25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-12-22 17:28:25 +01:00
xmpp.chapril.org-ejabberd/src/mod_fail2ban.erl

250 lines
8.3 KiB
Erlang
Raw Normal View History

2014-08-15 11:40:04 +02:00
%%%-------------------------------------------------------------------
2017-01-03 15:58:52 +01:00
%%% File : mod_fail2ban.erl
%%% Author : Evgeny Khramtsov <ekhramtsov@process-one.net>
%%% Purpose :
2014-08-15 11:40:04 +02:00
%%% Created : 15 Aug 2014 by Evgeny Khramtsov <ekhramtsov@process-one.net>
%%%
2015-10-07 00:06:58 +02:00
%%%
2019-01-08 22:53:27 +01:00
%%% ejabberd, Copyright (C) 2014-2019 ProcessOne
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
%%% published by the Free Software Foundation; either version 2 of the
%%% License, or (at your option) any later version.
%%%
%%% This program is distributed in the hope that it will be useful,
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
%%% General Public License for more details.
%%%
%%% You should have received a copy of the GNU General Public License along
%%% with this program; if not, write to the Free Software Foundation, Inc.,
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
2017-11-10 17:51:22 +01:00
%%%
2014-08-15 11:40:04 +02:00
%%%-------------------------------------------------------------------
2017-11-10 17:51:22 +01:00
2014-08-15 11:40:04 +02:00
-module(mod_fail2ban).
-behaviour(gen_mod).
-behaviour(gen_server).
2014-08-15 11:40:04 +02:00
%% API
-export([start/2, stop/1, reload/3, c2s_auth_result/3,
c2s_stream_started/2]).
2014-08-15 11:40:04 +02:00
2015-06-01 14:38:27 +02:00
-export([init/1, handle_call/3, handle_cast/2,
handle_info/2, terminate/2, code_change/3,
mod_opt_type/1, mod_options/1, depends/2]).
2014-08-15 11:40:04 +02:00
2018-11-30 13:33:39 +01:00
%% ejabberd command.
-export([get_commands_spec/0, unban/1]).
-include_lib("stdlib/include/ms_transform.hrl").
2018-11-30 13:33:39 +01:00
-include("ejabberd_commands.hrl").
-include("logger.hrl").
-include("xmpp.hrl").
-include("translate.hrl").
-define(CLEAN_INTERVAL, timer:minutes(10)).
-record(state, {host = <<"">> :: binary()}).
2014-08-15 11:40:04 +02:00
%%%===================================================================
%%% API
2014-08-15 11:40:04 +02:00
%%%===================================================================
-spec c2s_auth_result(ejabberd_c2s:state(), true | {false, binary()}, binary())
-> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_auth_result(#{sasl_mech := Mech} = State, {false, _}, _User)
when Mech == <<"EXTERNAL">> ->
State;
c2s_auth_result(#{ip := {Addr, _}, lserver := LServer} = State, {false, _}, _User) ->
case is_whitelisted(LServer, Addr) of
true ->
State;
false ->
2019-06-14 11:33:26 +02:00
BanLifetime = mod_fail2ban_opt:c2s_auth_ban_lifetime(LServer),
MaxFailures = mod_fail2ban_opt:c2s_max_auth_failures(LServer),
UnbanTS = erlang:system_time(second) + BanLifetime,
Attempts = case ets:lookup(failed_auth, Addr) of
[{Addr, N, _, _}] ->
ets:insert(failed_auth,
{Addr, N+1, UnbanTS, MaxFailures}),
N+1;
[] ->
ets:insert(failed_auth,
{Addr, 1, UnbanTS, MaxFailures}),
1
2016-08-09 09:56:32 +02:00
end,
if Attempts >= MaxFailures ->
log_and_disconnect(State, Attempts, UnbanTS);
true ->
State
end
end;
c2s_auth_result(#{ip := {Addr, _}} = State, true, _User) ->
ets:delete(failed_auth, Addr),
State.
-spec c2s_stream_started(ejabberd_c2s:state(), stream_start())
-> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_stream_started(#{ip := {Addr, _}} = State, _) ->
case ets:lookup(failed_auth, Addr) of
[{Addr, N, TS, MaxFailures}] when N >= MaxFailures ->
case TS > erlang:system_time(second) of
true ->
log_and_disconnect(State, N, TS);
false ->
ets:delete(failed_auth, Addr),
State
end;
2014-08-15 11:40:04 +02:00
_ ->
State
2014-08-15 11:40:04 +02:00
end.
%%====================================================================
%% gen_mod callbacks
%%====================================================================
start(Host, Opts) ->
catch ets:new(failed_auth, [named_table, public,
{heir, erlang:group_leader(), none}]),
2018-11-30 13:33:39 +01:00
ejabberd_commands:register_commands(get_commands_spec()),
2017-02-14 10:39:26 +01:00
gen_mod:start_child(?MODULE, Host, Opts).
stop(Host) ->
2018-11-30 13:33:39 +01:00
case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
false ->
ejabberd_commands:unregister_commands(get_commands_spec());
true ->
ok
end,
2017-02-14 10:39:26 +01:00
gen_mod:stop_child(?MODULE, Host).
reload(_Host, _NewOpts, _OldOpts) ->
ok.
depends(_Host, _Opts) ->
[].
