From 1f91eb0b1139e7a134e3c8300a9d74f07cdda911 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20R=C3=A9mond?= Date: Wed, 14 May 2008 17:49:23 +0000 Subject: [PATCH] * Adding experimental branch. SVN Revision: 1324 --- ChangeLog | 8 +++ src/ejabberd_c2s.erl | 55 +++++++++++-------- src/ejabberd_socket.erl | 28 ++++++---- src/jlib.erl | 9 +++- src/mod_ip_blacklist.erl | 113 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 180 insertions(+), 33 deletions(-) create mode 100644 src/mod_ip_blacklist.erl diff --git a/ChangeLog b/ChangeLog index 5a123e441..27796169a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2008-05-05 Mickael Remond + + * src/ejabberd_c2s.erl: Added C2S blacklist support (EJAB-625). + * src/mod_ip_blacklist.erl: Likewise. + * src/jlib.erl: Added IP format tuple to string function. + * src/ejabberd_socket.erl: Properly handled c2s start failure (happen + for blacklisted IP). + 2008-02-21 Badlop * doc/release_notes_2.0.0.txt: Small fixes and update date diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl index 7239829e5..f2b7f7e70 100644 --- a/src/ejabberd_c2s.erl +++ b/src/ejabberd_c2s.erl @@ -174,26 +174,35 @@ init([{SockMod, Socket}, Opts]) -> (_) -> false end, Opts), IP = peerip(SockMod, Socket), - Socket1 = - if - TLSEnabled -> - SockMod:starttls(Socket, TLSOpts); - true -> - Socket - end, - SocketMonitor = SockMod:monitor(Socket1), - {ok, wait_for_stream, #state{socket = Socket1, - sockmod = SockMod, - socket_monitor = SocketMonitor, - zlib = Zlib, - tls = TLS, - tls_required = StartTLSRequired, - tls_enabled = TLSEnabled, - tls_options = TLSOpts, - streamid = new_id(), - access = Access, - shaper = Shaper, - ip = IP}, ?C2S_OPEN_TIMEOUT}. + %% Check if IP is blacklisted: + case is_ip_blacklisted(IP) of + true -> + ?INFO_MSG("Connection attempt from blacklisted IP: ~s", + [jlib:ip_to_list(IP)]), + {stop, normal}; + false -> + Socket1 = + if + TLSEnabled -> + SockMod:starttls(Socket, TLSOpts); + true -> + Socket + end, + SocketMonitor = SockMod:monitor(Socket1), + {ok, wait_for_stream, #state{socket = Socket1, + sockmod = SockMod, + socket_monitor = SocketMonitor, + zlib = Zlib, + tls = TLS, + tls_required = StartTLSRequired, + tls_enabled = TLSEnabled, + tls_options = TLSOpts, + streamid = new_id(), + access = Access, + shaper = Shaper, + ip = IP}, + ?C2S_OPEN_TIMEOUT} + end. %% Return list of all available resources of contacts, %% in form [{JID, Caps}]. @@ -842,8 +851,6 @@ wait_for_session(closed, StateData) -> {stop, normal, StateData}. - - session_established({xmlstreamelement, El}, StateData) -> {xmlelement, Name, Attrs, _Els} = El, User = StateData#state.user, @@ -1944,3 +1951,7 @@ fsm_reply(Reply, session_established, StateData) -> {reply, Reply, session_established, StateData, ?C2S_HIBERNATE_TIMEOUT}; fsm_reply(Reply, StateName, StateData) -> {reply, Reply, StateName, StateData, ?C2S_OPEN_TIMEOUT}. + +%% Used by c2s blacklist plugins +is_ip_blacklisted({IP,_Port}) -> + ejabberd_hooks:run_fold(check_bl_c2s, false, [IP]). diff --git a/src/ejabberd_socket.erl b/src/ejabberd_socket.erl index f94a0a0e1..389b3a106 100644 --- a/src/ejabberd_socket.erl +++ b/src/ejabberd_socket.erl @@ -65,19 +65,27 @@ start(Module, SockMod, Socket, Opts) -> SocketData = #socket_state{sockmod = SockMod, socket = Socket, receiver = Receiver}, - {ok, Pid} = Module:start({?MODULE, SocketData}, Opts), - case SockMod:controlling_process(Socket, Receiver) of - ok -> - ok; + case Module:start({?MODULE, SocketData}, Opts) of + {ok, Pid} -> + case SockMod:controlling_process(Socket, Receiver) of + ok -> + ok; + {error, _Reason} -> + SockMod:close(Socket) + end, + ejabberd_receiver:become_controller(Receiver, Pid); {error, _Reason} -> SockMod:close(Socket) - end, - ejabberd_receiver:become_controller(Receiver, Pid); + end; raw -> - {ok, Pid} = Module:start({SockMod, Socket}, Opts), - case SockMod:controlling_process(Socket, Pid) of - ok -> - ok; + case Module:start({SockMod, Socket}, Opts) of + {ok, Pid} -> + case SockMod:controlling_process(Socket, Pid) of + ok -> + ok; + {error, _Reason} -> + SockMod:close(Socket) + end; {error, _Reason} -> SockMod:close(Socket) end diff --git a/src/jlib.erl b/src/jlib.erl index 1ee2e4ffa..4fd897599 100644 --- a/src/jlib.erl +++ b/src/jlib.erl @@ -59,7 +59,8 @@ now_to_local_string/1, datetime_string_to_timestamp/1, decode_base64/1, - encode_base64/1]). + encode_base64/1, + ip_to_list/1]). -include("jlib.hrl"). @@ -676,3 +677,9 @@ e(X) when X>51, X<62 -> X-4; e(62) -> $+; e(63) -> $/; e(X) -> exit({bad_encode_base64_token, X}). + +%% Convert Erlang inet IP to list +ip_to_list({IP, _Port}) -> + ip_to_list(IP); +ip_to_list({A,B,C,D}) -> + lists:flatten(io_lib:format("~w.