From e1c1a5339bc28de54535c07b9a7737ec7ec13b64 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 21 Dec 2015 14:41:38 +0100 Subject: mod_register: Use session log instance to ease indentification --- plugins/mod_register.lua | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index e537e903..a1b4e581 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -84,6 +84,7 @@ end); local function handle_registration_stanza(event) local session, stanza = event.origin, event.stanza; + local log = session.log or module._log; local query = stanza.tags[1]; if stanza.attr.type == "get" then @@ -106,13 +107,13 @@ local function handle_registration_stanza(event) local ok, err = usermanager_delete_user(username, host); if not ok then - module:log("debug", "Removing user account %s@%s failed: %s", username, host, err); + log("debug", "Removing user account %s@%s failed: %s", username, host, err); session.close = old_session_close; session.send(st.error_reply(stanza, "cancel", "service-unavailable", err)); return true; end - module:log("info", "User removed their account: %s@%s", username, host); + log("info", "User removed their account: %s@%s", username, host); module:fire_event("user-deregistered", { username = username, host = host, source = "mod_register", session = session }); else local username = nodeprep(query:get_child_text("username")); @@ -177,6 +178,7 @@ local blacklisted_ips = module:get_option_set("registration_blacklist", {})._ite module:hook("stanza/iq/jabber:iq:register:query", function(event) local session, stanza = event.origin, event.stanza; + local log = session.log or module._log; if not(allow_registration) or session.type ~= "c2s_unauthed" then session.send(st.error_reply(stanza, "cancel", "service-unavailable")); @@ -196,7 +198,7 @@ module:hook("stanza/iq/jabber:iq:register:query", function(event) else -- Check that the user is not blacklisted or registering too often if not session.ip then - module:log("debug", "User's IP not known; can't apply blacklist/whitelist"); + log("debug", "User's IP not known; can't apply blacklist/whitelist"); elseif blacklisted_ips[session.ip] or (whitelist_only and not whitelisted_ips[session.ip]) then session.send(st.error_reply(stanza, "cancel", "not-acceptable", "You are not allowed to register an account.")); return true; @@ -238,7 +240,7 @@ module:hook("stanza/iq/jabber:iq:register:query", function(event) return true; end session.send(st.reply(stanza)); -- user created! - module:log("info", "User account created: %s@%s", username, host); + log("info", "User account created: %s@%s", username, host); module:fire_event("user-registered", { username = username, host = host, source = "mod_register", session = session }); -- cgit v1.2.3 From d8fd2b081bac8587364fc2e57fe2810e826211a2 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 21 Dec 2015 14:48:33 +0100 Subject: mod_register: Add comment explaining the workaround for replying when the account is being deleted --- plugins/mod_register.lua | 1 + 1 file changed, 1 insertion(+) (limited to 'plugins') diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index a1b4e581..7e1cdc8f 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -98,6 +98,7 @@ local function handle_registration_stanza(event) if query.tags[1] and query.tags[1].name == "remove" then local username, host = session.username, session.host; + -- This one weird trick sends a reply to this stanza before the user is deleted local old_session_close = session.close; session.close = function(session, ...) session.send(st.reply(stanza)); -- cgit v1.2.3 From 563690a1ae3ac4533f19c6ea689025bb516cbe96 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Wed, 23 Dec 2015 08:57:12 +0100 Subject: mod_register: Switch to using util.throttle for limiting registrations per ip per time --- plugins/mod_register.lua | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index 7e1cdc8f..5e73dbf7 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -13,9 +13,9 @@ local usermanager_user_exists = require "core.usermanager".user_exists; local usermanager_create_user = require "core.usermanager".create_user; local usermanager_set_password = require "core.usermanager".set_password; local usermanager_delete_user = require "core.usermanager".delete_user; -local os_time = os.time; local nodeprep = require "util.encodings".stringprep.nodeprep; local jid_bare = require "util.jid".bare; +local create_throttle = require "util.throttle".create; local compat = module:get_option_boolean("registration_compat", true); local allow_registration = module:get_option_boolean("allow_registration", false); @@ -177,6 +177,19 @@ local whitelist_only = module:get_option_boolean("whitelist_registration_only"); local whitelisted_ips = module:get_option_set("registration_whitelist", { "127.0.0.1" })._items; local blacklisted_ips = module:get_option_set("registration_blacklist", {})._items; +local