/*
* InspIRCd -- Internet Relay Chat Daemon
*
+ * Copyright (C) 2019 Matt Schatz <genius3000@g3k.solutions>
+ * Copyright (C) 2014 Googolplexed <googol@googolplexed.net>
+ * Copyright (C) 2013, 2017-2021 Sadie Powell <sadie@witchery.services>
+ * Copyright (C) 2012-2014 Attila Molnar <attilamolnar@hush.com>
+ * Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
+ * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
+ * Copyright (C) 2008, 2010 Craig Edwards <brain@inspircd.org>
* Copyright (C) 2008 Robin Burchell <robin+git@viroteck.net>
*
* This file is part of InspIRCd. InspIRCd is free software: you can
#include "inspircd.h"
#include "xline.h"
+#include "modules/webirc.h"
-/* $ModDesc: Throttles the connections of IP ranges who try to connect flood. */
-
-class ModuleConnectBan : public Module
+class ModuleConnectBan
+ : public Module
+ , public WebIRC::EventListener
{
- clonemap connects;
+ typedef std::map<irc::sockets::cidr_mask, unsigned int> ConnectMap;
+ ConnectMap connects;
unsigned int threshold;
unsigned int banduration;
unsigned int ipv4_cidr;
unsigned int ipv6_cidr;
+ std::string banmessage;
+
+ unsigned char GetRange(LocalUser* user)
+ {
+ int family = user->client_sa.family();
+ switch (family)
+ {
+ case AF_INET:
+ return ipv4_cidr;
+
+ case AF_INET6:
+ return ipv6_cidr;
+
+ case AF_UNIX:
+ // Ranges for UNIX sockets are ignored entirely.
+ return 0;
+ }
+
+ // If we have reached this point then we have encountered a bug.
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: ModuleConnectBan::GetRange(): socket type %d is unknown!", family);
+ return 0;
+ }
+
+ static bool IsExempt(LocalUser* user)
+ {
+ // E-lined and already banned users shouldn't be hit.
+ if (user->exempt || user->quitting)
+ return true;
+
+ // Users in an exempt class shouldn't be hit.
+ return user->GetClass() && !user->GetClass()->config->getBool("useconnectban", true);
+ }
public:
- void init() CXX11_OVERRIDE
+ ModuleConnectBan()
+ : WebIRC::EventListener(this)
{
- Implementation eventlist[] = { I_OnSetUserIP, I_OnGarbageCollect, I_OnRehash };
- ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
- OnRehash(NULL);
+ }
+
+ void Prioritize() CXX11_OVERRIDE
+ {
+ Module* corexline = ServerInstance->Modules->Find("core_xline");
+ ServerInstance->Modules->SetPriority(this, I_OnSetUserIP, PRIORITY_AFTER, corexline);
}
Version GetVersion() CXX11_OVERRIDE
{
- return Version("Throttles the connections of IP ranges who try to connect flood.", VF_VENDOR);
+ return Version("Z-lines IP addresses which make excessive connections to the server.", VF_VENDOR);
}
- void OnRehash(User* user) CXX11_OVERRIDE
+ void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
{
ConfigTag* tag = ServerInstance->Config->ConfValue("connectban");
- ipv4_cidr = tag->getInt("ipv4cidr", 32);
- if (ipv4_cidr == 0)
- ipv4_cidr = 32;
-
- ipv6_cidr = tag->getInt("ipv6cidr", 128);
- if (ipv6_cidr == 0)
- ipv6_cidr = 128;
+ ipv4_cidr = tag->getUInt("ipv4cidr", 32, 1, 32);
+ ipv6_cidr = tag->getUInt("ipv6cidr", 128, 1, 128);
+ threshold = tag->getUInt("threshold", 10, 1);
+ banduration = tag->getDuration("duration", 10*60, 1);
+ banmessage = tag->getString("banmessage", "Your IP range has been attempting to connect too many times in too short a duration. Wait a while, and you will be able to connect.");
+ }
- threshold = tag->getInt("threshold", 10);
- if (threshold == 0)
- threshold = 10;
+ void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) CXX11_OVERRIDE
+ {
+ if (IsExempt(user))
+ return;
- banduration = InspIRCd::Duration(tag->getString("duration", "10m"));
- if (banduration == 0)
- banduration = 10*60;
+ // HACK: Lower the connection attempts for the gateway IP address. The user
+ // will be rechecked for connect spamming shortly after when their IP address
+ // is changed and OnSetUserIP is called.
+ irc::sockets::cidr_mask mask(user->client_sa, GetRange(user));
+ ConnectMap::iterator iter = connects.find(mask);
+ if (iter != connects.end() && iter->second)
+ iter->second--;
}
void OnSetUserIP(LocalUser* u) CXX11_OVERRIDE
{
- if (u->exempt)
+ if (IsExempt(u))
return;
- int range = 32;
- clonemap::iterator i;
-
- switch (u->client_sa.sa.sa_family)
- {
- case AF_INET6:
- range = ipv6_cidr;
- break;
- case AF_INET:
- range = ipv4_cidr;
- break;
- }
-
- irc::sockets::cidr_mask mask(u->client_sa, range);
- i = connects.find(mask);
+ irc::sockets::cidr_mask mask(u->client_sa, GetRange(u));
+ ConnectMap::iterator i = connects.find(mask);
if (i != connects.end())
{
if (i->second >= threshold)
{
- // Create zline for set duration.
- ZLine* zl = new ZLine(ServerInstance->Time(), banduration, ServerInstance->Config->ServerName, "Your IP range has been attempting to connect too many times in too short a duration. Wait a while, and you will be able to connect.", mask.str());
- if (ServerInstance->XLines->AddLine(zl,NULL))
- ServerInstance->XLines->ApplyLines();
- else
+ // Create Z-line for set duration.
+ ZLine* zl = new ZLine(ServerInstance->Time(), banduration, ServerInstance->Config->ServerName, banmessage, mask.str());
+ if (!ServerInstance->XLines->AddLine(zl, NULL))
+ {
delete zl;
-
+ return;
+ }
+ ServerInstance->XLines->ApplyLines();
std::string maskstr = mask.str();
- std::string timestr = ServerInstance->TimeString(zl->expiry);
- ServerInstance->SNO->WriteGlobalSno('x',"Module m_connectban added Z:line on *@%s to expire on %s: Connect flooding",
- maskstr.c_str(), timestr.c_str());
+ ServerInstance->SNO->WriteGlobalSno('x', "Z-line added by module m_connectban on %s to expire in %s (on %s): Connect flooding",
+ maskstr.c_str(), InspIRCd::DurationString(zl->duration).c_str(), InspIRCd::TimeString(zl->expiry).c_str());
ServerInstance->SNO->WriteGlobalSno('a', "Connect flooding from IP range %s (%d)", maskstr.c_str(), threshold);
connects.erase(i);
}
}
}
- void OnGarbageCollect()
+ void OnGarbageCollect() CXX11_OVERRIDE
{
- ServerInstance->Logs->Log("m_connectban",LOG_DEBUG, "Clearing map.");
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Clearing map.");
connects.clear();
}
};
projects / user / henk / code / inspircd.git / blobdiff