Interferon
Posted May 31 (edited)

We have our own license management system based on IPB for our desktop software application. In order to prevent interception of the network traffic, which could be used for software piracy, we encrypt requests and responses between the desktop application and a PHP script on our server. The PHP script then uses the IPB web API to retrieve information about the user's license. The response to the user is encrypted, so they cannot intercept the response to spoof a fake valid license.

The system works really well, except for one problem. If any automatic security actions kick in, the entire user base can be blocked from accessing their license info. If one user tries to log in too many times with a bad password, IPB bans the IP address where the requests are coming from, which happens to be its own server! This means all requests from the PHP script hosted on the same server are blocked. The solution is to manually un-ban the IP address. Since there is no whitelist of IP addresses NOT to ban, I have to do this manually any time it happens.

The other error I have seen is a message "TOO_MANY_REQUESTS_WITH_BAD_KEY". I do not know how to resolve this problem. Our entire user base is currently blocked from using the software because of this error.

How do you advise I deal with these issues?

Interferon (Author)
Posted May 31

The desktop application actually logs in directly to the web API, retrieves and stores an authentication token, and then passes that token to the PHP script for all subsequent calls.

Jim M
Posted May 31

27 minutes ago, Interferon said:
> This means all requests from the PHP script hosted on the same server are blocked. The solution is to manually un-ban the IP address. Since there is no whitelist of IP addresses NOT to ban, I have to do this manually any time it happens.

As you are utilizing the API in an abnormal manner here, you may encounter some "bumps in the road" as you have here. There is currently no whitelist. You can try restricting your API Key to your server's IP address if you haven't, however, likely this may be a new feature you need to suggest in our Feedback forum to allow for. Generally, it isn't a good idea in an API system like this.

27 minutes ago, Interferon said:
> The other error I have seen is a message "TOO_MANY_REQUESTS_WITH_BAD_KEY". I do not know how to resolve this problem. Our entire user base is currently blocked from using the software because of this error.

Is the server sending no, bad, or corrupted key at any point or is the request not completing? This would be the only case to encounter this issue.

Interferon (Author)
Posted May 31 (edited)

The server is passing on whatever authentication token the client application sends.

3 minutes ago, Jim M said:
> Generally, it isn't a good idea in an API system like this.

How can a desktop application use the IPB API to securely verify license info without being vulnerable to spoofed responses?

Jim M
Posted May 31

The system is designed in an OAUTH API style so the client would be making the direct request to the system.

Interferon (Author)
Posted May 31 (edited)

1 minute ago, Jim M said:
> The system is designed in an OAUTH API style so the client would be making the direct request to the system.

Is this a way of saying "this is not a supported capability"?

One way to solve this would be to have an encryption key, or series of keys, that both the client and server have access to, to encrypt the responses.

Jim M
Posted May 31

1 minute ago, Interferon said:
> Is this a way of saying "this is not a supported capability"?

As mentioned, you are using the system in a way it isn't currently designed to so you would need to make Feedback suggestions to change anything which you see doesn't fit how you are using it. This will be evaluated by our team and see if it fits the needs and design of the feature.

Interferon (Author)
Posted May 31

I have blocked the user who is causing the problem.

Is there any way to fix the "TOO_MANY_REQUESTS_WITH_BAD_KEY" error? How long does it take to go away?

teraßyte
Posted May 31

It clears up after 5 minutes:

```php
/* If we have tried to access the API with a bad key more than once in the last 5 minutes, throw an error to prevent brute-forcing */
if ( \IPS\Db::i()->select( 'COUNT(*)', 'core_api_logs', array( 'ip_address=? AND is_bad_key=1 AND date>?', \IPS\Request::i()->ipAddress(), \IPS\DateTime::create()->sub( new \DateInterval( 'PT5M' ) )->getTimestamp() ) )->first() > 1 )
{
	throw new \IPS\Api\Exception( 'TOO_MANY_REQUESTS_WITH_BAD_KEY', '1S290/D', 429 );
}
```

It's also possible to make a modification to whitelist IP addresses. It needs a couple of hooks on some functions, but it's doable. I did it for a client before as part of a bigger request.

Randy Calvert
Posted May 31

How often is the desktop client checking the license? If it’s checking more than once in 5 minutes, you might consider having it only do it hourly or daily.

Interferon (Author)
Posted May 31

1 hour ago, Randy Calvert said:
> How often is the desktop client checking the license? If it’s checking more than once in 5 minutes, you might consider having it only do it hourly or daily.

Only when the user checks for updates which is not very frequent, but there are thousands of users doing the same thing.

2 hours ago, teraßyte said:
> It's also possible to make a modification to whitelist IP addresses. It needs a couple of hooks on some functions, but it's doable. I did it for a client before as part of a bigger request.

Where can I find the code file where the IP addresses get banned? I just need to enter our server's own IP address. I don't mind hard-coding it.

Randy Calvert
Posted May 31

3 minutes ago, Interferon said:
> Only when the user checks for updates which is not very frequent, but there are thousands of users doing the same thing.

Are those users all behind the same IP address? Based on the code pasted above, this looks to be happening when a single IP triggers more than one error within a 5 min period. So if a user just manually mashes a validate button over and over this could be a problem. Maybe building in a check to restrict how many times it can be manually checked? If you have a ton of users all share a proxy IP, that obviously would not work.

Interferon (Author)
Posted May 31

2 minutes ago, Randy Calvert said:
> Are those users all behind the same IP address? Based on the code pasted above, this looks to be happening when a single IP triggers more than one error within a 5 min period. So if a user just manually mashes a validate button over and over this could be a problem. Maybe building in a check to restrict how many times it can be manually checked? If you have a ton of users all share a proxy IP, that obviously would not work.

Please re-read the original post if you are interested in this subject.

teraßyte (Solution)
Posted May 31

15 minutes ago, Interferon said:
> Where can I find the code file where the IP addresses get banned? I just need to enter our server's own IP address. I don't mind hard-coding it.

The function that checks if the IP is banned or has made too many bad requests is the function _checkIpAddressIsAllowed() in system/Dispatcher/Api.php on lines 198-230.

Interferon (Author)
Posted May 31

Thank you. The primary issue is solved. It is still possible to trigger the bad key error, but I have only seen this happen once and I prefer to leave the check in until I add protection from brute forcing into my script.
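
Added example, not part of the thread and not IPS code: one way a PHP relay script could keep its own server IP under the limit in the check quoted above (more than one bad key from one IP within five minutes). Once upstream has reported one bad key, it forwards only tokens upstream has already accepted until that bad key ages out of the window. `BadKeyGuard` and its method names are hypothetical, the traffic is constructed, and state lives in an in-memory array here, whereas a real script would need storage shared across requests.

```php
<?php
// Added example, not IPS code; class and method names are hypothetical.
final class BadKeyGuard
{
    private const WINDOW = 300;      // the upstream check looks back 'PT5M'
    private array $badKeyTimes = []; // when upstream answered "bad key"
    private array $knownGood = [];   // sha256(token) => true once accepted

    /** Bad-key rows upstream still counts against this server's IP. */
    public function recentBadKeys(int $now): int
    {
        $this->badKeyTimes = array_values(array_filter($this->badKeyTimes,
            fn (int $t): bool => $t > $now - self::WINDOW));
        return count($this->badKeyTimes);
    }

    /** Forward anything while no bad key is on record, then only proven tokens. */
    public function mayForward(string $token, int $now): bool
    {
        return $this->recentBadKeys($now) === 0
            || isset($this->knownGood[hash('sha256', $token)]);
    }

    /** Call with the upstream outcome of every request that was forwarded. */
    public function recordResult(string $token, bool $badKey, int $now): void
    {
        $id = hash('sha256', $token);
        if ($badKey) {
            $this->badKeyTimes[] = $now;
            unset($this->knownGood[$id]);
        } else {
            $this->knownGood[$id] = true;
        }
    }
}

// Constructed traffic: [seconds, token, does upstream reject the token?]
$events = [
    [0, 'tok-alice', false], [10, 'tok-mallory', true],
    [20, 'tok-eve', true],   // forwarding this would be the second bad key
    [30, 'tok-alice', false], [320, 'tok-eve', true],
];
$guard = new BadKeyGuard();
foreach ($events as [$t, $token, $bad]) {
    if (!$guard->mayForward($token, $t)) {
        printf("t=%3d %-11s refused locally\n", $t, $token);
        continue;
    }
    $guard->recordResult($token, $bad, $t);
    printf("t=%3d %-11s forwarded, bad keys in window=%d\n", $t, $token, $guard->recentBadKeys($t));
}
```

A token that was accepted earlier and has since been revoked can still produce a second bad key inside the window, so this narrows the lockout risk rather than removing it.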