mirror of
https://github.com/processone/ejabberd.git
synced 2024-06-12 21:52:07 +02:00
Automatically remove IPs from ban, add the documentation
This commit is contained in:
parent
9be9949dab
commit
a1ce33ebf8
|
@ -72,6 +72,7 @@
|
||||||
\newcommand{\modconfigure}{\module{mod\_configure}}
|
\newcommand{\modconfigure}{\module{mod\_configure}}
|
||||||
\newcommand{\moddisco}{\module{mod\_disco}}
|
\newcommand{\moddisco}{\module{mod\_disco}}
|
||||||
\newcommand{\modecho}{\module{mod\_echo}}
|
\newcommand{\modecho}{\module{mod\_echo}}
|
||||||
|
\newcommand{\modfailban}{\module{mod\_fail2ban}}
|
||||||
\newcommand{\modhttpbind}{\module{mod\_http\_bind}}
|
\newcommand{\modhttpbind}{\module{mod\_http\_bind}}
|
||||||
\newcommand{\modhttpfileserver}{\module{mod\_http\_fileserver}}
|
\newcommand{\modhttpfileserver}{\module{mod\_http\_fileserver}}
|
||||||
\newcommand{\modirc}{\module{mod\_irc}}
|
\newcommand{\modirc}{\module{mod\_irc}}
|
||||||
|
@ -2783,6 +2784,7 @@ The following table lists all modules included in \ejabberd{}.
|
||||||
\hline \modconfigure{} & Server configuration using Ad-Hoc & \modadhoc{} \\
|
\hline \modconfigure{} & Server configuration using Ad-Hoc & \modadhoc{} \\
|
||||||
\hline \ahrefloc{moddisco}{\moddisco{}} & Service Discovery (\xepref{0030}) & \\
|
\hline \ahrefloc{moddisco}{\moddisco{}} & Service Discovery (\xepref{0030}) & \\
|
||||||
\hline \ahrefloc{modecho}{\modecho{}} & Echoes XMPP stanzas & \\
|
\hline \ahrefloc{modecho}{\modecho{}} & Echoes XMPP stanzas & \\
|
||||||
|
\hline \ahrefloc{modfail2ban}{\modfailban{}} & Bans IPs that show the malicious signs & \\
|
||||||
\hline \ahrefloc{modhttpbind}{\modhttpbind{}} & XMPP over Bosh service (HTTP Binding) & \\
|
\hline \ahrefloc{modhttpbind}{\modhttpbind{}} & XMPP over Bosh service (HTTP Binding) & \\
|
||||||
\hline \ahrefloc{modhttpfileserver}{\modhttpfileserver{}} & Small HTTP file server & \\
|
\hline \ahrefloc{modhttpfileserver}{\modhttpfileserver{}} & Small HTTP file server & \\
|
||||||
\hline \ahrefloc{modirc}{\modirc{}} & IRC transport & \\
|
\hline \ahrefloc{modirc}{\modirc{}} & IRC transport & \\
|
||||||
|
@ -3117,6 +3119,30 @@ modules:
|
||||||
...
|
...
|
||||||
\end{verbatim}
|
\end{verbatim}
|
||||||
|
|
||||||
|
\makesubsection{modfail2ban}{\modfailban{}}
|
||||||
|
\ind{modules!\modfailban{}}\ind{modfail2ban}
|
||||||
|
|
||||||
|
The module bans IPs that show the malicious signs. Currently only C2S authentication
|
||||||
|
failures are detected.
|
||||||
|
|
||||||
|
Available options:
|
||||||
|
\begin{description}
|
||||||
|
\titem{c2s\_auth\_ban\_lifetime: Seconds} The lifetime of the IP ban caused by too
|
||||||
|
many C2S authentication failures. The default is 3600, i.e. one hour.
|
||||||
|
\titem{c2s\_max\_auth\_failures: Integer} The number of C2S authentication failures to
|
||||||
|
trigger the IP ban. The default is 20.
