xmpp.chapril.org-ejabberd/src/mod_fail2ban.erl

%%%-------------------------------------------------------------------
%%% File    : mod_fail2ban.erl
%%% Author  : Evgeny Khramtsov <ekhramtsov@process-one.net>
%%% Purpose :
%%% Created : 15 Aug 2014 by Evgeny Khramtsov <ekhramtsov@process-one.net>
%%%
%%%
%%% ejabberd, Copyright (C) 2014-2020   ProcessOne
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
%%% published by the Free Software Foundation; either version 2 of the
%%% License, or (at your option) any later version.
%%%
%%% This program is distributed in the hope that it will be useful,
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
%%% General Public License for more details.
%%%
%%% You should have received a copy of the GNU General Public License along
%%% with this program; if not, write to the Free Software Foundation, Inc.,
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
%%%
%%%-------------------------------------------------------------------

-module(mod_fail2ban).

-behaviour(gen_mod).
-behaviour(gen_server).

%% API
-export([start/2, stop/1, reload/3, c2s_auth_result/3,
	 c2s_stream_started/2]).

-export([init/1, handle_call/3, handle_cast/2,
	 handle_info/2, terminate/2, code_change/3,
	 mod_opt_type/1, mod_options/1, depends/2, mod_doc/0]).

%% ejabberd command.
-export([get_commands_spec/0, unban/1]).

-include_lib("stdlib/include/ms_transform.hrl").
-include("ejabberd_commands.hrl").
-include("logger.hrl").
-include_lib("xmpp/include/xmpp.hrl").
-include("translate.hrl").

-define(CLEAN_INTERVAL, timer:minutes(10)).

-record(state, {host = <<"">> :: binary()}).

%%%===================================================================
%%% API
%%%===================================================================
-spec c2s_auth_result(ejabberd_c2s:state(), true | {false, binary()}, binary())
      -> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_auth_result(#{sasl_mech := Mech} = State, {false, _}, _User)
  when Mech == <<"EXTERNAL">> ->
    State;
c2s_auth_result(#{ip := {Addr, _}, lserver := LServer} = State, {false, _}, _User) ->
    case is_whitelisted(LServer, Addr) of
	true ->
	    State;
	false ->
	    BanLifetime = mod_fail2ban_opt:c2s_auth_ban_lifetime(LServer),
	    MaxFailures = mod_fail2ban_opt:c2s_max_auth_failures(LServer),
	    UnbanTS = current_time() + BanLifetime,
	    Attempts = case ets:lookup(failed_auth, Addr) of
		[{Addr, N, _, _}] ->
			       ets:insert(failed_auth,
					  {Addr, N+1, UnbanTS, MaxFailures}),
			       N+1;
		[] ->
			       ets:insert(failed_auth,
					  {Addr, 1, UnbanTS, MaxFailures}),
			       1
	    end,
	    if Attempts >= MaxFailures ->
		    log_and_disconnect(State, Attempts, UnbanTS);
	       true ->
		    State
	    end
    end;
c2s_auth_result(#{ip := {Addr, _}} = State, true, _User) ->
    ets:delete(failed_auth, Addr),
    State.

-spec c2s_stream_started(ejabberd_c2s:state(), stream_start())
      -> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_stream_started(#{ip := {Addr, _}} = State, _) ->
    case ets:lookup(failed_auth, Addr) of
	[{Addr, N, TS, MaxFailures}] when N >= MaxFailures ->
	    case TS > current_time() of
		true ->
		    log_and_disconnect(State, N, TS);
		false ->
		    ets:delete(failed_auth, Addr),
		    State
	    end;
	_ ->
	    State
    end.

%%====================================================================
%% gen_mod callbacks
%%====================================================================
start(Host, Opts) ->
    catch ets:new(failed_auth, [named_table, public,
				{heir, erlang:group_leader(), none}]),
    ejabberd_commands:register_commands(get_commands_spec()),
    gen_mod:start_child(?MODULE, Host, Opts).

stop(Host) ->
    case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
        false ->
            ejabberd_commands:unregister_commands(get_commands_spec());
        true ->
            ok
    end,
    gen_mod:stop_child(?MODULE, Host).

reload(_Host, _NewOpts, _OldOpts) ->
    ok.

depends(_Host, _Opts) ->
    [].

%%%===================================================================
%%% gen_server callbacks
%%%===================================================================
init([Host|_]) ->
    process_flag(trap_exit, true),
    ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
    ejabberd_hooks:add(c2s_stream_started, Host, ?MODULE, c2s_stream_started, 100),
    erlang:send_after(?CLEAN_INTERVAL, self(), clean),
    {ok, #state{host = Host}}.

handle_call(Request, From, State) ->
    ?WARNING_MSG("Unexpected call from ~p: ~p", [From, Request]),
    {noreply, State}.

handle_cast(_Msg, State) ->
    ?WARNING_MSG("Unexpected cast = ~p", [_Msg]),
    {noreply, State}.

handle_info(clean, State) ->
    ?DEBUG("Cleaning ~p ETS table", [failed_auth]),
    Now = current_time(),
    ets:select_delete(
      failed_auth,
      ets:fun2ms(fun({_, _, UnbanTS, _}) -> UnbanTS =< Now end)),
    erlang:send_after(?CLEAN_INTERVAL, self(), clean),
    {noreply, State};
handle_info(_Info, State) ->
    ?WARNING_MSG("Unexpected info = ~p", [_Info]),
    {noreply, State}.

terminate(_Reason, #state{host = Host}) ->
    ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
    ejabberd_hooks:delete(c2s_stream_started, Host, ?MODULE, c2s_stream_started, 100),
    case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
	true ->
	    ok;
	false ->
	    ets:delete(failed_auth)
    end.

code_change(_OldVsn, State, _Extra) ->
    {ok, State}.

