view mod_limit_auth/mod_limit_auth.lua @ 1733:9abd3dce619a

mod_smacks: Handle the read timeout event (0.10+ only) and send an ack request, close the connection the second time if unanswerd
author Kim Alvefur <zash@zash.se>
date Mon, 11 May 2015 15:07:52 +0200
parents c1bb2a64aabb
children 450ada5bb1b5
line wrap: on
line source

-- mod_limit_auth

local st = require"util.stanza";
local new_throttle = require "util.throttle".create;

local period = math.max(module:get_option_number(module.name.."_period", 30), 0);
local max = math.max(module:get_option_number(module.name.."_max", 5), 1);

local tarpit_delay = module:get_option_number(module.name.."_tarpit_delay", nil);
if tarpit_delay then
	local waiter = require "util.async".waiter;
	local delay = tarpit_delay;
	function tarpit_delay()
		local wait, done = waiter();
		module:add_timer(delay, done);
		wait();
	end
else
	function tarpit_delay() end
end

local throttles = module:shared"throttles";

local reply = st.stanza("failure", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):tag("temporary-auth-failure");

local function get_throttle(ip)
	local throttle = throttles[ip];
	if not throttle then
		throttle = new_throttle(max, period);
		throttles[ip] = throttle;
	end
	return throttle;
end

module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event)
	local origin = event.origin;
	if not get_throttle(origin.ip):peek(1) then
		origin.log("warn", "Too many authentication attepmts for ip %s", origin.ip);
		tarpit_delay();
		origin.send(reply);
		return true;
	end
end, 10);

module:hook("authentication-failure", function (event)
	get_throttle(event.session.ip):poll(1);
end);

-- TODO remove old throttles after some time