|
||||||
|
\end{description}
|
||||||
|
|
||||||
|
Example:
|
||||||
|
\begin{verbatim}
|
||||||
|
modules:
|
||||||
|
...
|
||||||
|
mod_fail2ban:
|
||||||
|
c2s_auth_block_lifetime: 7200
|
||||||
|
c2s_max_auth_failures: 50
|
||||||
|
...
|
||||||
|
\end{verbatim}
|
||||||
|
|
||||||
\makesubsection{modhttpbind}{\modhttpbind{}}
|
\makesubsection{modhttpbind}{\modhttpbind{}}
|
||||||
\ind{modules!\modhttpbind{}}\ind{modhttpbind}
|
\ind{modules!\modhttpbind{}}\ind{modhttpbind}
|
||||||
|
|
||||||
|
|
|
@ -316,14 +316,6 @@ init([{SockMod, Socket}, Opts]) ->
|
||||||
end,
|
end,
|
||||||
ResendOnTimeout = proplists:get_bool(resend_on_timeout, Opts),
|
ResendOnTimeout = proplists:get_bool(resend_on_timeout, Opts),
|
||||||
IP = peerip(SockMod, Socket),
|
IP = peerip(SockMod, Socket),
|
||||||
%% Check if IP is blacklisted:
|
|
||||||
case is_ip_blacklisted(IP) of
|
|
||||||
true ->
|
|
||||||
?INFO_MSG("Connection attempt from blacklisted "
|
|
||||||
"IP: ~s (~w)",
|
|
||||||
[jlib:ip_to_list(IP), IP]),
|
|
||||||
{stop, normal};
|
|
||||||
false ->
|
|
||||||
Socket1 = if TLSEnabled andalso
|
Socket1 = if TLSEnabled andalso
|
||||||
SockMod /= ejabberd_frontend_socket ->
|
SockMod /= ejabberd_frontend_socket ->
|
||||||
SockMod:starttls(Socket, TLSOpts);
|
SockMod:starttls(Socket, TLSOpts);
|
||||||
|
@ -341,8 +333,7 @@ init([{SockMod, Socket}, Opts]) ->
|
||||||
mgmt_max_queue = MaxAckQueue,
|
mgmt_max_queue = MaxAckQueue,
|
||||||
mgmt_timeout = ResumeTimeout,
|
mgmt_timeout = ResumeTimeout,
|
||||||
mgmt_resend = ResendOnTimeout},
|
mgmt_resend = ResendOnTimeout},
|
||||||
{ok, wait_for_stream, StateData, ?C2S_OPEN_TIMEOUT}
|
{ok, wait_for_stream, StateData, ?C2S_OPEN_TIMEOUT}.
|
||||||
end.
|
|
||||||
|
|
||||||
%% Return list of all available resources of contacts,
|
%% Return list of all available resources of contacts,
|
||||||
get_subscribed(FsmRef) ->
|
get_subscribed(FsmRef) ->
|
||||||
|
@ -366,10 +357,8 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
|
||||||
jlib:nameprep(xml:get_attr_s(<<"to">>, Attrs));
|
jlib:nameprep(xml:get_attr_s(<<"to">>, Attrs));
|
||||||
S -> S
|
S -> S
|
||||||
end,
|
end,
|
||||||
case lists:member(Server, ?MYHOSTS) of
|
|
||||||
true ->
|
|
||||||
Lang = case xml:get_attr_s(<<"xml:lang">>, Attrs) of
|
Lang = case xml:get_attr_s(<<"xml:lang">>, Attrs) of
|
||||||
Lang1 when size(Lang1) =< 35 ->
|
Lang1 when byte_size(Lang1) =< 35 ->
|
||||||
%% As stated in BCP47, 4.4.1:
|
%% As stated in BCP47, 4.4.1:
|
||||||
%% Protocols or specifications that
|
%% Protocols or specifications that
|
||||||
%% specify limited buffer sizes for
|
%% specify limited buffer sizes for
|
||||||
|
@ -381,6 +370,9 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
