# HG changeset patch # User Kim Alvefur # Date 1417884171 -3600 # Node ID c1bb2a64aabbaf07e36eaab25b3d3fa65a9e6434 # Parent 8e282eb0c70c605b864c885e6fc1923da17aea6d mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit diff -r 8e282eb0c70c -r c1bb2a64aabb mod_limit_auth/mod_limit_auth.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_limit_auth/mod_limit_auth.lua Sat Dec 06 17:42:51 2014 +0100 @@ -0,0 +1,49 @@ +-- mod_limit_auth + +local st = require"util.stanza"; +local new_throttle = require "util.throttle".create; + +local period = math.max(module:get_option_number(module.name.."_period", 30), 0); +local max = math.max(module:get_option_number(module.name.."_max", 5), 1); + +local tarpit_delay = module:get_option_number(module.name.."_tarpit_delay", nil); +if tarpit_delay then + local waiter = require "util.async".waiter; + local delay = tarpit_delay; + function tarpit_delay() + local wait, done = waiter(); + module:add_timer(delay, done); + wait(); + end +else + function tarpit_delay() end +end + +local throttles = module:shared"throttles"; + +local reply = st.stanza("failure", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):tag("temporary-auth-failure"); + +local function get_throttle(ip) + local throttle = throttles[ip]; + if not throttle then + throttle = new_throttle(max, period); + throttles[ip] = throttle; + end + return throttle; +end + +module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event) + local origin = event.origin; + if not get_throttle(origin.ip):peek(1) then + origin.log("warn", "Too many authentication attepmts for ip %s", origin.ip); + tarpit_delay(); + origin.send(reply); + return true; + end +end, 10); + +module:hook("authentication-failure", function (event) + get_throttle(event.session.ip):poll(1); +end); + +-- TODO remove old throttles after some time