~w.~w.~w",[A,B,C,D])). diff --git a/src/mod_ip_blacklist.erl b/src/mod_ip_blacklist.erl new file mode 100644 index 000000000..095c501a4 --- /dev/null +++ b/src/mod_ip_blacklist.erl @@ -0,0 +1,113 @@ +%%%---------------------------------------------------------------------- +%%% File : mod_ip_blacklist.erl +%%% Author : Mickael Remond +%%% Purpose : Download blacklists from ProcessOne +%%% Created : 5 May 2008 by Mickael Remond +%%% Usage : Add the following line in modules section of ejabberd.cfg: +%%% {mod_ip_blacklist, []} +%%% +%%% +%%% ejabberd, Copyright (C) 2002-2008 Process-one +%%% +%%% This program is free software; you can redistribute it and/or +%%% modify it under the terms of the GNU General Public License as +%%% published by the Free Software Foundation; either version 2 of the +%%% License, or (at your option) any later version. +%%% +%%% This program is distributed in the hope that it will be useful, +%%% but WITHOUT ANY WARRANTY; without even the implied warranty of +%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +%%% General Public License for more details. +%%% +%%% You should have received a copy of the GNU General Public License +%%% along with this program; if not, write to the Free Software +%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +%%% 02111-1307 USA +%%% +%%%---------------------------------------------------------------------- + +-module(mod_ip_blacklist). +-author('mremond@process-one.net'). + +-behaviour(gen_mod). + +%% API: +-export([start/2, + init/1, + stop/1]). +-export([update_bl_c2s/0]). +%% Hooks: +-export([is_ip_in_c2s_blacklist/2]). + +-include("ejabberd.hrl"). + +-define(PROCNAME, ?MODULE). +-define(BLC2S, "http://xaai.process-one.net/bl_c2s.txt"). +-define(UPDATE_INTERVAL, 6). %% in hours + +-record(state, {timer}). +-record(bl_c2s, {ip}). + +%% Start once for all vhost +start(Host, Opts) -> + case whereis(?PROCNAME) of + undefined -> + ?DEBUG("Starting mod_ip_blacklist ~p ~p~n", [Host, Opts]), + register(?PROCNAME, + spawn(?MODULE, init, [#state{}])); + _ -> + ok + end. + +%% TODO: +stop(_Host) -> + ok. + +init(State)-> + inets:start(), + ets:new(bl_c2s, [named_table, public, {keypos, #bl_c2s.ip}]), + update_bl_c2s(), + %% Register hooks for blacklist + ejabberd_hooks:add(check_bl_c2s, ?MODULE, is_ip_in_c2s_blacklist, 50), + %% Set timer: Download the blacklist file every 6 hours + timer:apply_interval(timer:hours(?UPDATE_INTERVAL), ?MODULE, update_bl_c2s, []), + loop(State). + +%% Remove timer when stop is received. +loop(_State) -> + receive + stop -> + ok + end. + +%% Download blacklist file from ProcessOne XAAI +%% and update the table internal table +%% TODO: Support comment lines starting by % +update_bl_c2s() -> + ?INFO_MSG("Updating C2S Blacklist", []), + {ok, {{_Version, 200, _Reason}, _Headers, Body}} = http:request(?BLC2S), + IPs = string:tokens(Body,"\n"), + ets:delete_all_objects(bl_c2s), + lists:foreach( + fun(IP) -> + ets:insert(bl_c2s, #bl_c2s{ip=list_to_binary(IP)}) + end, IPs). + +%% Hook is run with: +%% ejabberd_hooks:run_fold(check_bl_c2s, false, [IP]), +%% Return: false: IP not blacklisted +%% true: IP is blacklisted +%% IPV4 IP tuple: +is_ip_in_c2s_blacklist(_Val, IP) -> + BinaryIP = list_to_binary(jlib:ip_to_list(IP)), + case ets:lookup(bl_c2s, BinaryIP) of + [] -> %% Not in blacklist + false; + [_] -> %% Blacklisted! + {stop, true} + end. + + +%% TODO: +%% - For now, we do not kick user already logged on a given IP after +%% we update the blacklist.