|
||||||
%% avoid possible DoS/flood attacks
|
%% avoid possible DoS/flood attacks
|
||||||
<<"">>
|
<<"">>
|
||||||
end,
|
end,
|
||||||
|
IsBlacklistedIP = is_ip_blacklisted(StateData#state.ip, Lang),
|
||||||
|
case lists:member(Server, ?MYHOSTS) of
|
||||||
|
true when IsBlacklistedIP == false ->
|
||||||
change_shaper(StateData, jlib:make_jid(<<"">>, Server, <<"">>)),
|
change_shaper(StateData, jlib:make_jid(<<"">>, Server, <<"">>)),
|
||||||
case xml:get_attr_s(<<"version">>, Attrs) of
|
case xml:get_attr_s(<<"version">>, Attrs) of
|
||||||
<<"1.0">> ->
|
<<"1.0">> ->
|
||||||
|
@ -524,6 +516,15 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
|
||||||
lang = Lang})
|
lang = Lang})
|
||||||
end
|
end
|
||||||
end;
|
end;
|
||||||
|
true ->
|
||||||
|
IP = StateData#state.ip,
|
||||||
|
{true, LogReason, ReasonT} = IsBlacklistedIP,
|
||||||
|
?INFO_MSG("Connection attempt from blacklisted IP ~s: ~s",
|
||||||
|
[jlib:ip_to_list(IP), LogReason]),
|
||||||
|
send_header(StateData, Server, <<"">>, DefaultLang),
|
||||||
|
send_element(StateData, ?POLICY_VIOLATION_ERR(Lang, ReasonT)),
|
||||||
|
send_trailer(StateData),
|
||||||
|
{stop, normal, StateData};
|
||||||
_ ->
|
_ ->
|
||||||
send_header(StateData, ?MYNAME, <<"">>, DefaultLang),
|
send_header(StateData, ?MYNAME, <<"">>, DefaultLang),
|
||||||
send_element(StateData, ?HOST_UNKNOWN_ERR),
|
send_element(StateData, ?HOST_UNKNOWN_ERR),
|
||||||
|
@ -2492,9 +2493,9 @@ fsm_reply(Reply, StateName, StateData) ->
|
||||||
{reply, Reply, StateName, StateData, ?C2S_OPEN_TIMEOUT}.
|
{reply, Reply, StateName, StateData, ?C2S_OPEN_TIMEOUT}.
|
||||||
|
|
||||||
%% Used by c2s blacklist plugins
|
%% Used by c2s blacklist plugins
|
||||||
is_ip_blacklisted(undefined) -> false;
|
is_ip_blacklisted(undefined, _Lang) -> false;
|
||||||
is_ip_blacklisted({IP, _Port}) ->
|
is_ip_blacklisted({IP, _Port}, Lang) ->
|
||||||
ejabberd_hooks:run_fold(check_bl_c2s, false, [IP]).
|
ejabberd_hooks:run_fold(check_bl_c2s, false, [IP, Lang]).
|
||||||
|
|
||||||
%% Check from attributes
|
%% Check from attributes
|
||||||
%% returns invalid-from|NewElement
|
%% returns invalid-from|NewElement
|
||||||
|
|
|
@ -9,40 +9,153 @@
|
||||||
-module(mod_fail2ban).
|
-module(mod_fail2ban).
|
||||||
|
|
||||||
-behaviour(gen_mod).
|
-behaviour(gen_mod).
|
||||||
|
-behaviour(gen_server).
|
||||||
|
|
||||||
%% API
|
%% API
|
||||||
-export([start/2, stop/1, c2s_auth_result/4, check_bl_c2s/2]).
|
-export([start_link/2, start/2, stop/1, c2s_auth_result/4, check_bl_c2s/3]).
|
||||||
|
|
||||||
|
%% gen_server callbacks
|
||||||
|
-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
|
||||||
|
terminate/2, code_change/3]).
