end,
ResendOnTimeout = proplists:get_bool(resend_on_timeout, Opts),
IP = peerip(SockMod, Socket),
- %% Check if IP is blacklisted:
- case is_ip_blacklisted(IP) of
- true ->
- ?INFO_MSG("Connection attempt from blacklisted "
- "IP: ~s (~w)",
- [jlib:ip_to_list(IP), IP]),
- {stop, normal};
- false ->
- Socket1 = if TLSEnabled andalso
- SockMod /= ejabberd_frontend_socket ->
- SockMod:starttls(Socket, TLSOpts);
- true -> Socket
- end,
- SocketMonitor = SockMod:monitor(Socket1),
- StateData = #state{socket = Socket1, sockmod = SockMod,
- socket_monitor = SocketMonitor,
- xml_socket = XMLSocket, zlib = Zlib, tls = TLS,
- tls_required = StartTLSRequired,
- tls_enabled = TLSEnabled, tls_options = TLSOpts,
- sid = {now(), self()}, streamid = new_id(),
- access = Access, shaper = Shaper, ip = IP,
- mgmt_state = StreamMgmtState,
- mgmt_max_queue = MaxAckQueue,
- mgmt_timeout = ResumeTimeout,
- mgmt_resend = ResendOnTimeout},
- {ok, wait_for_stream, StateData, ?C2S_OPEN_TIMEOUT}
- end.
+ Socket1 = if TLSEnabled andalso
+ SockMod /= ejabberd_frontend_socket ->
+ SockMod:starttls(Socket, TLSOpts);
+ true -> Socket
+ end,
+ SocketMonitor = SockMod:monitor(Socket1),
+ StateData = #state{socket = Socket1, sockmod = SockMod,
+ socket_monitor = SocketMonitor,
+ xml_socket = XMLSocket, zlib = Zlib, tls = TLS,
+ tls_required = StartTLSRequired,
+ tls_enabled = TLSEnabled, tls_options = TLSOpts,
+ sid = {now(), self()}, streamid = new_id(),
+ access = Access, shaper = Shaper, ip = IP,
+ mgmt_state = StreamMgmtState,
+ mgmt_max_queue = MaxAckQueue,
+ mgmt_timeout = ResumeTimeout,
+ mgmt_resend = ResendOnTimeout},
+ {ok, wait_for_stream, StateData, ?C2S_OPEN_TIMEOUT}.
%% Return list of all available resources of contacts,
get_subscribed(FsmRef) ->
jlib:nameprep(xml:get_attr_s(<<"to">>, Attrs));
S -> S
end,
+ Lang = case xml:get_attr_s(<<"xml:lang">>, Attrs) of
+ Lang1 when byte_size(Lang1) =< 35 ->
+ %% As stated in BCP47, 4.4.1:
+ %% Protocols or specifications that
+ %% specify limited buffer sizes for
+ %% language tags MUST allow for
+ %% language tags of at least 35 characters.
+ Lang1;
+ _ ->
+ %% Do not store long language tag to
+ %% avoid possible DoS/flood attacks
+ <<"">>
+ end,
+ IsBlacklistedIP = is_ip_blacklisted(StateData#state.ip, Lang),
case lists:member(Server, ?MYHOSTS) of
- true ->
- Lang = case xml:get_attr_s(<<"xml:lang">>, Attrs) of
- Lang1 when size(Lang1) =< 35 ->
- %% As stated in BCP47, 4.4.1:
- %% Protocols or specifications that
- %% specify limited buffer sizes for
- %% language tags MUST allow for
- %% language tags of at least 35 characters.
