%%%-------------------------------------------------------------------
%%% File : mod_fail2ban.erl
%%% Author : Evgeny Khramtsov <ekhramtsov@process-one.net>
%%% Purpose :
%%% Created : 15 Aug 2014 by Evgeny Khramtsov <ekhramtsov@process-one.net>
%%%
%%%
%%% ejabberd, Copyright (C) 2014-2022 ProcessOne
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
%%% published by the Free Software Foundation; either version 2 of the
%%% License, or (at your option) any later version.
%%%
%%% This program is distributed in the hope that it will be useful,
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
%%% General Public License for more details.
%%%
%%% You should have received a copy of the GNU General Public License along
%%% with this program; if not, write to the Free Software Foundation, Inc.,
%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
%%%
%%%-------------------------------------------------------------------
-module(mod_fail2ban).
-behaviour(gen_mod).
-behaviour(gen_server).
%% API
-export([start/2, stop/1, reload/3, c2s_auth_result/3,
c2s_stream_started/2]).
-export([init/1, handle_call/3, handle_cast/2,
handle_info/2, terminate/2, code_change/3,
mod_opt_type/1, mod_options/1, depends/2, mod_doc/0]).
%% ejabberd command.
-export([get_commands_spec/0, unban/1]).
-include_lib("stdlib/include/ms_transform.hrl").
-include("ejabberd_commands.hrl").
-include("logger.hrl").
-include_lib("xmpp/include/xmpp.hrl").
-include("translate.hrl").
-define(CLEAN_INTERVAL, timer:minutes(10)).
-record(state, {host = <<"">> :: binary()}).
%%%===================================================================
%%% API
%%%===================================================================
-spec c2s_auth_result(ejabberd_c2s:state(), true | {false, binary()}, binary())
-> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_auth_result(#{sasl_mech := Mech} = State, {false, _}, _User)
when Mech == <<"EXTERNAL">> ->
State;
c2s_auth_result(#{ip := {Addr, _}, lserver := LServer} = State, {false, _}, _User) ->
case is_whitelisted(LServer, Addr) of
true ->
State;
false ->
BanLifetime = mod_fail2ban_opt:c2s_auth_ban_lifetime(LServer),
MaxFailures = mod_fail2ban_opt:c2s_max_auth_failures(LServer),
UnbanTS = current_time() + BanLifetime,
Attempts = case ets:lookup(failed_auth, Addr) of
[{Addr, N, _, _}] ->
ets:insert(failed_auth,
{Addr, N+1, UnbanTS, MaxFailures}),
N+1;
[] ->
ets:insert(failed_auth,
{Addr, 1, UnbanTS, MaxFailures}),
1
end,
if Attempts >= MaxFailures ->
log_and_disconnect(State, Attempts, UnbanTS);
true ->
State
end
end;
c2s_auth_result(#{ip := {Addr, _}} = State, true, _User) ->
ets:delete(failed_auth, Addr),
State.
-spec c2s_stream_started(ejabberd_c2s:state(), stream_start())
-> ejabberd_c2s:state() | {stop, ejabberd_c2s:state()}.
c2s_stream_started(#{ip := {Addr, _}} = State, _) ->
case ets:lookup(failed_auth, Addr) of
[{Addr, N, TS, MaxFailures}] when N >= MaxFailures ->
case TS > current_time() of
true ->
log_and_disconnect(State, N, TS);
false ->
ets:delete(failed_auth, Addr),
State
end;
_ ->
State
end.
%%====================================================================
%% gen_mod callbacks
%%====================================================================
start(Host, Opts) ->
catch ets:new(failed_auth, [named_table, public,
{heir, erlang:group_leader(), none}]),
ejabberd_commands:register_commands(?MODULE, get_commands_spec()),
gen_mod:start_child(?MODULE, Host, Opts).
stop(Host) ->
case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
false ->
ejabberd_commands:unregister_commands(get_commands_spec());
true ->
ok
end,
gen_mod:stop_child(?MODULE, Host).
reload(_Host, _NewOpts, _OldOpts) ->
ok.
depends(_Host, _Opts) ->
[].
%%%===================================================================
%%% gen_server callbacks
%%%===================================================================
init([Host|_]) ->
process_flag(trap_exit, true),
ejabberd_hooks:add(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
ejabberd_hooks:add(c2s_stream_started, Host, ?MODULE, c2s_stream_started, 100),
erlang:send_after(?CLEAN_INTERVAL, self(), clean),
{ok, #state{host = Host}}.
handle_call(Request, From, State) ->
?WARNING_MSG("Unexpected call from ~p: ~p", [From, Request]),
{noreply, State}.
handle_cast(_Msg, State) ->
?WARNING_MSG("Unexpected cast = ~p", [_Msg]),
{noreply, State}.
handle_info(clean, State) ->
?DEBUG("Cleaning ~p ETS table", [failed_auth]),
Now = current_time(),
ets:select_delete(
failed_auth,
ets:fun2ms(fun({_, _, UnbanTS, _}) -> UnbanTS =< Now end)),
erlang:send_after(?CLEAN_INTERVAL, self(), clean),
{noreply, State};
handle_info(_Info, State) ->
?WARNING_MSG("Unexpected info = ~p", [_Info]),
{noreply, State}.
terminate(_Reason, #state{host = Host}) ->
ejabberd_hooks:delete(c2s_auth_result, Host, ?MODULE, c2s_auth_result, 100),
ejabberd_hooks:delete(c2s_stream_started, Host, ?MODULE, c2s_stream_started, 100),
case gen_mod:is_loaded_elsewhere(Host, ?MODULE) of
true ->
ok;
false ->
ets:delete(failed_auth)
end.
code_change(_OldVsn, State, _Extra) ->
{ok, State}.
