author | Robert Adam <dev@robert-adam.de> | 2020-04-21 10:59:47 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-21 10:59:47 +0300 |
commit | c84f0a5ebf337fa28ec37475537a584ad9dfaed3 (patch) | |
tree | 7789b1196f07b213b4952d7574cdde09a87f7933 | |
parent | 35c1d01b216f1d7e7fb9bd0cd8ecce09681f02c3 (diff) | |
parent | 6c6a5918264cc9d202f302c31c8f4959d6b4f563 (diff) |
Merge pull request #4087: Add autobanSuccessfulConnections flag.
The idea here is that sometimes you really do have a lot of folks connecting from a single IP,
and if those connections are successful you don't want to ban any of them.
However, in cases where the server needs to guard against malicious users attempting a DDOS
by reconnecting their valid user account over and over, we need to be able to configure the
server to still ban those successful attempts.
-rw-r--r-- | scripts/murmur.ini | 4 | ||||
-rw-r--r-- | src/murmur/Meta.cpp | 17 | ||||
-rw-r--r-- | src/murmur/Meta.h | 5 | ||||
-rw-r--r-- | src/murmur/Server.cpp | 2 |
4 files changed, 27 insertions, 1 deletions
diff --git a/scripts/murmur.ini b/scripts/murmur.ini
index b18881c13..651918c37 100644
--- a/scripts/murmur.ini
+++ b/scripts/murmur.ini
@@ -373,9 +373,13 @@ allowping=true
 ; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these
 ; settings out will cause Murmur to use the defaults:
 ;
+; To avoid autobanning successful connection attempts from the same IP address,
+; set autobanSuccessfulConnections=False.
+;
 ;autobanAttempts=10
 ;autobanTimeframe=120
 ;autobanTime=300
+;autobanSuccessfulConnections=True
 ; Enables logging of group changes. This means that every time a group in a
 ; channel changes, the server will log all groups and their members from before
diff --git a/src/murmur/Meta.cpp b/src/murmur/Meta.cpp
index 39c0e4ebb..8c6ab9502 100644
--- a/src/murmur/Meta.cpp
+++ b/src/murmur/Meta.cpp
@@ -78,6 +78,7 @@ MetaParams::MetaParams() {
 iBanTries = 10;
 iBanTimeframe = 120;
 iBanTime = 300;
+ bBanSuccessful = true;
 #ifdef Q_OS_UNIX
 uiUid = uiGid = 0;
@@ -329,6 +330,7 @@ void MetaParams::read(QString fname) {
 iBanTries = typeCheckedFromSettings("autobanAttempts", iBanTries);
 iBanTimeframe = typeCheckedFromSettings("autobanTimeframe", iBanTimeframe);
 iBanTime = typeCheckedFromSettings("autobanTime", iBanTime);
+ bBanSuccessful = typeCheckedFromSettings("autobanSuccessfulConnections", bBanSuccessful);
 qvSuggestVersion = MumbleVersion::getRaw(qsSettings->value("suggestVersion").toString());
 if (qvSuggestVersion.toUInt() == 0)
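Review bot: The comment added in the scripts/murmur.ini hunk does not tell an operator what is given up by turning the option off or what counts as a "successful" connection. Going by the Meta.cpp hunk in this commit, `autobanSuccessfulConnections=False` makes every call to `successfulConnectionFrom` empty the attempt list kept for that address, so the autoban then only counts attempts that never reach that call. I would add a line such as `; With False, the attempt counter for an address is reset each time a connection from it is counted as successful, so autoban no longer limits repeated reconnects from that address.`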
@@ -747,8 +749,21 @@ void Meta::killAll() {
 qhServers.clear();
 }
+void Meta::successfulConnectionFrom(const QHostAddress &addr) {
+ if (!mp.bBanSuccessful) {
+ QList<Timer> &ql = qhAttempts[addr];
+ // Seems like this is the most efficient way to clear the list, given:
+ // 1. ql.clear() allocates a new array
+ // 2. ql has less than iBanAttempts members
+ // 3. seems like ql.removeFirst() might actually copy elements to shift to the front
+ while (!ql.empty()) {
+ ql.removeLast();
+ }
+ }
+}
+
 bool Meta::banCheck(const QHostAddress &addr) {
- if ((mp.iBanTries == 0) || (mp.iBanTimeframe == 0))
+ if ((mp.iBanTries <= 0) || (mp.iBanTimeframe <= 0))
 return false;
 if (qhBans.contains(addr)) {
diff --git a/src/murmur/Meta.h b/src/murmur/Meta.h
index 470ffbdc2..9720180fb 100644
--- a/src/murmur/Meta.h
+++ b/src/murmur/Meta.h
@@ -59,6 +59,7 @@ public:
 int iBanTries;
 int iBanTimeframe;
 int iBanTime;
+ bool bBanSuccessful;
 QString qsDatabase;
 int iSQLiteWAL;
@@ -192,6 +193,10 @@ class Meta : public QObject {
 void bootAll();
 bool boot(int);
 bool banCheck(const QHostAddress &);
+
+ /// Called whenever we get a successful connection from a client.
+ /// Used to reset autoban tracking for the address.
+ void successfulConnectionFrom(const QHostAddress &);
 void kill(int);
 void killAll();
 void getOSInfo();
diff --git a/src/murmur/Server.cpp b/src/murmur/Server.cpp
index bce2a2172..9a1f76099 100644
--- a/src/murmur/Server.cpp
+++ b/src/murmur/Server.cpp
@@ -1362,6 +1362,8 @@ void Server::newClient() {
 sock->setProtocol(QSsl::TlsV1_0);
 #endif
 sock->startServerEncryption();
+
+ meta->successfulConnectionFrom(adr);
 }
 } |
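Review bot: In `Meta::successfulConnectionFrom` (src/murmur/Meta.cpp), `qhAttempts[addr]` uses the non-const `operator[]`, so an address that is not yet tracked gets an empty entry created for it, and the emptied list stays in the container afterwards. Assuming `qhAttempts` is a `QHash` or `QMap` keyed by address, as the indexing suggests, `qhAttempts.remove(addr);` does the reset in one call and avoids keeping an entry per address. The comment's point 2 names `iBanAttempts`, which does not appear anywhere in this commit (the field is `iBanTries`), and its remarks about `clear()` and `removeFirst()` are stated as guesses, so I would drop them rather than keep them as the rationale. In the same hunk the `<= 0` test in `banCheck` now lets a negative `autobanAttempts` or `autobanTimeframe` switch the autoban off without any message; a log line when such a value is read would make that visible. `banCheck`'s body continues outside the hunk.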
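Review bot: The added call `meta->successfulConnectionFrom(adr);` in `Server::newClient()` (src/murmur/Server.cpp) sits directly after `sock->startServerEncryption()`, which only starts the TLS handshake, so nothing in this hunk shows that the handshake or the user's authentication has completed when the attempt list is reset. With `autobanSuccessfulConnections=False` that would clear the counter for every accepted socket rather than for every successful login, which leaves the autoban with nothing to accumulate for that address. The reset belongs at the point where the server has accepted the client's credentials; if it has to stay here, the option's documentation should say that "successful" means "connection accepted". `newClient`'s body starts outside the hunk, so an earlier check may exist that is not visible here.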