Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, libarchive.org for more info) to build successfully.

Commit da141f4c authored by rswindell's avatar rswindell

Implement login attempt tracking/throttling/filtering in the terminal server.

parent 08a60471
......@@ -47,13 +47,11 @@ bool sbbs_t::answer()
char path[MAX_PATH+1];
int i,l,in;
struct tm tm;
struct in_addr addr;
useron.number=0;
answertime=logontime=starttime=now=time(NULL);
/* Caller ID is IP address */
addr.s_addr=client_addr;
SAFECOPY(cid,inet_ntoa(addr));
SAFECOPY(cid,inet_ntoa(client_addr.sin_addr));
memset(&tm,0,sizeof(tm));
localtime_r(&now,&tm);
......@@ -118,6 +116,7 @@ bool sbbs_t::answer()
,rlogin_pass);
for(i=0;i<3;i++) {
if(stricmp(tmp,useron.pass)) {
badlogin(useron.alias, tmp);
rioctl(IOFI); /* flush input buffer */
bputs(text[InvalidLogon]);
if(cfg.sys_misc&SM_ECHO_PW)
......@@ -148,6 +147,7 @@ bool sbbs_t::answer()
}
if(i) {
if(stricmp(tmp,useron.pass)) {
badlogin(useron.alias, tmp);
bputs(text[InvalidLogon]);
if(cfg.sys_misc&SM_ECHO_PW)
sprintf(str,"(%04u) %-25s FAILED Password attempt: '%s'"
......@@ -200,6 +200,7 @@ bool sbbs_t::answer()
,rlogin_pass);
for(i=0;i<3;i++) {
if(stricmp(tmp,useron.pass)) {
badlogin(useron.alias, tmp);
rioctl(IOFI); /* flush input buffer */
bputs(text[InvalidLogon]);
if(cfg.sys_misc&SM_ECHO_PW)
......@@ -236,6 +237,7 @@ bool sbbs_t::answer()
}
if(i) {
if(stricmp(tmp,useron.pass)) {
badlogin(useron.alias, tmp);
bputs(text[InvalidLogon]);
if(cfg.sys_misc&SM_ECHO_PW)
sprintf(str,"(%04u) %-25s FAILED Password attempt: '%s'"
......@@ -443,5 +445,8 @@ bool sbbs_t::answer()
return(false);
}
if(useron.pass[0])
loginSuccess(startup->login_attempt_list, &client_addr);
return(true);
}
......@@ -116,6 +116,7 @@ int sbbs_t::login(char *username, char *pw)
return(LOGIC_FALSE);
}
if(stricmp(useron.pass,str)) {
badlogin(useron.alias, str);
bputs(text[InvalidLogon]);
if(cfg.sys_misc&SM_ECHO_PW)
sprintf(tmp,"(%04u) %-25s FAILED Password: '%s' Attempt: '%s'"
......@@ -132,8 +133,25 @@ int sbbs_t::login(char *username, char *pw)
bputs(text[InvalidLogon]);
useron.number=0;
useron.misc=useron_misc;
return(LOGIC_FALSE); }
return(LOGIC_FALSE);
}
}
return(LOGIC_TRUE);
}
void sbbs_t::badlogin(char* user, char* passwd)
{
char reason[128];
ulong count;
SAFEPRINTF(reason,"%s LOGIN", connection);
count=loginFailure(startup->login_attempt_list, &client_addr, connection, user, passwd);
if(startup->login_attempt_hack_threshold && count>=startup->login_attempt_hack_threshold)
hacklog(&cfg, reason, user, passwd, client_name, &client_addr);
if(startup->login_attempt_filter_threshold && count>=startup->login_attempt_filter_threshold)
filter_ip(&cfg, connection, "- TOO MANY CONSECUTIVE FAILED LOGIN ATTEMPTS"
,client_name, inet_ntoa(client_addr.sin_addr), user, /* fname: */NULL);
mswait(startup->login_attempt_delay);
}
......@@ -2818,7 +2818,7 @@ void event_thread(void* arg)
//****************************************************************************
sbbs_t::sbbs_t(ushort node_num, DWORD addr, const char* name, SOCKET sd,
sbbs_t::sbbs_t(ushort node_num, SOCKADDR_IN addr, const char* name, SOCKET sd,
