annotate src/auth/auth-penalty.c @ 22614:cf66220d281e
doveadm proxy: Don't crash if remote doesn't support log proxying
author | Timo Sirainen <timo.sirainen@dovecot.fi> |
---|---|
date | Sat, 14 Oct 2017 12:54:18 +0300 |
parents | 2e2563132d5f |
children | cb108f786fb4 |
1 /* Copyright (c) 2009-2017 Dovecot authors, see the included COPYING file */ |
3 #include "lib.h" |
4 #include "ioloop.h" |
5 #include "net.h" |
6 #include "crc32.h" |
7 #include "master-service.h" |
8 #include "anvil-client.h" |
9 #include "auth-request.h" |
10 #include "auth-penalty.h" |
12 #include <stdio.h> |
/* Number of leading IPv6 address bits that identify a client for penalty
   tracking. Everything after this prefix is zeroed before the address is
   used as the lookup key, so a single IPv6 host can't flood the penalty
   tracking by cycling through tons of different IPs.

   Consequences worth knowing:
   - all hosts inside the same /48 share one penalty counter
   - auth_penalty_get_ident() applies the mask with a byte-granular memset
     (PENALTY_IPV6_MASK_BITS/CHAR_BIT), so this must stay a multiple of
     CHAR_BIT or the mask is silently rounded down. */
#define PENALTY_IPV6_MASK_BITS 48
/* One in-flight PENALTY-GET query. Allocated by auth_penalty_lookup() and
   freed by auth_penalty_anvil_callback() once anvil has replied. */
struct auth_penalty_request {
	/* auth request being checked; auth_penalty_lookup() takes a reference
	   that the reply callback drops again */
	struct auth_request *auth_request;
	/* anvil connection the query was sent on (copied from
	   struct auth_penalty, not owned by this struct) */
	struct anvil_client *client;
	/* called with the resulting penalty and the auth request */
	auth_penalty_callback_t *callback;
};
/* Penalty tracker handle returned by auth_penalty_init(). */
struct auth_penalty {
	/* anvil connection used for the PENALTY-* commands */
	struct anvil_client *client;

	/* set when the initial anvil connect failed. While set, lookups
	   report penalty 0 and updates are dropped, i.e. penalty tracking
	   fails open. */
	unsigned int disabled:1;
};
/* Create a penalty tracker that talks to anvil at `path`.

   Always returns a tracker. If the anvil connection can't be established the
   tracker is marked disabled instead of failing: later lookups then report
   penalty 0 and updates are ignored, so authentication keeps working but
   without any failure throttling. On a successful connect the penalty
   expiry time (AUTH_PENALTY_TIMEOUT seconds) is sent to anvil. */
struct auth_penalty *auth_penalty_init(const char *path)
{
	struct auth_penalty *tracker = i_new(struct auth_penalty, 1);

	tracker->client = anvil_client_init(path, NULL,
					    ANVIL_CLIENT_FLAG_HIDE_ENOENT);
	if (anvil_client_connect(tracker->client, TRUE) < 0) {
		/* fail open: no anvil, no penalty tracking */
		tracker->disabled = TRUE;
		return tracker;
	}

	anvil_client_cmd(tracker->client, t_strdup_printf(
		"PENALTY-SET-EXPIRE-SECS\t%u", AUTH_PENALTY_TIMEOUT));
	return tracker;
}
/* Destroy a tracker created by auth_penalty_init() and set the caller's
   pointer to NULL. *_penalty must point to a valid tracker; it is
   dereferenced without a NULL check. */
void auth_penalty_deinit(struct auth_penalty **_penalty)
{
	struct auth_penalty *tracker;

	tracker = *_penalty;
	/* clear the caller's pointer before freeing so that it can't be
	   used after the free */
	*_penalty = NULL;

	anvil_client_deinit(&tracker->client);
	i_free(tracker);
}
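/* Convert a penalty level into a delay in seconds.

   The delay starts at AUTH_PENALTY_INIT_SECS and doubles once per penalty
   level, capped at AUTH_PENALTY_MAX_SECS. */
unsigned int auth_penalty_to_secs(unsigned int penalty)
{
	unsigned int i, secs = AUTH_PENALTY_INIT_SECS;

	for (i = 0; i < penalty; i++) {
		/* Saturate instead of doubling past the cap. An unbounded
		   "secs *= 2" wraps around to 0 once penalty reaches the
		   width of unsigned int, which would turn the highest
		   penalties into no delay at all, and the loop would also
		   run `penalty` times for no benefit. */
		if (secs > AUTH_PENALTY_MAX_SECS / 2)
			return AUTH_PENALTY_MAX_SECS;
		secs *= 2;
	}
	return secs < AUTH_PENALTY_MAX_SECS ? secs : AUTH_PENALTY_MAX_SECS;
}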
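/* Reply handler for the PENALTY-GET query sent by auth_penalty_lookup().

   reply is NULL on internal failure, otherwise it's expected to be
   "<penalty> <last penalty timestamp>". The stored penalty is decayed
   according to how long ago it was last changed, the request's callback is
   called with the result, and the request (plus the auth request reference
   taken in auth_penalty_lookup()) is released.

   On a NULL reply the callback gets penalty 0, i.e. the check fails open. */
static void auth_penalty_anvil_callback(const char *reply, void *context)
{
	struct auth_penalty_request *request = context;
	unsigned int penalty = 0;
	unsigned long last_penalty = 0;
	unsigned int secs, drop_penalty;

	if (reply == NULL) {
		/* internal failure. */
		if (!anvil_client_is_connected(request->client)) {
			/* we probably didn't have permissions to reconnect
			   back to anvil. need to restart ourself. */
			master_service_stop(master_service);
		}
	} else if (sscanf(reply, "%u %lu", &penalty, &last_penalty) != 2) {
		/* NOTE(review): if only the first number parsed, penalty keeps
		   that value and is passed on without decay. sscanf() also
		   doesn't report out-of-range numbers. The reply is assumed
		   to come from anvil only - confirm. */
		i_error("Invalid PENALTY-GET reply: %s", reply);
	} else {
		if ((time_t)last_penalty > ioloop_time) {
			/* time moved backwards? */
			last_penalty = ioloop_time;
		}

		/* update penalty: drop one level for each threshold that has
		   already passed since the last change, starting from the
		   delay of the highest level. */
		drop_penalty = AUTH_PENALTY_MAX_PENALTY;
		while (penalty > 0) {
			secs = auth_penalty_to_secs(drop_penalty);
			if (ioloop_time - last_penalty < secs)
				break;
			/* Don't let drop_penalty wrap below zero. That can
			   only happen if the reply's penalty is larger than
			   AUTH_PENALTY_MAX_PENALTY + 1 (whether anvil can
			   send that isn't visible here), and would ask
			   auth_penalty_to_secs() for a level near UINT_MAX.
			   The resulting penalty is the same either way. */
			if (drop_penalty > 0)
				drop_penalty--;
			penalty--;
		}
	}

	request->callback(penalty, request->auth_request);
	auth_request_unref(&request->auth_request);
	i_free(request);
}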
/* Build the identity string that penalties are tracked under.

   This is the request's remote IP in text form. For IPv6 only the first
   PENALTY_IPV6_MASK_BITS bits are kept, so every address in the same prefix
   maps to the same identity. The result is whatever net_ip2addr() returns;
   callers in this file treat NULL as "no identity, skip penalty handling". */
static const char *
auth_penalty_get_ident(struct auth_request *auth_request)
{
	/* mask a local copy so the request's own address stays intact */
	struct ip_addr masked = auth_request->remote_ip;

#ifdef HAVE_IPV6
	if (IPADDR_IS_V6(&masked)) {
		/* whole bytes only: a mask that isn't a multiple of CHAR_BIT
		   gets rounded down here */
		const size_t keep_bytes = PENALTY_IPV6_MASK_BITS/CHAR_BIT;

		memset(masked.u.ip6.s6_addr + keep_bytes, 0,
		       sizeof(masked.u.ip6.s6_addr) - keep_bytes);
	}
#endif
	return net_ip2addr(&masked);
}
/* Look up the current penalty for the auth request's remote address and
   report it through callback(penalty, auth_request).

   The callback is called immediately with penalty 0 (no anvil query) when
   - tracking is disabled because anvil wasn't reachable at init,
   - no identity could be built for the remote address, or
   - the request has no_penalty set.
   All three cases fail open, so anything that is allowed to set no_penalty
   bypasses the throttling entirely.

   Otherwise a PENALTY-GET query is sent to anvil and the callback is called
   from auth_penalty_anvil_callback() when the reply arrives. */
void auth_penalty_lookup(struct auth_penalty *penalty,
			 struct auth_request *auth_request,
			 auth_penalty_callback_t *callback)
{
	struct auth_penalty_request *query;
	const char *ident = auth_penalty_get_ident(auth_request);

	if (penalty->disabled || ident == NULL || auth_request->no_penalty) {
		callback(0, auth_request);
		return;
	}

	query = i_new(struct auth_penalty_request, 1);
	query->auth_request = auth_request;
	query->client = penalty->client;
	query->callback = callback;
	/* keep the auth request referenced until anvil has replied; the
	   reply callback drops this reference */
	auth_request_ref(auth_request);

	T_BEGIN {
		const char *cmd = t_strdup_printf("PENALTY-GET\t%s", ident);

		anvil_client_query(penalty->client, cmd,
				   auth_penalty_anvil_callback, query);
	} T_END;
}
/* Checksum over the request's password followed by its username, sent to
   anvil along with PENALTY-INC by auth_penalty_update(). Returns 0 when the
   request has no mech_password.

   This is a plain CRC32, not a cryptographic hash: different user+password
   pairs can collide, 0 is both "no password" and a possible real checksum,
   and the value is derived directly from the password, so it shouldn't be
   logged or treated as non-sensitive. */
static unsigned int
get_userpass_checksum(struct auth_request *auth_request)
{
	if (auth_request->mech_password == NULL)
		return 0;

	return crc32_str_more(crc32_str(auth_request->mech_password),
			      auth_request->user);
}
/* Send the new penalty value for the auth request's remote address to
   anvil with PENALTY-INC.

   Nothing is sent when tracking is disabled, when no identity could be
   built for the remote address, or when the request has no_penalty set.
   value is clamped to AUTH_PENALTY_MAX_PENALTY. For a non-zero value the
   user+password checksum is included in the command; for value 0 the
   checksum is sent as 0. */
void auth_penalty_update(struct auth_penalty *penalty,
			 struct auth_request *auth_request, unsigned int value)
{
	const char *ident = auth_penalty_get_ident(auth_request);

	if (penalty->disabled || ident == NULL || auth_request->no_penalty)
		return;

	/* clamp rather than skip the update: even if the actual value
	   doesn't change, the last_change timestamp does. */
	if (value > AUTH_PENALTY_MAX_PENALTY)
		value = AUTH_PENALTY_MAX_PENALTY;

	T_BEGIN {
		unsigned int checksum = 0;

		if (value != 0)
			checksum = get_userpass_checksum(auth_request);
		anvil_client_cmd(penalty->client,
			t_strdup_printf("PENALTY-INC\t%s\t%u\t%u",
					ident, checksum, value));
	} T_END;
}