%%%-------------------------------------------------------------------
%%% File : mod_fail2ban.erl
%%% Author : Evgeny Khramtsov <ekhramtsov@process-one.net>
%%% Purpose :
%%% Created : 15 Aug 2014 by Evgeny Khramtsov <ekhramtsov@process-one.net>
%%%
%%%
%%% ejabberd, Copyright (C) 2014-2018 ProcessOne
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
%%% published by the Free Software Foundation; either version 2 of the
%%% License, or (at your option) any later version.
%%%
%%% This program is distributed in the hope that it will be useful,
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
%%% General Public License for more details.
%%%
%%% You should have received a copy of the GNU General Public License along
%%% with this program; if not, write to the Free Software Foundation, Inc.,
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
%%%
%%%-------------------------------------------------------------------
-module(mod_fail2ban).

%% Runs both as an ejabberd module (gen_mod) and as its own gen_server:
%% one child per virtual host, see start/2 and stop/1.
-behaviour(gen_mod).
-behaviour(gen_server).

%% API
-export([start/2, stop/1, reload/3, c2s_auth_result/3,
         c2s_stream_started/2]).

-export([init/1, handle_call/3, handle_cast/2,
         handle_info/2, terminate/2, code_change/3,
         mod_opt_type/1, mod_options/1, depends/2]).

%% ets:fun2ms/1 in handle_info(clean, ...) needs this parse transform.
-include_lib("stdlib/include/ms_transform.hrl").
-include("logger.hrl").
-include("xmpp.hrl").

%% How often expired entries are purged from the failed_auth table.
-define(CLEAN_INTERVAL, timer:minutes(10)).

%% gen_server state: the virtual host this instance serves.
-record(state, {host = <<"">> :: binary()}).
%%%===================================================================
%%% API
%%%===================================================================
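%% @doc Hook callback for `c2s_auth_result': invoked after every client
%% authentication attempt with its outcome (`false' = failed).
%%
%% On failure, unless the peer address is allowed by the `access' rule
%% (see is_whitelisted/2), the per-address counter in the public
%% `failed_auth' table is bumped and its expiry is pushed forward to
%% now + `c2s_auth_ban_lifetime'.  Once the counter reaches
%% `c2s_max_auth_failures' the stream is closed via log_and_disconnect/3.
%% On success the address's entry is dropped.
%%
%% The table is keyed by the address alone (the port is ignored), so
%% clients sharing one NAT/proxy address share a counter — presumably
%% the intended trade-off; confirm before changing the key.
-spec c2s_auth_result(ejabberd_c2s:state(), boolean(), binary())
      -> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_auth_result(#{ip := {Addr, _}, lserver := LServer} = State, false, _User) ->
    case is_whitelisted(LServer, Addr) of
        true ->
            State;
        false ->
            BanLifetime = gen_mod:get_module_opt(
                            LServer, ?MODULE, c2s_auth_ban_lifetime),
            MaxFailures = gen_mod:get_module_opt(
                            LServer, ?MODULE, c2s_max_auth_failures),
            UnbanTS = p1_time_compat:system_time(seconds) + BanLifetime,
            %% Atomic read-modify-write.  The table is public and this
            %% hook presumably runs in each connection's own process, so a
            %% lookup + insert pair could lose increments when several
            %% failures from one address race; update_counter/4 inserts the
            %% default object when the key is missing and then applies the
            %% increment, so a first failure yields 1.
            Attempts = ets:update_counter(failed_auth, Addr, {2, 1},
                                          {Addr, 0, UnbanTS, MaxFailures}),
            %% Refresh expiry and threshold on every failure, as the
            %% previous insert did.  Returns false if the entry vanished
            %% meanwhile (successful auth or the clean sweep); harmless.
            ets:update_element(failed_auth, Addr,
                               [{3, UnbanTS}, {4, MaxFailures}]),
            if Attempts >= MaxFailures ->
                    log_and_disconnect(State, Attempts, UnbanTS);
               true ->
                    State
            end
    end;
c2s_auth_result(#{ip := {Addr, _}} = State, true, _User) ->
    %% A successful login clears any accumulated failures for the address.
    ets:delete(failed_auth, Addr),
    State.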
%% @doc Hook callback for `c2s_stream_started': refuses a new stream
%% from an address that has already hit its failure threshold and whose
%% ban has not expired yet.  A lapsed ban is removed on the spot so the
%% client starts over with a clean counter.
-spec c2s_stream_started(ejabberd_c2s:state(), stream_start())
      -> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_stream_started(#{ip := {Addr, _}} = State, _) ->
    Now = p1_time_compat:system_time(seconds),
    case ets:lookup(failed_auth, Addr) of
        [{Addr, Failures, UnbanTS, Threshold}]
          when Failures >= Threshold, UnbanTS > Now ->
            %% Still banned: log it and close the stream.
            log_and_disconnect(State, Failures, UnbanTS);
        [{Addr, Failures, _UnbanTS, Threshold}] when Failures >= Threshold ->
            %% Ban has lapsed but the periodic sweep has not run yet.
            ets:delete(failed_auth, Addr),
            State;
        _ ->
            %% Unknown address, or still below the threshold.
            State
    end.
%%====================================================================
%% gen_mod callbacks
%%====================================================================
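%% @doc gen_mod callback: creates the node-wide `failed_auth' table
%% (once) and starts this module's gen_server child for `Host'.
%%
%% The table is `public' because it is presumably written from the
%% processes that run the c2s hooks, not from this server; the heir is
%% the group leader so the table outlives whichever process created it.
start(Host, Opts) ->
    try
        ets:new(failed_auth, [named_table, public,
                              {heir, erlang:group_leader(), none}])
    catch
        %% Every virtual host after the first finds the name already
        %% taken; that is the only error worth tolerating here (the
        %% former old-style `catch' silently swallowed everything).
        error:badarg -> ok
    end,
    gen_mod:start_child(?MODULE, Host, Opts).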
%% @doc gen_mod callback: stops the per-host gen_server child.  The
%% shared `failed_auth' table is only dropped in terminate/2, and only
%% when no other virtual host still has the module loaded.
stop(Host) ->
    gen_mod:stop_child(?MODULE, Host).
%% @doc gen_mod callback: nothing to do on reload, because every option
%% is read through gen_mod:get_module_opt/3 at the point of use.
reload(_Host, _NewOpts, _OldOpts) -> ok.
%% @doc gen_mod callback: this module depends on no other module.
depends(_Host, _Opts) -> [].
%%%===================================================================
%%% gen_server callbacks
%%%===================================================================
%% @doc gen_server init: registers both c2s hooks for `Host' (priority
%% 100) and arms the first clean timer.  trap_exit is set so that a
%% supervisor shutdown reaches terminate/2 and the hooks get removed.
init([Host, _Opts]) ->
    process_flag(trap_exit, true),
    lists:foreach(
      fun({Hook, Callback}) ->
              ejabberd_hooks:add(Hook, Host, ?MODULE, Callback, 100)
      end,
      [{c2s_auth_result, c2s_auth_result},
       {c2s_stream_started, c2s_stream_started}]),
    erlang:send_after(?CLEAN_INTERVAL, self(), clean),
    {ok, #state{host = Host}}.
%% @doc No synchronous API is exposed; any call is answered with `ok'
%% and leaves the state untouched.
handle_call(_Request, _From, State) ->
    {reply, ok, State}.
%% @doc No casts are expected; log the stray message at error level and
%% keep running.
handle_cast(Msg, State) ->
    ?ERROR_MSG("got unexpected cast = ~p", [Msg]),
    {noreply, State}.
%% @doc Periodic sweep: deletes every `failed_auth' entry whose unban
%% time has passed, then re-arms the timer.  Entries still below the
%% threshold are kept until their expiry as well, so the window in which
%% failures accumulate equals the ban lifetime.
handle_info(clean, State) ->
    ?DEBUG("cleaning ~p ETS table", [failed_auth]),
    Now = p1_time_compat:system_time(seconds),
    Expired = ets:fun2ms(fun({_, _, UnbanTS, _}) -> UnbanTS =< Now end),
    ets:select_delete(failed_auth, Expired),
    erlang:send_after(?CLEAN_INTERVAL, self(), clean),
    {noreply, State};
handle_info(Info, State) ->
    %% Anything else is unexpected; log it rather than let the mailbox
    %% accumulate unmatched messages.
    ?ERROR_MSG("got unexpected info = ~p", [Info]),
    {noreply, State}.
%% @doc Unregisters this host's hooks and drops the shared table only
%% when no other virtual host still runs the module.
terminate(_Reason, #state{host = Host}) ->
    lists:foreach(
      fun({Hook, Callback}) ->
              ejabberd_hooks:delete(Hook, Host, ?MODULE, Callback, 100)
      end,
      [{c2s_auth_result, c2s_auth_result},
       {c2s_stream_started, c2s_stream_started}]),
    case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
        true -> ok;
        false -> ets:delete(failed_auth)
    end.
%% @doc Hot code upgrade: the state record needs no conversion.
code_change(_OldVsn, State, _Extra) -> {ok, State}.
%%%===================================================================
%%% Internal functions
%%%===================================================================
%% @doc Logs the blocked attempt at warning level and closes the stream
%% with a policy-violation stream error that tells the client how many
%% failures were counted and when (UTC) the address is unblocked.
-spec log_and_disconnect(ejabberd_c2s:state(), pos_integer(), non_neg_integer())
      -> {stop, ejabberd_c2s:state()}.
log_and_disconnect(#{ip := {Addr, _}, lang := Lang} = State, Attempts, UnbanTS) ->
    IP = misc:ip_to_list(Addr),
    UnbanDate = format_date(
                  calendar:now_to_universal_time(seconds_to_now(UnbanTS))),
    Format = <<"Too many (~p) failed authentications "
               "from this IP address (~s). The address "
               "will be unblocked at ~s UTC">>,
    Args = [Attempts, IP, UnbanDate],
    %% The same text is written to the log and sent to the client.
    Reason = io_lib:fwrite(Format, Args),
    ?WARNING_MSG("Connection attempt from blacklisted IP ~s: ~s", [IP, Reason]),
    Err = xmpp:serr_policy_violation({Format, Args}, Lang),
    {stop, ejabberd_c2s:send(State, Err)}.
%% @doc True when `Addr' is allowed by the host's `access' rule; such
%% addresses are neither counted nor banned.  The default rule is
%% `none' (see mod_options/1), so nothing is exempt unless configured.
is_whitelisted(Host, Addr) ->
    Rule = gen_mod:get_module_opt(Host, ?MODULE, access),
    allow =:= acl:match_rule(Host, Rule, Addr).
%% @doc Converts Unix seconds into an `erlang:timestamp()'-shaped
%% `{MegaSecs, Secs, 0}' triple for calendar:now_to_universal_time/1.
seconds_to_now(Secs) ->
    MegaSecs = Secs div 1000000,
    {MegaSecs, Secs - MegaSecs * 1000000, 0}.
%% @doc Renders a calendar datetime as "HH:MM:SS DD.MM.YYYY"
%% (zero-padded, returned as an iolist).
format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
    Fields = [Hour, Minute, Second, Day, Month, Year],
    io_lib:format("~2..0w:~2..0w:~2..0w ~2..0w.~2..0w.~4..0w", Fields).
%% @doc Option validators: `access' must be an access rule; the ban
%% lifetime (seconds) and the failure threshold must both be positive
%% integers.  Any other option name is a function_clause error.
mod_opt_type(access) ->
    fun acl:access_rules_validator/1;
mod_opt_type(Opt) when Opt =:= c2s_auth_ban_lifetime;
                       Opt =:= c2s_max_auth_failures ->
    fun(N) when is_integer(N), N > 0 -> N end.
%% @doc Defaults: no whitelist, a one-hour ban, 20 failures per address.
mod_options(_Host) ->
    [{access, none},
     {c2s_auth_ban_lifetime, 3600},  %% one hour
     {c2s_max_auth_failures, 20}].