scfg_t* global_cfg, char* global_text[], client_t* client_info)
{
char nodestr[32];
......@@ -3442,14 +3442,12 @@ int sbbs_t::nopen(char *str, int access)
void sbbs_t::spymsg(const char* msg)
{
char str[512];
struct in_addr addr;
if(cfg.node_num<1)
return;
addr.s_addr=client_addr;
SAFEPRINTF4(str,"\r\n\r\n*** Spy Message ***\r\nNode %d: %s [%s]\r\n*** %s ***\r\n\r\n"
,cfg.node_num,client_name,inet_ntoa(addr),msg);
,cfg.node_num,client_name,inet_ntoa(client_addr.sin_addr),msg);
if(startup->node_spybuf!=NULL
&& startup->node_spybuf[cfg.node_num-1]!=NULL) {
RingBufWrite(startup->node_spybuf[cfg.node_num-1],(uchar*)str,strlen(str));
......@@ -3876,6 +3874,7 @@ void node_thread(void* arg)
int file;
uint curshell=0;
node_t node;
ulong login_attempts;
sbbs_t* sbbs = (sbbs_t*) arg;
update_clients();
......@@ -3895,6 +3894,13 @@ void node_thread(void* arg)
}
#endif
if(startup->login_attempt_throttle
&& (login_attempts=loginAttempts(startup->login_attempt_list, &sbbs->client_addr)) > 1) {
lprintf(LOG_DEBUG,"Node %d Throttling suspicious connection from: %s (%u login attempts)"
,sbbs->cfg.node_num, inet_ntoa(sbbs->client_addr.sin_addr), login_attempts);
mswait(login_attempts*startup->login_attempt_throttle);
}
if(sbbs->answer()) {
if(sbbs->qwklogon) {
......@@ -4715,7 +4721,7 @@ void DLLCALL bbs_thread(void* arg)
NO_SSH:
#endif
sbbs = new sbbs_t(0, server_addr.sin_addr.s_addr
sbbs = new sbbs_t(0, server_addr
,"Terminal Server", telnet_socket, &scfg, text, NULL);
sbbs->online = 0;
if(sbbs->init()==false) {
......@@ -4726,7 +4732,7 @@ NO_SSH:
_beginthread(output_thread, 0, sbbs);
if(!(startup->options&BBS_OPT_NO_EVENTS)) {
events = new sbbs_t(0, server_addr.sin_addr.s_addr
events = new sbbs_t(0, server_addr
,"BBS Events", INVALID_SOCKET, &scfg, text, NULL);
events->online = 0;
if(events->init()==false) {
......@@ -5253,7 +5259,7 @@ NO_SSH:
node_socket[i-1]=client_socket;
sbbs_t* new_node = new sbbs_t(i, client_addr.sin_addr.s_addr, host_name
sbbs_t* new_node = new sbbs_t(i, client_addr, host_name
,client_socket
,&scfg, text, &client);
......
......@@ -163,7 +163,7 @@ class sbbs_t
public:
sbbs_t(ushort node_num, DWORD addr, const char* host_name, SOCKET
sbbs_t(ushort node_num, SOCKADDR_IN addr, const char* host_name, SOCKET
,scfg_t*, char* text[], client_t* client_info);
~sbbs_t();
......@@ -175,7 +175,7 @@ public:
client_t client;
SOCKET client_socket;
SOCKET client_socket_dup;
DWORD client_addr;
SOCKADDR_IN client_addr;
char client_name[128];
char client_ident[128];
DWORD local_addr;
......@@ -584,15 +584,23 @@ public:
int putnodedat(uint number, node_t * node);
int putnodeext(uint number, char * str);
/* logonoff.cpp */
bool answer();
/* login.ccp */
int login(char *str, char *pw);
void badlogin(char* user, char* passwd);
/* answer.cpp */
bool answer();
/* logon.ccp */
bool logon(void);
/* logout.cpp */
void logout(void);
void logoff(void);
BOOL newuser(void); /* Get new user */
void backout(void);
/* newuser.cpp */
BOOL newuser(void); /* Get new user */
/* text_sec.cpp */
int text_sec(void); /* Text sections */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment