duffyduck/dyndns-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security-Hardening (Pentest-Findings F-02 bis F-07)

Browse Source 
- CSRF-Schutz: session-gebundenes Token in allen POST-Formularen, serverseitig
  per before_request geprueft; /nic/update ausgenommen (Basic-Auth-API)
- Brute-Force-Schutz: DB-gestuetzter Login-Lockout pro Client-IP
  (5 Fehlversuche -> 15 min), echte IP via ProxyFix/X-Forwarded-For
- SSRF: validate_plesk_url() erzwingt http(s) und blockt Link-Local/Metadata,
  Multicast und reservierte Ziele
- Session-Cookies: HttpOnly, SameSite=Lax, Secure (per Env abschaltbar)
- Security-Header: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Generische Plesk-Fehlermeldungen (keine internen URLs im UI)
- CSS/JS nach static/ ausgelagert -> strikte CSP ohne 'unsafe-inline'
- login_attempts-Tabelle + README-Security-Abschnitt

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Stefan Hacker
2026-06-06 14:45:27 +02:00
parent 9c631992af
commit c3070469c1
10 changed files with 233 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/main.py
+147 -3
View File
@@ -1,11 +1,17 @@
import hmac
import ipaddress
import os
import re
import secrets
import socket
import sqlite3
from datetime import datetime
from datetime import datetime, timedelta
from functools import wraps
from urllib.parse import urlparse
from flask import (Flask, Response, flash, redirect, render_template,
from flask import (Flask, Response, abort, flash, redirect, render_template,
request, session, url_for)
from werkzeug.middleware.proxy_fix import ProxyFix
from werkzeug.security import check_password_hash, generate_password_hash
from database import get_db, get_setting, init_db, set_setting
@@ -14,6 +20,67 @@ from plesk import test_connection, update_dns_record
app = Flask(__name__)
app.secret_key = os.environ.get('SECRET_KEY', os.urandom(32).hex())
# Hinter dem nginx-Reverse-Proxy: X-Forwarded-* auswerten, damit
# request.remote_addr die echte Client-IP liefert (für Login-Lockout & myip).
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
# Session-Cookie härten. SESSION_COOKIE_SECURE für lokale http-Tests via
# Env abschaltbar (Default an, da Produktivbetrieb hinter HTTPS läuft).
app.config.update(
SESSION_COOKIE_HTTPONLY=True,
SESSION_COOKIE_SAMESITE='Lax',
SESSION_COOKIE_SECURE=os.environ.get('SESSION_COOKIE_SECURE', '1') == '1',
)
# Endpunkte ohne CSRF-Token-Prüfung (reine API/Basic-Auth, keine Cookies).
CSRF_EXEMPT = {'dyndns_update'}
# Login-Brute-Force-Schutz
LOGIN_MAX_FAILS = 5
LOGIN_LOCK_MINUTES = 15
# Security-Header. CSS/JS sind ausgelagert (static/), daher kein 'unsafe-inline'.
# Erlaubt sind nur die eigene Origin und das Bootstrap-CDN.
CSP = (
"default-src 'self'; "
"img-src 'self' data:; "
"style-src 'self' https://cdn.jsdelivr.net; "
"script-src 'self' https://cdn.jsdelivr.net; "
"font-src 'self' https://cdn.jsdelivr.net; "
"form-action 'self'; frame-ancestors 'none'; base-uri 'self'"
)
@app.after_request
def _security_headers(resp):
resp.headers['X-Frame-Options'] = 'DENY'
resp.headers['X-Content-Type-Options'] = 'nosniff'
resp.headers['Referrer-Policy'] = 'no-referrer'
resp.headers.setdefault('Content-Security-Policy', CSP)
return resp
# ---------------------------------------------------------------------------
# CSRF-Schutz (schlanker Session-Token, ohne externe Abhängigkeit)
# ---------------------------------------------------------------------------
@app.before_request
def _csrf_protect():
if request.endpoint in CSRF_EXEMPT:
return
if '_csrf_token' not in session:
session['_csrf_token'] = secrets.token_urlsafe(32)
if request.method in ('POST', 'PUT', 'PATCH', 'DELETE'):
token = session.get('_csrf_token', '')
sent = request.form.get('csrf_token', '')
if not token or not sent or not hmac.compare_digest(token, sent):
abort(400, 'CSRF-Token ungültig oder fehlt.')
