Software /
code /
prosody-modules
Changeset
5930:cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
This can be triggered by e.g. a distributed brute force attack, or from Monal.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Mon, 13 May 2024 18:30:18 +0100 (7 months ago) |
parents | 5929:02657e8693bc |
children | 5931:d194d1012fd3 |
files | mod_audit_auth/mod_audit_auth.lua |
diffstat | 1 files changed, 35 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_audit_auth/mod_audit_auth.lua Sun May 12 17:01:20 2024 +0200 +++ b/mod_audit_auth/mod_audit_auth.lua Mon May 13 18:30:18 2024 +0100 @@ -1,25 +1,55 @@ -local jid = require"util.jid"; +local cache = require "util.cache"; +local jid = require "util.jid"; local st = require "util.stanza"; module:depends("audit"); -- luacheck: read globals module.audit local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true); +local cache_size = module:get_option_number("audit_auth_cache_size", 128); +local repeat_failure_timeout = module:get_option_number("audit_auth_repeat_failure_timeout"); +local repeat_success_timeout = module:get_option_number("audit_auth_repeat_success_timeout"); +local failure_cache = cache.new(cache_size); module:hook("authentication-failure", function(event) local session = event.session; - module:audit(jid.join(session.sasl_handler.username, module.host), "authentication-failure", { - session = session, + + local username = session.sasl_handler.username; + if repeat_failure_timeout then + local cache_key = ("%s\0%s"):format(username, session.ip); + local last_failure = failure_cache:get(cache_key); + local now = os.time(); + if last_failure and (now - last_failure) > repeat_failure_timeout then + return; + end + failure_cache:set(cache_key, now); + end + + module:audit(jid.join(username, module.host), "authentication-failure", { + session = session; }); end) +local success_cache = cache.new(cache_size); module:hook("authentication-success", function(event) local session = event.session; if only_passwords and session.sasl_handler.fast then return; end - module:audit(jid.join(session.sasl_handler.username, module.host), "authentication-success", { - session = session, + + local username = session.sasl_handler.username; + if repeat_success_timeout then + local cache_key = ("%s\0%s"):format(username, session.ip); + local last_success = success_cache:get(cache_key); + local now = os.time(); + if last_success and (now - last_success) > repeat_success_timeout then + return; + end + success_cache:set(cache_key, now); + end + + module:audit(jid.join(username, module.host), "authentication-success", { + session = session; }); end)