- Lang1;
- _ ->
- %% Do not store long language tag to
- %% avoid possible DoS/flood attacks
- <<"">>
- end,
+ true when IsBlacklistedIP == false ->
change_shaper(StateData, jlib:make_jid(<<"">>, Server, <<"">>)),
case xml:get_attr_s(<<"version">>, Attrs) of
<<"1.0">> ->
lang = Lang})
end
end;
+ true ->
+ IP = StateData#state.ip,
+ {true, LogReason, ReasonT} = IsBlacklistedIP,
+ ?INFO_MSG("Connection attempt from blacklisted IP ~s: ~s",
+ [jlib:ip_to_list(IP), LogReason]),
+ send_header(StateData, Server, <<"">>, DefaultLang),
+ send_element(StateData, ?POLICY_VIOLATION_ERR(Lang, ReasonT)),
+ send_trailer(StateData),
+ {stop, normal, StateData};
_ ->
send_header(StateData, ?MYNAME, <<"">>, DefaultLang),
send_element(StateData, ?HOST_UNKNOWN_ERR),
{reply, Reply, StateName, StateData, ?C2S_OPEN_TIMEOUT}.
%% Used by c2s blacklist plugins
-is_ip_blacklisted(undefined) -> false;
-is_ip_blacklisted({IP, _Port}) ->
- ejabberd_hooks:run_fold(check_bl_c2s, false, [IP]).
+is_ip_blacklisted(undefined, _Lang) -> false;
+is_ip_blacklisted({IP, _Port}, Lang) ->
+ ejabberd_hooks:run_fold(check_bl_c2s, false, [IP, Lang]).
%% Check from attributes
%% returns invalid-from|NewElement
-module(mod_fail2ban).
-behaviour(gen_mod).
+-behaviour(gen_server).
%% API
--export([start/2, stop/1, c2s_auth_result/4, check_bl_c2s/2]).
+-export([start_link/2, start/2, stop/1, c2s_auth_result/4, check_bl_c2s/3]).
-%%%===================================================================
-%%% API
-%%%===================================================================
-start(Host, _Opts) ->
- catch ets:new(failed_auth, [named_table, public]),
- ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
- ejabberd_hooks:add(check_bl_c2s, ?MODULE, check_bl_c2s, 100).
+%% gen_server callbacks
+-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
+ terminate/2, code_change/3]).
-stop(Host) ->
- ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
- ejabberd_hooks:delete(check_bl_c2s, ?MODULE, check_bl_c2s, 100).
+-include_lib("stdlib/include/ms_transform.hrl").
+-include("ejabberd.hrl").
+-include("logger.hrl").
+
+-define(C2S_AUTH_BAN_LIFETIME, 3600). %% 1 hour
+-define(C2S_MAX_AUTH_FAILURES, 20).
+-define(CLEAN_INTERVAL, timer:minutes(10)).
+
+-record(state, {host = <<"">> :: binary()}).
%%%===================================================================
-%%% Internal functions
+%%% API
%%%===================================================================
-c2s_auth_result(false, _User, _Server, {Addr, _Port}) ->
+start_link(Host, Opts) ->
+ Proc = gen_mod:get_module_proc(Host, ?MODULE),
+ gen_server:start_link({local, Proc}, ?MODULE, [Host, Opts], []).
+
+c2s_auth_result(false, _User, LServer, {Addr, _Port}) ->
+ BanLifetime = gen_mod:get_module_opt(
+ LServer, ?MODULE, c2s_auth_ban_lifetime,
+ fun(T) when is_integer(T), T > 0 -> T end,
+ ?C2S_AUTH_BAN_LIFETIME),
+ MaxFailures = gen_mod:get_module_opt(
+ LServer, ?MODULE, c2s_max_auth_failures,
+ fun(I) when is_integer(I), I > 0 -> I end,
+ ?C2S_MAX_AUTH_FAILURES),
+ UnbanTS = unban_timestamp(BanLifetime),
case ets:lookup(failed_auth, Addr) of
+ [{Addr, N, _, _}] ->
+ ets:insert(failed_auth, {Addr, N+1, UnbanTS, MaxFailures});
[] ->
- ets:insert(failed_auth, {Addr, 1});
- _ ->
- ets:update_counter(failed_auth, Addr, 1)
- end,
- timer:sleep(3);
+ ets:insert(failed_auth, {Addr, 1, UnbanTS, MaxFailures})
+ end;
c2s_auth_result(true, _User, _Server, _AddrPort) ->
ok.
