session; that row is highlighted once and the marker
// cleared so a reload shows a plain list
$color = '';
if (isset($_SESSION['ban_ip']['id']) && $ban['id'] == $_SESSION['ban_ip']['id']) {
$color = 'success';
unset($_SESSION['ban_ip']['id']);
}
// `ip_display` is stored by ban_ip() after stripping everything except digits,
// dots, dashes, slashes and asterisks (plus the spaces it adds around dashes),
// which is the only reason it can be printed unescaped here and inside the
// name="" attribute below. `ip_from`/`ip_to` are rendered via long2ip().
// The "banned by" cell falls back to the e_udel text when the staff id is no
// longer present in $admins (presumably a deleted account).
echo '
<tr>
<td class="' . $color . '">' . $ban['ip_display'] . '</td>
<td class="' . $color . '">' . (($ban['ip_to'] == $ban['ip_from']) ? long2ip($ban['ip_to']) : long2ip($ban['ip_from']) . ' - ' . long2ip($ban['ip_to'])) . '</td>
<td class="' . $color . '">' . (isset($admins[$ban['banned_by']]) ? $admins[$ban['banned_by']] : $hesklang['e_udel']) . '</td>
<td class="' . $color . '">' . $ban['dt'] . '</td>
';
if ($can_unban) {
// Unban is a GET link protected by the CSRF token and a JS confirmation
echo '
<td class="' . $color . ' text-left">
<a name="Unban '.$ban['ip_display'].'" href="banned_ips.php?a=unban&amp;id=' . $ban['id'] . '&amp;token=' . hesk_token_echo(0) . '" onclick="return confirm_delete();">
<i class="fa fa-times red font-size-16p" data-toggle="tooltip" data-placement="top" data-original-title="' . $hesklang['delban'] . '"></i></a>
</td>
';
}
echo '</tr>';
} // End while
?>
</tbody>
</table>
<?php
}
?>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<?php
require_once(HESK_PATH . 'inc/footer.inc.php');
// Nothing below this point produces output: the function definitions that
// follow are hoisted by PHP, which is why the dispatch at the top can call them
exit();
  267. /*** START FUNCTIONS ***/
  268. function ban_ip()
  269. {
  270. global $hesk_settings, $hesklang;
  271. // A security check
  272. hesk_token_check();
  273. // Get the ip
  274. $ip = preg_replace('/[^0-9\.\-\/\*]/', '', hesk_REQUEST('ip'));
  275. $ip_display = str_replace('-', ' - ', $ip);
  276. // Nothing entered?
  277. if (!strlen($ip)) {
  278. hesk_process_messages($hesklang['enterbanip'], 'banned_ips.php');
  279. }
  280. // Convert asterisk to ranges
  281. if (strpos($ip, '*') !== false) {
  282. $ip = str_replace('*', '0', $ip) . '-' . str_replace('*', '255', $ip);
  283. }
  284. $ip_regex = '(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])';
  285. // Is this a single IP address?
  286. if (preg_match('/^' . $ip_regex . '$/', $ip)) {
  287. $ip_from = ip2long($ip);
  288. $ip_to = $ip_from;
  289. } // Is this an IP range?
  290. elseif (preg_match('/^' . $ip_regex . '\-' . $ip_regex . '$/', $ip)) {
  291. list($ip_from, $ip_to) = explode('-', $ip);
  292. $ip_from = ip2long($ip_from);
  293. $ip_to = ip2long($ip_to);
  294. } // Is this an IP with CIDR?
  295. elseif (preg_match('/^' . $ip_regex . '\/([0-9]{1,2})$/', $ip, $matches) && $matches[4] >= 0 && $matches[4] <= 32) {
  296. list($ip_from, $ip_to) = hesk_cidr_to_range($ip);
  297. } // Not a valid input
  298. else {
  299. hesk_process_messages($hesklang['validbanip'], 'banned_ips.php');
  300. }
  301. // Make sure we have valid ranges
  302. if ($ip_from < 0) {
  303. $ip_from += 4294967296;
  304. } elseif ($ip_from > 4294967296) {
  305. $ip_from = 4294967296;
  306. }
  307. if ($ip_to < 0) {
  308. $ip_to += 4294967296;
  309. } elseif ($ip_to > 4294967296) {
  310. $ip_to = 4294967296;
  311. }
  312. // Make sure $ip_to is not lower that $ip_from
  313. if ($ip_to < $ip_from) {
  314. $tmp = $ip_to;
  315. $ip_to = $ip_from;
  316. $ip_from = $tmp;
  317. }
  318. // Is this IP address already banned?
