annotate mod_register_dnsbl_firewall_mark/mod_register_dnsbl_firewall_mark.lua @ 5549:01a0b67a9afd

mod_http_oauth2: Add TODO about disabling password grant

Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:06:53 +0200
parents de40686ae9c8
children
Changesets annotated on this file (rev, changeset, description, author, parents). Source lines without a "rev" comment below come from rev 2112.

2112 0890c4860f14 mod_register_dnsbl: Initial commit of module to check users registering against an DNS block list
     Kim Alvefur <zash@zash.se>, parents:
2135 42b095dab626 mod_register_dnsbl: Fix matching pattern (Thanks Ge0rG)
     Kim Alvefur <zash@zash.se>, parents: 2112
2203 2dcc3079572c mod_register_dnsbl: Include more information in log message
     Kim Alvefur <zash@zash.se>, parents: 2135
2895 589cc51209f7 mod_register_dnsbl_firewall_mark: Another copy of DNSBL module, this time creating "user marks" for mod_firewall
     Kim Alvefur <zash@zash.se>, parents: 2889
4011 de40686ae9c8 mod_register_dnsbl_firewall_mark: introduce optional registration_rbl_message with mod_welcome inspired syntax
     Georg Lukas <georg@op-co.de>, parents: 3993

source

local adns = require "net.adns";
local rbl = module:get_option_string("registration_rbl");
-- rev 4011: optional message sent to users whose registration IP is listed
local rbl_message = module:get_option_string("registration_rbl_message");
local st = require "util.stanza";

-- rev 4011: strip the IPv4-mapped IPv6 prefix so "::ffff:a.b.c.d" is checked as a.b.c.d
local function cleanup_ip(ip)
	if ip:sub(1,7):lower() == "::ffff:" then
		return ip:sub(8);
	end
	return ip;
end

-- Build the DNSBL query name: the four octets reversed, followed by the block list zone.
-- Returns nil for anything that is not a dotted-quad IPv4 address, so IPv6 registrations are not checked.
local function reverse(ip, suffix)
	-- rev 2135. "%." matches a literal dot; a bare "." matches any character in a Lua pattern.
	local a,b,c,d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$");
	if not a then return end
	return ("%d.%d.%d.%d.%s"):format(d,c,b,a, suffix);
end

module:hook("user-registered", function (event)
	local session = event.session;
	local ip = session and session.ip and cleanup_ip(session.ip); -- rev 4011
	local rbl_ip = ip and reverse(ip, rbl);
	if rbl_ip then
		local registration_time = os.time(); -- rev 2895
		local log = session.log;
		-- Asynchronous lookup; the account already exists when the reply arrives.
		adns.lookup(function (reply)
			-- Any record in the reply means the address is listed.
			if reply and reply[1] then
				-- rev 2203
				log("warn", "Account %s@%s registered from IP %s found in RBL (%s)", event.username, event.host or module.host, ip, reply[1].a);
				-- rev 2895: record the hit as a mod_firewall user mark, on the live
				-- session data if the user is online, otherwise in the persistent store.
				local user = prosody.bare_sessions[event.username .. "@" .. module.host];
				if user and user.firewall_marks then
					user.firewall_marks.dnsbl_hit = registration_time;
				else
					module:open_store("firewall_marks", "map"):set(event.username, "dnsbl_hit", registration_time);
				end
				-- rev 4011: send the configured message, replacing each $name with the
				-- event field of that name; names with no such field are left as written.
				if rbl_message then
					module:log("debug", "Warning RBL registered user %s@%s", event.username, event.host);
					event.ip = ip;
					local rbl_stanza =
						st.message({ to = event.username.."@"..event.host, from = event.host },
							rbl_message:gsub("$(%w+)", event));
					module:send(rbl_stanza);
				end
			end
		end, rbl_ip);
	end
end);
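
The module's `reverse()` returns nil for anything but dotted-quad IPv4, so IPv6 registrations are never looked up. The stand-alone sketch below is an added example, not code from this repository: it builds the query name with octet range checks and goes beyond the module by also producing the nibble-reversed IPv6 form described in RFC 5782. The names `ipv4_name`, `groups`, `expand_ipv6` and `dnsbl_name` and the zone `dnsbl.example` are hypothetical, and it assumes the configured block list publishes IPv6 entries in that form.

```lua
-- Added example; returns the DNSBL query name for an address, or nil if it cannot be parsed.

local function ipv4_name(ip, zone)
	-- "%." is a literal dot; a bare "." would match any character.
	local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$");
	if not a then return nil end
	for _, octet in ipairs({ a, b, c, d }) do
		if #octet > 3 or tonumber(octet) > 255 then return nil end
	end
	return ("%d.%d.%d.%d.%s"):format(tonumber(d), tonumber(c), tonumber(b), tonumber(a), zone);
end

-- Split "1:2:3" into zero-padded 4-digit groups; nil on a malformed group.
local function groups(s)
	local out = {};
	if s == "" then return out end
	for g in (s .. ":"):gmatch("([^:]*):") do
		if not g:match("^%x%x?%x?%x?$") then return nil end
		out[#out + 1] = ("0"):rep(4 - #g) .. g:lower();
	end
	return out;
end

-- Expand an IPv6 literal (with at most one "::") to 32 hex digits.
local function expand_ipv6(ip)
	local head, tail = ip:match("^(.-)::(.*)$");
	if not head then
		local all = groups(ip);
		return all and #all == 8 and table.concat(all) or nil;
	end
	local h, t = groups(head), groups(tail);
	if not h or not t or #h + #t > 7 then return nil end
	for _ = 1, 8 - #h - #t do h[#h + 1] = "0000" end
	for _, g in ipairs(t) do h[#h + 1] = g end
	return table.concat(h);
end

local function dnsbl_name(ip, zone)
	local mapped = ip:match("^::[fF][fF][fF][fF]:(%d+%.%d+%.%d+%.%d+)$");
	if mapped or not ip:find(":", 1, true) then return ipv4_name(mapped or ip, zone) end
	local nibbles = expand_ipv6(ip);
	return nibbles and (nibbles:reverse():gsub("%x", "%0.") .. zone) or nil;
end

-- Constructed inputs; "dnsbl.example" is a placeholder zone.
assert(dnsbl_name("::ffff:192.0.2.1", "dnsbl.example") == "1.2.0.192.dnsbl.example");
assert(dnsbl_name("2001:db8::1", "dnsbl.example") == "1.0.0.0." .. ("0."):rep(20) .. "8.b.d.0.1.0.0.2.dnsbl.example");
assert(dnsbl_name("1x2x3x4", "dnsbl.example") == nil); -- would match "^(%d+).(%d+).(%d+).(%d+)$"
assert(dnsbl_name("192.0.2.999", "dnsbl.example") == nil);
```

Run it with a plain `lua` interpreter; it has no Prosody dependencies and exits silently when all four checks pass.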