-check_bl_c2s(_Acc, Addr) ->
+check_bl_c2s(_Acc, Addr, Lang) ->
case ets:lookup(failed_auth, Addr) of
- [{Addr, N}] when N >= 100 ->
- {stop, true};
+ [{Addr, N, TS, MaxFailures}] when N >= MaxFailures ->
+ case TS > now() of
+ true ->
+ IP = jlib:ip_to_list(Addr),
+ UnbanDate = format_date(
+ calendar:now_to_universal_time(TS)),
+ LogReason = io_lib:fwrite(
+ "Too many (~p) failed authentications "
+ "from this IP address (~s). The address "
+ "will be unblocked at ~s UTC",
+ [N, IP, UnbanDate]),
+ ReasonT = io_lib:fwrite(
+ translate:translate(
+ Lang,
+ <<"Too many (~p) failed authentications "
+ "from this IP address (~s). The address "
+ "will be unblocked at ~s UTC">>),
+ [N, IP, UnbanDate]),
+ {stop, {true, LogReason, ReasonT}};
+ false ->
+ ets:delete(failed_auth, Addr),
+ false
+ end;
_ ->
false
end.
+
+%%====================================================================
+%% gen_mod callbacks
+%%====================================================================
+start(Host, Opts) ->
+ catch ets:new(failed_auth, [named_table, public]),
+ Proc = gen_mod:get_module_proc(Host, ?MODULE),
+ ChildSpec = {Proc, {?MODULE, start_link, [Host, Opts]},
+ transient, 1000, worker, [?MODULE]},
+ supervisor:start_child(ejabberd_sup, ChildSpec).
+
+stop(Host) ->
+ Proc = gen_mod:get_module_proc(Host, ?MODULE),
+ supervisor:terminate_child(ejabberd_sup, Proc),
+ supervisor:delete_child(ejabberd_sup, Proc).
+
+%%%===================================================================
+%%% gen_server callbacks
+%%%===================================================================
+init([Host, _Opts]) ->
+ ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
+ ejabberd_hooks:add(check_bl_c2s, ?MODULE, check_bl_c2s, 100),
+ erlang:send_after(?CLEAN_INTERVAL, self(), clean),
+ {ok, #state{host = Host}}.
+
+handle_call(_Request, _From, State) ->
+ Reply = ok,
+ {reply, Reply, State}.
+
+handle_cast(_Msg, State) ->
+ ?ERROR_MSG("got unexpected cast = ~p", [_Msg]),
+ {noreply, State}.
+
+handle_info(clean, State) ->
+ ?DEBUG("cleaning ~p ETS table", [failed_auth]),
+ Now = now(),
+ ets:select_delete(
+ failed_auth,
+ ets:fun2ms(fun({_, _, UnbanTS, _}) -> UnbanTS =< Now end)),
+ erlang:send_after(?CLEAN_INTERVAL, self(), clean),
+ {noreply, State};
+handle_info(_Info, State) ->
+ ?ERROR_MSG("got unexpected info = ~p", [_Info]),
+ {noreply, State}.
+
+terminate(_Reason, #state{host = Host}) ->
+ ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
+ case is_loaded_at_other_hosts(Host) of
+ true ->
+ ok;
+ false ->
+ ejabberd_hooks:delete(check_bl_c2s, ?MODULE, check_bl_c2s, 100),
+ ets:delete(failed_auth)
+ end.
+
+code_change(_OldVsn, State, _Extra) ->
+ {ok, State}.
+
+%%%===================================================================
+%%% Internal functions
+%%%===================================================================
+unban_timestamp(BanLifetime) ->
+ {MegaSecs, MSecs, USecs} = now(),
+ UnbanSecs = MegaSecs * 1000000 + MSecs + BanLifetime,
+ {UnbanSecs div 1000000, UnbanSecs rem 1000000, USecs}.
+
+is_loaded_at_other_hosts(Host) ->
+ lists:any(
+ fun(VHost) when VHost == Host ->
+ false;
+ (VHost) ->
+ gen_mod:is_loaded(VHost, ?MODULE)
+ end, ?MYHOSTS).
+
+format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
+ io_lib:format("~2..0w:~2..0w:~2..0w ~2..0w.~2..0w.~4..0w",
+ [Hour, Minute, Second, Day, Month, Year]).
projects / ejabberd / commitdiff