-- Old way to configure the webserver (doesn't handle HTTPS or multiple listeners)
-- webserver("0.0.0.0:8084", "--WEBPWD")
-- New way to configure the webserver
-- IP addr:port Use SSL? Certificate File Private Key TLS Options - see https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html
-- NOTE: this listener binds every interface with TLS switched off (second
-- argument is false), so the webserver password set just below crosses the
-- network in clear text; only the addACL() ranges further down limit who can
-- reach it.
addListener("0.0.0.0:8084", false, "", "", {})
setWebserverPassword("--WEBPWD")
--SETKEY
-- The control channel stays on loopback.
controlSocket("127.0.0.1:4004")

-- Source networks the ACL admits.
local acl_networks = { "127.0.0.0/8", "192.168.0.0/16" }
for _, cidr in ipairs(acl_networks) do
  addACL(cidr)
end

-- Addresses in this group are exempted from every threshold in allow();
-- keep it as narrow as possible.
local bulkRetrievers = newNetmaskGroup()
--bulkRetrievers:addMask("130.161.0.0/16")
--bulkRetrievers:addMask("145.132.0.0/16")

local string_find = string.find

-- "diffFailedPasswords" is an "hll" field (presumably HyperLogLog, i.e. an
-- approximate distinct count); twreport() feeds it password hashes and
-- allow() reads it back.
local field_map = { diffFailedPasswords = "hll" }
-- 600-second windows, six of them: one sliding hour, hence the DB name
-- (assumes the signature is name, window seconds, window count, fields —
-- confirm against the wforce docs).
newStringStatsDB("OneHourDB", 600, 6, field_map)
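--- Report hook: records a failed login in the OneHourDB stats DB, keyed both
-- by the source address and by the "<addr>:<login>" pair, so allow() can
-- count distinct failed password hashes per key.
-- @param lt login tuple supplied by wforce; fields read here: success,
--   policy_reject, remote (has :tostring()), login, pwhash
function twreport(lt)
  -- Successful logins and policy rejects are not counted; policy_reject
  -- presumably marks attempts refused by allow() rather than by a wrong
  -- password — confirm against the wforce docs.
  if lt.success or lt.policy_reject then
    return
  end
  local sdb = getStringStatsDB("OneHourDB")
  sdb:twAdd(lt.remote, "diffFailedPasswords", lt.pwhash)
  -- Fix: addrlogin was assigned without `local`, making it an accidental
  -- global that leaked state between calls; it is now function-scoped.
  local addrlogin = lt.remote:tostring() .. ":" .. lt.login
  sdb:twAdd(addrlogin, "diffFailedPasswords", lt.pwhash)
end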
-- Register twreport() as the hook wforce calls after each login outcome.
setReport(twreport)
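--- Allow hook: decides whether a login attempt may proceed.
-- Every exit returns the four values wforce expects: <return value>,
-- <message for client>, <log message>, <log key-values>. Here 0 allows and
-- -1 rejects; the positive 3 is presumably a delay — confirm against the
-- wforce docs.
-- @param lt login tuple supplied by wforce; fields read here: remote
--   (has :tostring()), login
function allow(lt)
  -- Thresholds are defined once so the comparison and the logged
  -- `attempts` value cannot drift apart.
  local IP_FAIL_LIMIT = 50
  local IP_LOGIN_FAIL_LIMIT = 3
  local sdb = getStringStatsDB("OneHourDB")

  -- Addresses in bulkRetrievers bypass every threshold below.
  if bulkRetrievers:match(lt.remote) then
    return 0, "", "bulkRetrievers match", {}
  end

  -- Distinct failed password hashes seen from this address in the window.
  if sdb:twGet(lt.remote, "diffFailedPasswords") > IP_FAIL_LIMIT then
    return -1, "", "too many different failed password attempts by IP", { attempts = IP_FAIL_LIMIT }
  end

  -- Same measure per address+login pair, with a much lower limit.
  local addrlogin = lt.remote:tostring() .. ":" .. lt.login
  if sdb:twGet(addrlogin, "diffFailedPasswords") > IP_LOGIN_FAIL_LIMIT then
    return 3, "", "too many different failed password attempts by IP/login", { attempts = IP_LOGIN_FAIL_LIMIT }
  end

  -- you *must* return with 4 arguments like this: <return value>, <message for client>, <log message>, <log key-values>
  return 0, "", "", { defaultReturn = 1 }
end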
-- Register allow() as the hook wforce consults before each login.
setAllow(allow)
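--- Reset hook: clears the OneHourDB counters for an address, a login, or
-- the address+login pair.
-- @param kind string saying what to reset; checked for the substrings "ip"
--   and "login" (renamed from `type` so the builtin type() is no longer
--   shadowed; callers pass positionally, so they are unaffected)
-- @param login login name
-- @param ip source address (has :tostring())
-- @return true always
function reset(kind, login, ip)
  local sdb = getStringStatsDB("OneHourDB")
  -- Plain (non-pattern) find; evaluated once rather than per branch.
  local by_ip = string_find(kind, "ip", 1, true) ~= nil
  local by_login = string_find(kind, "login", 1, true) ~= nil
  if by_ip then
    -- if you set a non-default prefix for IP addresses, then reset will not necessarily do what you expect
    -- for example if v4Prefix==24 and you reset an IP address it will reset the stats for all IPs in that range
    sdb:twReset(ip)
  end
  if by_login then
    -- we do not actually set any login-only keys
    sdb:twReset(login)
  end
  if by_ip and by_login then
    -- Same key shape twreport()/allow() use for the pair.
    sdb:twReset(ip:tostring() .. ":" .. login)
  end
  return true
end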
-- Register reset() as the hook wforce calls when stats are reset via the API.
setReset(reset)