@app.context_processor
def _inject_csrf():
return {'csrf_token': lambda: session.get('_csrf_token', '')}
# ---------------------------------------------------------------------------
# Helpers
@@ -28,6 +95,67 @@ def login_required(f):
return wrapped
# --- Login-Brute-Force-Schutz (DB-gestützt, pro Client-IP) -----------------
def _login_locked_for(ip):
"""Sekunden bis zur Entsperrung, oder 0 wenn nicht gesperrt."""
db = get_db()
row = db.execute('SELECT locked_until FROM login_attempts WHERE ip = ?', (ip,)).fetchone()
db.close()
if row and row['locked_until']:
try:
until = datetime.strptime(row['locked_until'], '%Y-%m-%d %H:%M:%S')
except ValueError:
return 0
remaining = (until - datetime.now()).total_seconds()
return int(remaining) if remaining > 0 else 0
return 0
def _record_login_fail(ip):
db = get_db()
row = db.execute('SELECT fails FROM login_attempts WHERE ip = ?', (ip,)).fetchone()
fails = (row['fails'] if row else 0) + 1
locked_until = None
if fails >= LOGIN_MAX_FAILS:
locked_until = (datetime.now() + timedelta(minutes=LOGIN_LOCK_MINUTES)
).strftime('%Y-%m-%d %H:%M:%S')
db.execute(
'INSERT INTO login_attempts (ip, fails, locked_until) VALUES (?, ?, ?) '
'ON CONFLICT(ip) DO UPDATE SET fails = excluded.fails, locked_until = excluded.locked_until',
(ip, fails, locked_until),
)
db.commit()
db.close()
def _reset_login_fails(ip):
db = get_db()
db.execute('DELETE FROM login_attempts WHERE ip = ?', (ip,))
db.commit()
db.close()
# --- SSRF-Schutz für die admin-konfigurierte Plesk-URL ---------------------
def validate_plesk_url(url):
"""(ok, fehlermeldung). Lässt nur http(s) zu und blockt Link-Local- /
Cloud-Metadata- (169.254.0.0/16), Multicast- und reservierte Ziele.
Private/Loopback bleiben erlaubt — Plesk läuft oft intern/am selben Host."""
p = urlparse(url)
if p.scheme not in ('http', 'https') or not p.hostname:
return False, 'Nur gültige http(s)-URLs erlaubt.'
try:
infos = socket.getaddrinfo(p.hostname, p.port or (443 if p.scheme == 'https' else 80))
except (socket.gaierror, UnicodeError):
return False, 'Hostname nicht auflösbar.'
for info in infos:
ip = ipaddress.ip_address(info[4][0])
if ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
return False, 'Ziel-Adresse nicht erlaubt (Link-Local/Reserved).'
return True, ''
# ---------------------------------------------------------------------------
# Auth
# ---------------------------------------------------------------------------
@@ -40,6 +168,12 @@ def index():
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
ip = request.remote_addr or 'unknown'
locked = _login_locked_for(ip)
if locked:
flash(f'Zu viele Fehlversuche. Bitte in {locked // 60 + 1} Minuten erneut versuchen.', 'danger')
return render_template('login.html')
username = request.form.get('username', '').strip()
password = request.form.get('password', '')
db = get_db()
@@ -48,9 +182,13 @@ def login():
).fetchone()
db.close()
if admin and check_password_hash(admin['password_hash'], password):
_reset_login_fails(ip)
session.clear()
session['admin_id'] = admin['id']
session['admin_username'] = admin['username']
return redirect(url_for('dashboard'))
_record_login_fail(ip)
flash('Benutzername oder Passwort falsch.', 'danger')
return render_template('login.html')
@@ -114,6 +252,11 @@ def settings_plesk():
plesk_base_domain = request.form.get('plesk_base_domain', '').strip()
plesk_verify_ssl = '1' if request.form.get('plesk_verify_ssl') else '0'
ok, err = validate_plesk_url(plesk_url)
if not ok:
flash(f'Plesk-URL abgelehnt: {err}', 'danger')
return redirect(url_for('settings'))
set_setting('plesk_url', plesk_url)
set_setting('plesk_api_key', plesk_api_key)
set_setting('plesk_base_domain', plesk_base_domain)
@@ -125,7 +268,8 @@ def settings_plesk():
ver = info.get('version', '?')
flash(f'Verbindung OK — Plesk {ver}', 'success')
except Exception as exc:
flash(f'Verbindungsfehler: {exc}', 'danger')
app.logger.warning('Plesk-Verbindungstest fehlgeschlagen: %s', exc)
flash('Verbindungsfehler — bitte URL, API-Schlüssel und Erreichbarkeit prüfen.', 'danger')
else:
flash('Plesk-Einstellungen gespeichert.', 'success')