|
||||||
|
|
||||||
|
-include_lib("stdlib/include/ms_transform.hrl").
|
||||||
|
-include("ejabberd.hrl").
|
||||||
|
-include("logger.hrl").
|
||||||
|
|
||||||
|
-define(C2S_AUTH_BAN_LIFETIME, 3600). %% 1 hour
|
||||||
|
-define(C2S_MAX_AUTH_FAILURES, 20).
|
||||||
|
-define(CLEAN_INTERVAL, timer:minutes(10)).
|
||||||
|
|
||||||
|
-record(state, {host = <<"">> :: binary()}).
|
||||||
|
|
||||||
%%%===================================================================
|
%%%===================================================================
|
||||||
%%% API
|
%%% API
|
||||||
%%%===================================================================
|
%%%===================================================================
|
||||||
start(Host, _Opts) ->
|
start_link(Host, Opts) ->
|
||||||
|
Proc = gen_mod:get_module_proc(Host, ?MODULE),
|
||||||
|
gen_server:start_link({local, Proc}, ?MODULE, [Host, Opts], []).
|
||||||
|
|
||||||
|
c2s_auth_result(false, _User, LServer, {Addr, _Port}) ->
|
||||||
|
BanLifetime = gen_mod:get_module_opt(
|
||||||
|
LServer, ?MODULE, c2s_auth_ban_lifetime,
|
||||||
|
fun(T) when is_integer(T), T > 0 -> T end,
|
||||||
|
?C2S_AUTH_BAN_LIFETIME),
|
||||||
|
MaxFailures = gen_mod:get_module_opt(
|
||||||
|
LServer, ?MODULE, c2s_max_auth_failures,
|
||||||
|
fun(I) when is_integer(I), I > 0 -> I end,
|
||||||
|
?C2S_MAX_AUTH_FAILURES),
|
||||||
|
UnbanTS = unban_timestamp(BanLifetime),
|
||||||
|
case ets:lookup(failed_auth, Addr) of
|
||||||
|
[{Addr, N, _, _}] ->
|
||||||
|
ets:insert(failed_auth, {Addr, N+1, UnbanTS, MaxFailures});
|
||||||
|
[] ->
|
||||||
|
ets:insert(failed_auth, {Addr, 1, UnbanTS, MaxFailures})
|
||||||
|
end;
|
||||||
|
c2s_auth_result(true, _User, _Server, _AddrPort) ->
|
||||||
|
ok.
|
||||||
|
|
||||||
|
check_bl_c2s(_Acc, Addr, Lang) ->
|
||||||
|
case ets:lookup(failed_auth, Addr) of
|
||||||
|
[{Addr, N, TS, MaxFailures}] when N >= MaxFailures ->
|
||||||
|
case TS > now() of
|
||||||
|
true ->
|
||||||
|
IP = jlib:ip_to_list(Addr),
|
||||||
|
UnbanDate = format_date(
|
||||||
|
calendar:now_to_universal_time(TS)),
|
||||||
|
LogReason = io_lib:fwrite(
|
||||||
|
"Too many (~p) failed authentications "
|
||||||
|
"from this IP address (~s). The address "
|
||||||
|
"will be unblocked at ~s UTC",
|
||||||
|
[N, IP, UnbanDate]),
|
||||||
|
ReasonT = io_lib:fwrite(
|
||||||
|
translate:translate(
|
||||||
|
Lang,
|
||||||
|
<<"Too many (~p) failed authentications "
|
||||||
|
"from this IP address (~s). The address "
|
||||||
|
"will be unblocked at ~s UTC">>),
|
||||||
|
[N, IP, UnbanDate]),
|
||||||
|
{stop, {true, LogReason, ReasonT}};
|
||||||
|
false ->
|
||||||
|
ets:delete(failed_auth, Addr),
|
||||||
|
false
|
||||||
|
end;
|
||||||
|
_ ->
|
||||||
|
false
|
||||||
|
end.