  319. $res = hesk_dbQuery("SELECT `id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "banned_ips` WHERE {$ip_from} BETWEEN `ip_from` AND `ip_to` AND {$ip_to} BETWEEN `ip_from` AND `ip_to` LIMIT 1");
  320. if (hesk_dbNumRows($res) == 1) {
  321. $_SESSION['ban_ip']['id'] = hesk_dbResult($res);
  322. $hesklang['ipbanexists'] = ($ip_to == $ip_from) ? sprintf($hesklang['ipbanexists'], long2ip($ip_to)) : sprintf($hesklang['iprbanexists'], long2ip($ip_from) . ' - ' . long2ip($ip_to));
  323. hesk_process_messages($hesklang['ipbanexists'], 'banned_ips.php', 'NOTICE');
  324. }
  325. // Delete any duplicate banned IP or ranges that are within the new banned range
  326. hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "banned_ips` WHERE `ip_from` >= {$ip_from} AND `ip_to` <= {$ip_to}");
  327. // Delete temporary bans from logins table
  328. if ($ip_to == $ip_from) {
  329. hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "logins` WHERE `ip`='" . hesk_dbEscape($ip_display) . "'");
  330. }
  331. // Redirect either to banned ips or ticket page from now on
  332. $redirect_to = ($trackingID = hesk_cleanID()) ? 'admin_ticket.php?track=' . $trackingID . '&Refresh=' . mt_rand(10000, 99999) : 'banned_ips.php';
  333. // Insert the ip address into database
  334. hesk_dbQuery("INSERT INTO `" . hesk_dbEscape($hesk_settings['db_pfix']) . "banned_ips` (`ip_from`,`ip_to`,`ip_display`,`banned_by`) VALUES ({$ip_from}, {$ip_to},'" . hesk_dbEscape($ip_display) . "','" . intval($_SESSION['id']) . "')");
  335. // Remember ip that got banned
  336. $_SESSION['ban_ip']['id'] = hesk_dbInsertID();
  337. // Generate success message
  338. $hesklang['ip_banned'] = ($ip_to == $ip_from) ? sprintf($hesklang['ip_banned'], long2ip($ip_to)) : sprintf($hesklang['ip_rbanned'], long2ip($ip_from) . ' - ' . long2ip($ip_to));
  339. // Show success
  340. hesk_process_messages(sprintf($hesklang['ip_banned'], $ip), $redirect_to, 'SUCCESS');
  341. } // End ban_ip()
  342. function unban_temp_ip()
  343. {
  344. global $hesk_settings, $hesklang;
  345. // A security check
  346. hesk_token_check();
  347. // Get the ip
  348. $ip = preg_replace('/[^0-9\.\-\/\*]/', '', hesk_REQUEST('ip'));
  349. // Delete from bans
  350. hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "logins` WHERE `ip`='" . hesk_dbEscape($ip) . "'");
  351. // Show success
  352. hesk_process_messages($hesklang['ip_tempun'], 'banned_ips.php', 'SUCCESS');
  353. } // End unban_temp_ip()
  354. function unban_ip()
  355. {
  356. global $hesk_settings, $hesklang;
  357. // A security check
  358. hesk_token_check();
  359. // Delete from bans
  360. hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "banned_ips` WHERE `id`=" . intval(hesk_GET('id')));
  361. // Redirect either to banned ips or ticket page from now on
  362. $redirect_to = ($trackingID = hesk_cleanID()) ? 'admin_ticket.php?track=' . $trackingID . '&Refresh=' . mt_rand(10000, 99999) : 'banned_ips.php';
  363. // Show success
  364. hesk_process_messages($hesklang['ip_unbanned'], $redirect_to, 'SUCCESS');
  365. } // End unban_ip()
  366. function hesk_cidr_to_range($cidr)
  367. {
  368. $range = array();
  369. $cidr = explode('/', $cidr);
  370. $range[0] = (ip2long($cidr[0])) & ((-1 << (32 - (int)$cidr[1])));
  371. $range[1] = (ip2long($cidr[0])) + pow(2, (32 - (int)$cidr[1])) - 1;
  372. return $range;
  373. } // END hesk_cidr_to_range()
  374. ?>