mod_limit_auth/mod_limit_auth.lua
author Kim Alvefur <zash@zash.se>
Mon, 24 Aug 2015 23:17:36 +0200
changeset 1788 1656d4fd71d0
parent 1583 c1bb2a64aabb
child 1593 3e4d15ae2133
child 1858 450ada5bb1b5
permissions -rw-r--r--
mod_cloud_notify: Fix syntax errors and name
-- mod_limit_auth
local st = require"util.stanza";
local new_throttle = require "util.throttle".create;
-- Throttle parameters, all read from numeric config options named after
-- this module (<module name>_period, _max, _tarpit_delay).
local option_prefix = module.name;
local function read_option(suffix, default)
	return module:get_option_number(option_prefix..suffix, default);
end

-- Length of the throttle window (assumed seconds, as util.throttle uses);
-- clamped so a negative value cannot be configured.
local period = math.max(read_option("_period", 30), 0);
-- Failed attempts allowed per address within one window; at least 1.
local max = math.max(read_option("_max", 5), 1);
-- Optional tarpit: how long to hold a throttled connection before replying.
-- nil (the default) disables the tarpit. This local is later rebound to a
-- function, so keep it a `local` (the rebinding relies on it being in scope).
local tarpit_delay = read_option("_tarpit_delay", nil);
-- Rebind tarpit_delay from the configured number into a function.
-- With the option unset it becomes a no-op; otherwise it blocks the calling
-- handler for the configured delay by waiting on a module timer. The number
-- is copied into `delay` first, because the assignment below overwrites the
-- same local. util.async is only required when actually needed, presumably
-- so the module still loads on versions that lack it (the tarpit is 0.10+).
if not tarpit_delay then
	tarpit_delay = function() end;
else
	local waiter = require "util.async".waiter;
	local delay = tarpit_delay;
	tarpit_delay = function()
		-- waiter() yields a pair: wait() parks the current async context until
		-- done() is called, which the timer does after `delay` seconds.
		local wait, done = waiter();
		module:add_timer(delay, done);
		wait();
	end;
end
-- One throttle per client address, keyed by IP string. Kept in a
-- module:shared table (NOTE(review): shared tables persist across module
-- reloads, so counters are not reset by a reload — confirm if relied upon).
local throttles = module:shared("throttles");

-- SASL failure returned to throttled clients. Built once and reused for every
-- rejection; nothing here mutates it after construction.
local reply = st.stanza("failure", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" });
reply:tag("temporary-auth-failure");
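-- Bucket key for sessions whose address is unknown (ip == nil). Indexing
-- the table with nil would raise "table index is nil" inside the auth hook;
-- sharing one bucket keeps such sessions throttled rather than unthrottled.
local UNKNOWN_IP = "<unknown>";

--- Return the throttle for an address, creating it on first use.
-- Entries are never evicted (see the TODO at the end of the file), so the
-- table grows with the number of distinct addresses that attempt to log in.
-- @tparam string|nil ip client address used as the bucket key
-- @treturn table the util.throttle instance for that address
local function get_throttle(ip)
	local key = ip or UNKNOWN_IP;
	local throttle = throttles[key];
	if throttle == nil then
		throttle = new_throttle(max, period);
		throttles[key] = throttle;
	end
	return throttle;
end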
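--- Gate every SASL <auth/> on the per-address throttle. Hooked at priority
-- 10 so it runs ahead of the default-priority SASL handler. It only peeks at
-- the throttle: the cost of an attempt is charged by the
-- "authentication-failure" hook below, so successful logins are never counted.
-- @tparam table event stanza event; event.origin is the client session
-- @treturn boolean|nil true when the stanza was rejected here, nothing otherwise
local function check_auth_throttle(event)
	local origin = event.origin;
	if get_throttle(origin.ip):peek(1) then
		return; -- under the limit; let the SASL handler process the stanza
	end
	-- All sessions from one address share a bucket, so clients behind a common
	-- NAT or proxy are throttled together.
	-- Log message spelling fixed ("attempts") so log-based alerting can match it.
	origin.log("warn", "Too many authentication attempts for ip %s", origin.ip);
	-- Optional tarpit: hold the connection before answering. No-op unless the
	-- *_tarpit_delay option is set.
	tarpit_delay();
	origin.send(reply);
	return true;
end
module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", check_auth_throttle, 10);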
--- Charge one token from the address's throttle for each failed login.
-- Only failures are counted; the auth hook above merely peeks.
-- @tparam table event event.session is the session whose authentication failed
local function on_auth_failure(event)
	local session = event.session;
	local throttle = get_throttle(session.ip);
	throttle:poll(1);
end
module:hook("authentication-failure", on_auth_failure);
-- TODO remove old throttles after some time