|
||||||
|
|
||||||
|
%%====================================================================
|
||||||
|
%% gen_mod callbacks
|
||||||
|
%%====================================================================
|
||||||
|
start(Host, Opts) ->
|
||||||
catch ets:new(failed_auth, [named_table, public]),
|
catch ets:new(failed_auth, [named_table, public]),
|
||||||
ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
|
Proc = gen_mod:get_module_proc(Host, ?MODULE),
|
||||||
ejabberd_hooks:add(check_bl_c2s, ?MODULE, check_bl_c2s, 100).
|
ChildSpec = {Proc, {?MODULE, start_link, [Host, Opts]},
|
||||||
|
transient, 1000, worker, [?MODULE]},
|
||||||
|
supervisor:start_child(ejabberd_sup, ChildSpec).
|
||||||
|
|
||||||
stop(Host) ->
|
stop(Host) ->
|
||||||
|
Proc = gen_mod:get_module_proc(Host, ?MODULE),
|
||||||
|
supervisor:terminate_child(ejabberd_sup, Proc),
|
||||||
|
supervisor:delete_child(ejabberd_sup, Proc).
|
||||||
|
|
||||||
|
%%%===================================================================
|
||||||
|
%%% gen_server callbacks
|
||||||
|
%%%===================================================================
|
||||||
|
init([Host, _Opts]) ->
|
||||||
|
ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
|
||||||
|
ejabberd_hooks:add(check_bl_c2s, ?MODULE, check_bl_c2s, 100),
|
||||||
|
erlang:send_after(?CLEAN_INTERVAL, self(), clean),
|
||||||
|
{ok, #state{host = Host}}.
|
||||||
|
|
||||||
|
handle_call(_Request, _From, State) ->
|
||||||
|
Reply = ok,
|
||||||
|
{reply, Reply, State}.
|
||||||
|
|
||||||
|
handle_cast(_Msg, State) ->
|
||||||
|
?ERROR_MSG("got unexpected cast = ~p", [_Msg]),
|
||||||
|
{noreply, State}.
|
||||||
|
|
||||||
|
handle_info(clean, State) ->
|
||||||
|
?DEBUG("cleaning ~p ETS table", [failed_auth]),
|
||||||
|
Now = now(),
|
||||||
|
ets:select_delete(
|
||||||
|
failed_auth,
|
||||||
|
ets:fun2ms(fun({_, _, UnbanTS, _}) -> UnbanTS =< Now end)),
|
||||||
|
erlang:send_after(?CLEAN_INTERVAL, self(), clean),
|
||||||
|
{noreply, State};
|
||||||
|
handle_info(_Info, State) ->
|
||||||
|
?ERROR_MSG("got unexpected info = ~p", [_Info]),
|
||||||
|
{noreply, State}.
|
||||||
|
|
||||||
|
terminate(_Reason, #state{host = Host}) ->
|
||||||
ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
|
ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
|
||||||
ejabberd_hooks:delete(check_bl_c2s, ?MODULE, check_bl_c2s, 100).
|
case is_loaded_at_other_hosts(Host) of
|
||||||
|
true ->
|
||||||
|
ok;
|
||||||
|
false ->
|
||||||
|
ejabberd_hooks:delete(check_bl_c2s, ?MODULE, check_bl_c2s, 100),
|
||||||
|
ets:delete(failed_auth)
|
||||||
|
end.
|
||||||
|
|
||||||
|
code_change(_OldVsn, State, _Extra) ->
|
||||||
|
{ok, State}.
|
||||||
|
|
||||||
%%%===================================================================
|
%%%===================================================================
|
||||||
%%% Internal functions
|
%%% Internal functions
|
||||||
%%%===================================================================
|
%%%===================================================================
|
||||||
c2s_auth_result(false, _User, _Server, {Addr, _Port}) ->
|
unban_timestamp(BanLifetime) ->
|
||||||
case ets:lookup(failed_auth, Addr) of
|
{MegaSecs, MSecs, USecs} = now(),
|
||||||
[] ->
|
UnbanSecs = MegaSecs * 1000000 + MSecs + BanLifetime,
|
||||||
ets:insert(failed_auth, {Addr, 1});
|
{UnbanSecs div 1000000, UnbanSecs rem 1000000, USecs}.
