annotate mod_audit_auth/mod_audit_auth.lua @ 5906:cc30c4b5f006

mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time This can be triggered by e.g. a distributed brute force attack, or from Monal.
author Matthew Wild <mwild1@gmail.com>
date Mon, 13 May 2024 18:30:18 +0100
parents f199bff16f1f
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5906
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
1 local cache = require "util.cache";
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
2 local jid = require "util.jid";
5749
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
3 local st = require "util.stanza";
5712
b357ff3d0c8a mod_audit_auth: Include hostpart with audit events
Kim Alvefur <zash@zash.se>
parents: 4934
diff changeset
4
4933
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
5 module:depends("audit");
4934
08dea42a302a mod_audit*: fix luacheck warnings
Jonas Schäfer <jonas@wielicki.name>
parents: 4933
diff changeset
6 -- luacheck: read globals module.audit
4933
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
7
5748
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5712
diff changeset
8 local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true);
5906
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
9 local cache_size = module:get_option_number("audit_auth_cache_size", 128);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
10 local repeat_failure_timeout = module:get_option_number("audit_auth_repeat_failure_timeout");
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
11 local repeat_success_timeout = module:get_option_number("audit_auth_repeat_success_timeout");
5748
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5712
diff changeset
12
5906
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
13 local failure_cache = cache.new(cache_size);
4933
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
14 module:hook("authentication-failure", function(event)
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
15 local session = event.session;
5906
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
16
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
17 local username = session.sasl_handler.username;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
18 if repeat_failure_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
19 local cache_key = ("%s\0%s"):format(username, session.ip);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
20 local last_failure = failure_cache:get(cache_key);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
21 local now = os.time();
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
22 if last_failure and (now - last_failure) > repeat_failure_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
23 return;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
24 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
25 failure_cache:set(cache_key, now);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
26 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
27
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
28 module:audit(jid.join(username, module.host), "authentication-failure", {
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
29 session = session;
4933
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
30 });
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
31 end)
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
32
5906
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
33 local success_cache = cache.new(cache_size);
4933
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
34 module:hook("authentication-success", function(event)
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
35 local session = event.session;
5748
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5712
diff changeset
36 if only_passwords and session.sasl_handler.fast then
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5712
diff changeset
37 return;
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5712
diff changeset
38 end
5906
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
39
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
40 local username = session.sasl_handler.username;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
41 if repeat_success_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
42 local cache_key = ("%s\0%s"):format(username, session.ip);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
43 local last_success = success_cache:get(cache_key);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
44 local now = os.time();
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
45 if last_success and (now - last_success) > repeat_success_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
46 return;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
47 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
48 success_cache:set(cache_key, now);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
49 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
50
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
51 module:audit(jid.join(username, module.host), "authentication-success", {
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5780
diff changeset
52 session = session;
4933
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
53 });
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
54 end)
5749
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
55
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
56 module:hook("client_management/new-client", function (event)
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
57 local session, client = event.session, event.client;
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
58
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
59 local client_info = st.stanza("client", { id = client.id });
5780
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
60
5749
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
61 if client.user_agent then
5780
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
62 local user_agent = st.stanza("user-agent", { xmlns = "urn:xmpp:sasl:2" })
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
63 if client.user_agent.software then
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
64 user_agent:text_tag("software", client.user_agent.software, { id = client.user_agent.software_id; version = client.user_agent.software_version });
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
65 end
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
66 if client.user_agent.device then
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
67 user_agent:text_tag("device", client.user_agent.device);
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
68 end
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
69 if client.user_agent.uri then
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
70 user_agent:text_tag("uri", client.user_agent.uri);
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
71 end
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
72 client_info:add_child(user_agent);
5749
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
73 end
5780
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5749
diff changeset
74
5749
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
75 if client.legacy then
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
76 client_info:text_tag("legacy");
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
77 end
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
78
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
79 module:audit(jid.join(session.username, module.host), "new-client", {
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
80 session = session;
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
81 custom = {
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
82 };
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
83 });
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5748
diff changeset
84 end);