Mercurial > prosody-modules
changeset 1583:c1bb2a64aabb
mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 06 Dec 2014 17:42:51 +0100 (2014-12-06) |
parents | 8e282eb0c70c |
children | 4713f9d453ec |
files | mod_limit_auth/mod_limit_auth.lua |
diffstat | 1 files changed, 49 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_limit_auth/mod_limit_auth.lua Sat Dec 06 17:42:51 2014 +0100 @@ -0,0 +1,49 @@ +-- mod_limit_auth + +local st = require"util.stanza"; +local new_throttle = require "util.throttle".create; + +local period = math.max(module:get_option_number(module.name.."_period", 30), 0); +local max = math.max(module:get_option_number(module.name.."_max", 5), 1); + +local tarpit_delay = module:get_option_number(module.name.."_tarpit_delay", nil); +if tarpit_delay then + local waiter = require "util.async".waiter; + local delay = tarpit_delay; + function tarpit_delay() + local wait, done = waiter(); + module:add_timer(delay, done); + wait(); + end +else + function tarpit_delay() end +end + +local throttles = module:shared"throttles"; + +local reply = st.stanza("failure", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):tag("temporary-auth-failure"); + +local function get_throttle(ip) + local throttle = throttles[ip]; + if not throttle then + throttle = new_throttle(max, period); + throttles[ip] = throttle; + end + return throttle; +end + +module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event) + local origin = event.origin; + if not get_throttle(origin.ip):peek(1) then + origin.log("warn", "Too many authentication attepmts for ip %s", origin.ip); + tarpit_delay(); + origin.send(reply); + return true; + end +end, 10); + +module:hook("authentication-failure", function (event) + get_throttle(event.session.ip):poll(1); +end); + +-- TODO remove old throttles after some time