throttle_max = module:get_option_number("registration_throttle_max", min_seconds_between_registrations and 1); +local throttle_period = module:get_option_number("registration_throttle_period", min_seconds_between_registrations); + +local function check_throttle(ip) + if not throttle_max then return true end + local throttle = recent_ips[ip]; + if not throttle then + throttle = create_throttle(throttle_max, throttle_period); + recent_ips[ip] = throttle; + end + return throttle:poll(1); +end + module:hook("stanza/iq/jabber:iq:register:query", function(event) local session, stanza = event.origin, event.stanza; local log = session.log or module._log; @@ -204,18 +217,9 @@ module:hook("stanza/iq/jabber:iq:register:query", function(event) session.send(st.error_reply(stanza, "cancel", "not-acceptable", "You are not allowed to register an account.")); return true; elseif min_seconds_between_registrations and not whitelisted_ips[session.ip] then - if not recent_ips[session.ip] then - recent_ips[session.ip] = { time = os_time(), count = 1 }; - else - local ip = recent_ips[session.ip]; - ip.count = ip.count + 1; - - if os_time() - ip.time < min_seconds_between_registrations then - ip.time = os_time(); - session.send(st.error_reply(stanza, "wait", "not-acceptable")); - return true; - end - ip.time = os_time(); + if check_throttle(session.ip) then + session.send(st.error_reply(stanza, "wait", "not-acceptable")); + return true; end end local username, password = nodeprep(data.username), data.password; -- cgit v1.2.3 From ae05f1e162553a7477982a0b075463a77d809986 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Wed, 23 Dec 2015 08:58:34 +0100 Subject: mod_register: Use util.cache to limit the number of per-ip throttles kept --- plugins/mod_register.lua | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index 5e73dbf7..ee196722 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -16,6 +16,7 @@ local usermanager_delete_user = require "core.usermanager".delete_user; local nodeprep = require "util.encodings".stringprep.nodeprep; local jid_bare = require "util.jid".bare; local create_throttle = require "util.throttle".create; +local new_cache = require "util.cache".new; local compat = module:get_option_boolean("registration_compat", true); local allow_registration = module:get_option_boolean("allow_registration", false); @@ -171,7 +172,6 @@ local function parse_response(query) end end -local recent_ips = {}; local min_seconds_between_registrations = module:get_option_number("min_seconds_between_registrations"); local whitelist_only = module:get_option_boolean("whitelist_registration_only"); local whitelisted_ips = module:get_option_set("registration_whitelist", { "127.0.0.1" })._items; @@ -179,14 +179,17 @@ local blacklisted_ips = module:get_option_set("registration_blacklist", {})._ite local throttle_max = module:get_option_number("registration_throttle_max", min_seconds_between_registrations and 1); local throttle_period = module:get_option_number("registration_throttle_period", min_seconds_between_registrations); +local throttle_cache_size = module:get_option_number("registration_throttle_cache_size", 100); + +local throttle_cache = new_cache(throttle_cache_size); local function check_throttle(ip) if not throttle_max then return true end - local throttle = recent_ips[ip]; + local throttle = throttle_cache:get(ip); if not throttle then throttle = create_throttle(throttle_max, throttle_period); - recent_ips[ip] = throttle; end + throttle_cache:set(ip, throttle); return throttle:poll(1); end -- cgit v1.2.3 From 8bef48f7a9b6041b3ff5c8704139d8bbbd6b614a Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Wed, 23 Dec 2015 09:00:03 +0100 Subject: mod_register: Support for blacklisting ips that are still over limit when they get pushed out of the cache --- plugins/mod_register.lua | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index ee196722..1961b276 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -180,8 +180,14 @@ local blacklisted_ips = module:get_option_set("registration_blacklist", {})._ite local throttle_max = module:get_option_number("registration_throttle_max", min_seconds_between_registrations and 1); local throttle_period = module:get_option_number("registration_throttle_period", min_seconds_between_registrations); local throttle_cache_size = module:get_option_number("registration_throttle_cache_size", 100); +local blacklist_overflow = module_get_option_boolean("blacklist_on_registration_throttle_overload", false); -local throttle_cache = new_cache(throttle_cache_size); +local throttle_cache = new_cache(throttle_cache_size, blacklist_overflow and function (ip, throttle) + if not throttle:peek() then + module:log("info", "Adding ip %s to registration blacklist", ip); + blacklisted_ips[ip] = true; + end +end); local function check_throttle(ip) if not throttle_max then return true end -- cgit v1.2.3