Software / code / prosody-modules
Annotate
mod_audit_auth/mod_audit_auth.lua @ 6120:bd3ff802d883
mod_anti_spam: Fix another traceback for origin sessions without an IP
This is likely to be the case for stanzas originating from local hosts, for
example (so not true s2s). It should be safe to bypass the IP check for those.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Sat, 28 Dec 2024 21:02:08 +0000 |
| parent | 5930:cc30c4b5f006 |
| rev | line source |
|---|---|
|
5930
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
1 local cache = require "util.cache"; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
2 local jid = require "util.jid"; |
|
5772
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
3 local st = require "util.stanza"; |
|
5735
b357ff3d0c8a
mod_audit_auth: Include hostpart with audit events
Kim Alvefur <zash@zash.se>
parents:
4933
diff
changeset
|
4 |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 module:depends("audit"); |
|
4933
08dea42a302a
mod_audit*: fix luacheck warnings
Jonas Schäfer <jonas@wielicki.name>
parents:
4932
diff
changeset
|
6 -- luacheck: read globals module.audit |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 |
|
5771
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5735
diff
changeset
|
8 local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true); |
|
5930
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
9 local cache_size = module:get_option_number("audit_auth_cache_size", 128); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
10 local repeat_failure_timeout = module:get_option_number("audit_auth_repeat_failure_timeout"); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
11 local repeat_success_timeout = module:get_option_number("audit_auth_repeat_success_timeout"); |
|
5771
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5735
diff
changeset
|
12 |
|
5930
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
13 local failure_cache = cache.new(cache_size); |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 module:hook("authentication-failure", function(event) |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 local session = event.session; |
|
5930
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
16 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
17 local username = session.sasl_handler.username; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
18 if repeat_failure_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
19 local cache_key = ("%s\0%s"):format(username, session.ip); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
20 local last_failure = failure_cache:get(cache_key); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
21 local now = os.time(); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
22 if last_failure and (now - last_failure) > repeat_failure_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
23 return; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
24 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
25 failure_cache:set(cache_key, now); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
26 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
27 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
28 module:audit(jid.join(username, module.host), "authentication-failure", { |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
29 session = session; |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 }); |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 end) |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 |
|
5930
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
33 local success_cache = cache.new(cache_size); |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 module:hook("authentication-success", function(event) |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 local session = event.session; |
|
5771
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5735
diff
changeset
|
36 if only_passwords and session.sasl_handler.fast then |
|
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5735
diff
changeset
|
37 return; |
|
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5735
diff
changeset
|
38 end |
|
5930
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
39 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
40 local username = session.sasl_handler.username; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
41 if repeat_success_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
42 local cache_key = ("%s\0%s"):format(username, session.ip); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
43 local last_success = success_cache:get(cache_key); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
44 local now = os.time(); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
45 if last_success and (now - last_success) > repeat_success_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
46 return; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
47 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
48 success_cache:set(cache_key, now); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
49 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
50 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
51 module:audit(jid.join(username, module.host), "authentication-success", { |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5803
diff
changeset
|
52 session = session; |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 }); |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 end) |
|
5772
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
55 |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
56 module:hook("client_management/new-client", function (event) |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
57 local session, client = event.session, event.client; |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
58 |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
59 local client_info = st.stanza("client", { id = client.id }); |
|
5803
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
60 |
|
5772
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
61 if client.user_agent then |
|
5803
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
62 local user_agent = st.stanza("user-agent", { xmlns = "urn:xmpp:sasl:2" }) |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
63 if client.user_agent.software then |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
64 user_agent:text_tag("software", client.user_agent.software, { id = client.user_agent.software_id; version = client.user_agent.software_version }); |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
65 end |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
66 if client.user_agent.device then |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
67 user_agent:text_tag("device", client.user_agent.device); |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
68 end |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
69 if client.user_agent.uri then |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
70 user_agent:text_tag("uri", client.user_agent.uri); |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
71 end |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
72 client_info:add_child(user_agent); |
|
5772
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
73 end |
|
5803
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5772
diff
changeset
|
74 |
|
5772
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
75 if client.legacy then |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
76 client_info:text_tag("legacy"); |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
77 end |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
78 |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
79 module:audit(jid.join(session.username, module.host), "new-client", { |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
80 session = session; |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
81 custom = { |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
82 }; |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
83 }); |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5771
diff
changeset
|
84 end); |