%%--------------------------------------------------------------------
%% ejabberd command callback.
%%--------------------------------------------------------------------
-spec get_commands_spec() -> [ejabberd_commands()].
get_commands_spec() ->
    [#ejabberd_commands{name = unban_ip, tags = [accounts],
			desc = "Remove banned IP addresses from the fail2ban table",
			longdesc = "Accepts an IP address with a network mask. "
			    "Returns the number of unbanned addresses, or a negative integer if there were any error.",
			module = ?MODULE, function = unban,
			args = [{address, binary}],
			args_example = [<<"::FFFF:127.0.0.1/128">>],
			args_desc = ["IP address, optionally with network mask."],
			result_example = 3,
			result_desc = "Amount of unbanned entries, or negative in case of error.",
			result = {unbanned, integer}}].

-spec unban(binary()) -> integer().
unban(S) ->
    case misc:parse_ip_mask(S) of
	{ok, {Net, Mask}} ->
	    unban(Net, Mask);
	error ->
	    ?WARNING_MSG("Invalid network address when trying to unban: ~p", [S]),
	    -1
    end.

-spec unban(inet:ip_address(), 0..128) -> non_neg_integer().
unban(Net, Mask) ->
    ets:foldl(
	fun({Addr, _, _, _}, Acc)  ->
	    case misc:match_ip_mask(Addr, Net, Mask) of
		true ->
		    ets:delete(failed_auth, Addr),
		    Acc+1;
		false -> Acc
	    end
	end, 0, failed_auth).

%%%===================================================================
%%% Internal functions
%%%===================================================================
-spec log_and_disconnect(ejabberd_c2s:state(), pos_integer(), non_neg_integer())
      -> {stop, ejabberd_c2s:state()}.
log_and_disconnect(#{ip := {Addr, _}, lang := Lang} = State, Attempts, UnbanTS) ->
    IP = misc:ip_to_list(Addr),
    UnbanDate = format_date(
		  calendar:now_to_universal_time(msec_to_now(UnbanTS))),
    Format = ?T("Too many (~p) failed authentications "
		"from this IP address (~s). The address "
		"will be unblocked at ~s UTC"),
    Args = [Attempts, IP, UnbanDate],
    ?WARNING_MSG("Connection attempt from blacklisted IP ~ts: ~ts",
		 [IP, io_lib:fwrite(Format, Args)]),
    Err = xmpp:serr_policy_violation({Format, Args}, Lang),
    {stop, ejabberd_c2s:send(State, Err)}.

-spec is_whitelisted(binary(), inet:ip_address()) -> boolean().
is_whitelisted(Host, Addr) ->
    Access = mod_fail2ban_opt:access(Host),
    acl:match_rule(Host, Access, Addr) == allow.

-spec msec_to_now(pos_integer()) -> erlang:timestamp().
msec_to_now(MSecs) ->
    Secs = MSecs div 1000,
    {Secs div 1000000, Secs rem 1000000, 0}.

-spec format_date(calendar:datetime()) -> iolist().
format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
    io_lib:format("~2..0w:~2..0w:~2..0w ~2..0w.~2..0w.~4..0w",
		  [Hour, Minute, Second, Day, Month, Year]).

current_time() ->
    erlang:system_time(millisecond).

mod_opt_type(access) ->
    econf:acl();
mod_opt_type(c2s_auth_ban_lifetime) ->
    econf:timeout(second);
mod_opt_type(c2s_max_auth_failures) ->
    econf:pos_int().

mod_options(_Host) ->
    [{access, none},
     {c2s_auth_ban_lifetime, timer:hours(1)},
     {c2s_max_auth_failures, 20}].

mod_doc() ->
    #{desc =>
          [?T("The module bans IPs that show the malicious signs. "
              "Currently only C2S authentication failures are detected."), "",
           ?T("Unlike the standalone program, 'mod_fail2ban' clears the "
              "record of authentication failures after some time since the "
              "first failure or on a successful authentication. "
              "It also does not simply block network traffic, but "
              "provides the client with a descriptive error message."), "",
	   ?T("WARNING: You should not use this module behind a proxy or load "
	      "balancer. ejabberd will see the failures as coming from the "
	      "load balancer and, when the threshold of auth failures is "
	      "reached, will reject all connections coming from the load "
	      "balancer. You can lock all your user base out of ejabberd "
	      "when using this module behind a proxy.")],
      opts =>
          [{access,
            #{value => ?T("AccessName"),
              desc =>
                  ?T("Specify an access rule for whitelisting IP "
                     "addresses or networks. If the rule returns 'allow' "
                     "for a given IP address, that address will never be "
                     "banned. The 'AccessName' should be of type 'ip'. "
                     "The default value is 'none'.")}},
           {c2s_auth_ban_lifetime,
            #{value => "timeout()",
              desc =>
                  ?T("The lifetime of the IP ban caused by too many "
                     "C2S authentication failures. The default value is "
                     "'1' hour.")}},
           {c2s_max_auth_failures,
            #{value => ?T("Number"),
              desc =>
                  ?T("The number of C2S authentication failures to "
                     "trigger the IP ban. The default value is '20'.")}}]}.