%%%===================================================================
%%% gen_server callbacks
%%%===================================================================
init([Host, _Opts]) ->
2017-02-14 08:25:08 +01:00
process_flag(trap_exit, true),
ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
ejabberd_hooks:add(c2s_stream_started, Host, ?MODULE, c2s_stream_started, 100),
erlang:send_after(?CLEAN_INTERVAL, self(), clean),
{ok, #state{host = Host}}.
handle_call(_Request, _From, State) ->
Reply = ok,
{reply, Reply, State}.
handle_cast(_Msg, State) ->
2019-06-24 19:32:34 +02:00
?ERROR_MSG("Unexpected cast = ~p", [_Msg]),
{noreply, State}.
handle_info(clean, State) ->
2019-06-24 19:32:34 +02:00
?DEBUG("Cleaning ~p ETS table", [failed_auth]),
Now = erlang:system_time(second),
ets:select_delete(
failed_auth,
ets:fun2ms(fun({_, _, UnbanTS, _}) -> UnbanTS =< Now end)),
erlang:send_after(?CLEAN_INTERVAL, self(), clean),
{noreply, State};
handle_info(_Info, State) ->
2019-06-24 19:32:34 +02:00
?ERROR_MSG("Unexpected info = ~p", [_Info]),
{noreply, State}.
terminate(_Reason, #state{host = Host}) ->
ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
ejabberd_hooks:delete(c2s_stream_started, Host, ?MODULE, c2s_stream_started, 100),
2017-02-24 14:31:39 +01:00
case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
true ->
ok;
false ->
ets:delete(failed_auth)
end.
code_change(_OldVsn, State, _Extra) ->
{ok, State}.
2018-11-30 13:33:39 +01:00
%%--------------------------------------------------------------------
%% ejabberd command callback.
%%--------------------------------------------------------------------
-spec get_commands_spec() -> [ejabberd_commands()].
get_commands_spec() ->
[#ejabberd_commands{name = unban_ip, tags = [accounts],
desc = "Remove banned IP addresses from the fail2ban table",
longdesc = "Accepts an IP address with a network mask. "
"Returns the number of unbanned addresses, or a negative integer if there were any error.",
module = ?MODULE, function = unban,
args = [{address, binary}],
args_example = [<<"::FFFF:127.0.0.1/128">>],
args_desc = ["IP address, optionally with network mask."],
result_example = 3,
result_desc = "Amount of unbanned entries, or negative in case of error.",
result = {unbanned, integer}}].
2019-06-14 11:33:26 +02:00
-spec unban(binary()) -> integer().
2018-11-30 13:33:39 +01:00
unban(S) ->
2019-06-14 11:33:26 +02:00
case misc:parse_ip_mask(S) of
{ok, {Net, Mask}} ->
2018-11-30 13:33:39 +01:00
unban(Net, Mask);
error ->
?WARNING_MSG("Invalid network address when trying to unban: ~p", [S]),
-1
end.
2019-06-14 11:33:26 +02:00
-spec unban(inet:ip_address(), 0..128) -> non_neg_integer().
2018-11-30 13:33:39 +01:00
unban(Net, Mask) ->
ets:foldl(
fun({Addr, _, _, _}, Acc) ->
2019-06-14 11:33:26 +02:00
case misc:match_ip_mask(Addr, Net, Mask) of
2018-11-30 13:33:39 +01:00
true ->
ets:delete(failed_auth, Addr),
Acc+1;
false -> Acc
end
2019-06-14 11:33:26 +02:00
end, 0, failed_auth).
2018-11-30 13:33:39 +01:00
%%%===================================================================
%%% Internal functions
%%%===================================================================
2017-02-18 07:36:27 +01:00
-spec log_and_disconnect(ejabberd_c2s:state(), pos_integer(), non_neg_integer())
-> {stop, ejabberd_c2s:state()}.
log_and_disconnect(#{ip := {Addr, _}, lang := Lang} = State, Attempts, UnbanTS) ->
IP = misc:ip_to_list(Addr),
UnbanDate = format_date(
calendar:now_to_universal_time(seconds_to_now(UnbanTS))),
Format = ?T("Too many (~p) failed authentications "
"from this IP address (~s). The address "
"will be unblocked at ~s UTC"),
Args = [Attempts, IP, UnbanDate],
?WARNING_MSG("Connection attempt from blacklisted IP ~s: ~s",
[IP, io_lib:fwrite(Format, Args)]),
Err = xmpp:serr_policy_violation({Format, Args}, Lang),
{stop, ejabberd_c2s:send(State, Err)}.
is_whitelisted(Host, Addr) ->
2019-06-14 11:33:26 +02:00
Access = mod_fail2ban_opt:access(Host),
acl:match_rule(Host, Access, Addr) == allow.
seconds_to_now(Secs) ->
{Secs div 1000000, Secs rem 1000000, 0}.
format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
io_lib:format("~2..0w:~2..0w:~2..0w ~2..0w.~2..0w.~4..0w",
[Hour, Minute, Second, Day, Month, Year]).
2015-06-01 14:38:27 +02:00
mod_opt_type(access) ->
2019-06-14 11:33:26 +02:00
econf:acl();
2015-06-01 14:38:27 +02:00
mod_opt_type(c2s_auth_ban_lifetime) ->
2019-06-14 11:33:26 +02:00
econf:pos_int();
2015-06-01 14:38:27 +02:00
mod_opt_type(c2s_max_auth_failures) ->
2019-06-14 11:33:26 +02:00
econf:pos_int().
mod_options(_Host) ->
[{access, none},
{c2s_auth_ban_lifetime, 3600}, %% one hour
{c2s_max_auth_failures, 20}].