%%--------------------------------------------------------------------
%% ejabberd command callback.
%%--------------------------------------------------------------------
-spec get_commands_spec() -> [ejabberd_commands()].
get_commands_spec() ->
[#ejabberd_commands{name = unban_ip, tags = [accounts],
desc = "Remove banned IP addresses from the fail2ban table",
longdesc = "Accepts an IP address with a network mask. "
"Returns the number of unbanned addresses, or a negative integer if there were any error.",
module = ?MODULE, function = unban,
args = [{address, binary}],
args_example = [<<"::FFFF:127.0.0.1/128">>],
args_desc = ["IP address, optionally with network mask."],
result_example = 3,
result_desc = "Amount of unbanned entries, or negative in case of error.",
result = {unbanned, integer}}].
-spec unban(binary()) -> integer().
unban(S) ->
case misc:parse_ip_mask(S) of
{ok, {Net, Mask}} ->
unban(Net, Mask);
error ->
?WARNING_MSG("Invalid network address when trying to unban: ~p", [S]),
-1
end.
-spec unban(inet:ip_address(), 0..128) -> non_neg_integer().
unban(Net, Mask) ->
ets:foldl(
fun({Addr, _, _, _}, Acc) ->
case misc:match_ip_mask(Addr, Net, Mask) of
true ->
ets:delete(failed_auth, Addr),
Acc+1;
false -> Acc
end
end, 0, failed_auth).
%%%===================================================================
%%% Internal functions
%%%===================================================================
-spec log_and_disconnect(ejabberd_c2s:state(), pos_integer(), non_neg_integer())
-> {stop, ejabberd_c2s:state()}.
log_and_disconnect(#{ip := {Addr, _}, lang := Lang} = State, Attempts, UnbanTS) ->
IP = misc:ip_to_list(Addr),
UnbanDate = format_date(
calendar:now_to_universal_time(msec_to_now(UnbanTS))),
Format = ?T("Too many (~p) failed authentications "
"from this IP address (~s). The address "
"will be unblocked at ~s UTC"),
Args = [Attempts, IP, UnbanDate],
?WARNING_MSG("Connection attempt from blacklisted IP ~ts: ~ts",
[IP, io_lib:fwrite(Format, Args)]),
Err = xmpp:serr_policy_violation({Format, Args}, Lang),
{stop, ejabberd_c2s:send(State, Err)}.
-spec is_whitelisted(binary(), inet:ip_address()) -> boolean().
is_whitelisted(Host, Addr) ->
Access = mod_fail2ban_opt:access(Host),
acl:match_rule(Host, Access, Addr) == allow.
-spec msec_to_now(pos_integer()) -> erlang:timestamp().
msec_to_now(MSecs) ->
Secs = MSecs div 1000,
{Secs div 1000000, Secs rem 1000000, 0}.
-spec format_date(calendar:datetime()) -> iolist().
format_date({{Year, Month, Day}, {Hour, Minute, Second}}) ->
io_lib:format("~2..0w:~2..0w:~2..0w ~2..0w.~2..0w.~4..0w",
[Hour, Minute, Second, Day, Month, Year]).
current_time() ->
erlang:system_time(millisecond).
mod_opt_type(access) ->
econf:acl();
mod_opt_type(c2s_auth_ban_lifetime) ->
econf:timeout(second);
mod_opt_type(c2s_max_auth_failures) ->
econf:pos_int().
mod_options(_Host) ->
[{access, none},
{c2s_auth_ban_lifetime, timer:hours(1)},
{c2s_max_auth_failures, 20}].
mod_doc() ->
#{desc =>
[?T("The module bans IPs that show the malicious signs. "
"Currently only C2S authentication failures are detected."), "",
?T("Unlike the standalone program, 'mod_fail2ban' clears the "
"record of authentication failures after some time since the "
"first failure or on a successful authentication. "
"It also does not simply block network traffic, but "
"provides the client with a descriptive error message."), "",
?T("WARNING: You should not use this module behind a proxy or load "
"balancer. ejabberd will see the failures as coming from the "
"load balancer and, when the threshold of auth failures is "
"reached, will reject all connections coming from the load "
"balancer. You can lock all your user base out of ejabberd "
"when using this module behind a proxy.")],
opts =>
[{access,
#{value => ?T("AccessName"),
desc =>
?T("Specify an access rule for whitelisting IP "
"addresses or networks. If the rule returns 'allow' "
"for a given IP address, that address will never be "
"banned. The 'AccessName' should be of type 'ip'. "
"The default value is 'none'.")}},
{c2s_auth_ban_lifetime,
#{value => "timeout()",
desc =>
?T("The lifetime of the IP ban caused by too many "
"C2S authentication failures. The default value is "
"'1' hour.")}},
{c2s_max_auth_failures,
#{value => ?T("Number"),
desc =>
?T("The number of C2S authentication failures to "
"trigger the IP ban. The default value is '20'.")}}]}.