|
||||||
_ ->
|
|
||||||
ets:update_counter(failed_auth, Addr, 1)
|
|
||||||
end,
|
|
||||||
timer:sleep(3);
|
|
||||||
c2s_auth_result(true, _User, _Server, _AddrPort) ->
|
|
||||||
ok.
|
|
||||||
|
|
||||||
check_bl_c2s(_Acc, Addr) ->
|
is_loaded_at_other_hosts(Host) ->
|
||||||
case ets:lookup(failed_auth, Addr) of
|
lists:any(
|
||||||
[{Addr, N}] when N >= 100 ->
|
fun(VHost) when VHost == Host ->
|
||||||
{stop, true};
|
false;
|
||||||
_ ->
|
(VHost) ->
|
||||||
false
|
gen_mod:is_loaded(VHost, ?MODULE)
|
||||||
end.
|
end, ?MYHOSTS).
|
||||||
|
|
||||||
|
format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
|
||||||
|
io_lib:format("~2..0w:~2..0w:~2..0w ~2..0w.~2..0w.~4..0w",
|
||||||
|
[Hour, Minute, Second, Day, Month, Year]).
|
||||||
|
|
|
@ -37,7 +37,7 @@
|
||||||
-export([update_bl_c2s/0]).
|
-export([update_bl_c2s/0]).
|
||||||
|
|
||||||
%% Hooks:
|
%% Hooks:
|
||||||
-export([is_ip_in_c2s_blacklist/2]).
|
-export([is_ip_in_c2s_blacklist/3]).
|
||||||
|
|
||||||
-include("ejabberd.hrl").
|
-include("ejabberd.hrl").
|
||||||
-include("logger.hrl").
|
-include("logger.hrl").
|
||||||
|
@ -107,14 +107,23 @@ update_bl_c2s() ->
|
||||||
%% Return: false: IP not blacklisted
|
%% Return: false: IP not blacklisted
|
||||||
%% true: IP is blacklisted
|
%% true: IP is blacklisted
|
||||||
%% IPV4 IP tuple:
|
%% IPV4 IP tuple:
|
||||||
is_ip_in_c2s_blacklist(_Val, IP) when is_tuple(IP) ->
|
is_ip_in_c2s_blacklist(_Val, IP, Lang) when is_tuple(IP) ->
|
||||||
BinaryIP = jlib:ip_to_list(IP),
|
BinaryIP = jlib:ip_to_list(IP),
|
||||||
case ets:lookup(bl_c2s, BinaryIP) of
|
case ets:lookup(bl_c2s, BinaryIP) of
|
||||||
[] -> %% Not in blacklist
|
[] -> %% Not in blacklist
|
||||||
false;
|
false;
|
||||||
[_] -> {stop, true}
|
[_] ->
|
||||||
|
LogReason = io_lib:fwrite(
|
||||||
|
"This IP address is blacklisted in ~s",
|
||||||
|
[?BLC2S]),
|
||||||
|
ReasonT = io_lib:fwrite(
|
||||||
|
translate:translate(
|
||||||
|
Lang,
|
||||||
|
<<"This IP address is blacklisted in ~s">>),
|
||||||
|
[?BLC2S]),
|
||||||
|
{stop, {true, LogReason, ReasonT}}
|
||||||
end;
|
end;
|
||||||
is_ip_in_c2s_blacklist(_Val, _IP) -> false.
|
is_ip_in_c2s_blacklist(_Val, _IP, _Lang) -> false.
|
||||||
|
|
||||||
%% TODO:
|
%% TODO:
|
||||||
%% - For now, we do not kick user already logged on a given IP after
|
%% - For now, we do not kick user already logged on a given IP after
|
||||||
|
|
Loading…
Reference in New Issue
Block a user