From 4a600dabd5e2799bf0c3048859ee4f00808b7d89 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sat, 6 Feb 2021 08:29:41 -0500 Subject: [PATCH] [mod_auth] close HTTP/2 connection after bad pass mitigation slows down brute force password attacks x-ref: "Possible feature: authentication brute force hardening" https://redmine.lighttpd.net/boards/3/topics/8885 Signed-off-by: Glenn Strauss --- src/connections.c | 22 +++++++++++++++++++++- src/mod_accesslog.c | 2 +- src/mod_auth.c | 6 +++--- src/reqpool.c | 1 + src/request.h | 2 +- src/response.c | 4 ++-- 6 files changed, 29 insertions(+), 8 deletions(-) --- a/src/connections.c +++ b/src/connections.c @@ -228,7 +228,7 @@ static void connection_handle_response_e } } - if (r->keep_alive) { + if (r->keep_alive > 0) { request_reset(r); config_reset_config(r); con->is_readable = 1; /* potentially trigger optimistic read */ @@ -1265,6 +1265,19 @@ connection_set_fdevent_interest (request } +__attribute_cold__ +static void +connection_request_end_h2 (request_st * const h2r, connection * const con) +{ + if (h2r->keep_alive >= 0) { + h2r->keep_alive = -1; + h2_send_goaway(con, H2_E_NO_ERROR); + } + else /*(abort connection upon second request to close h2 connection)*/ + h2_send_goaway(con, H2_E_ENHANCE_YOUR_CALM); +} + + static void connection_state_machine_h2 (request_st * const h2r, connection * const con) { @@ -1359,8 +1372,15 @@ connection_state_machine_h2 (request_st && !chunkqueue_is_empty(con->read_queue)) resched |= 1; h2_send_end_stream(r, con); + const int alive = r->keep_alive; h2_retire_stream(r, con);/*r invalidated;removed from h2c->r[]*/ --i;/* adjust loop i; h2c->rused was modified to retire r */ + /*(special-case: allow *stream* to set r->keep_alive = -1 to + * trigger goaway on h2 connection, e.g. after mod_auth failure + * in attempt to mitigate brute force attacks by forcing a + * reconnect and (somewhat) slowing down retries)*/ + if (alive < 0) + connection_request_end_h2(h2r, con); } } } --- a/src/mod_accesslog.c +++ b/src/mod_accesslog.c @@ -1108,7 +1108,7 @@ static int log_access_record (const requ break; case FORMAT_CONNECTION_STATUS: if (r->state == CON_STATE_RESPONSE_END) { - if (0 == r->keep_alive) { + if (r->keep_alive <= 0) { buffer_append_string_len(b, CONST_STR_LEN("-")); } else { buffer_append_string_len(b, CONST_STR_LEN("+")); --- a/src/mod_auth.c +++ b/src/mod_auth.c @@ -828,7 +828,7 @@ static handler_t mod_auth_check_basic(re log_error(r->conf.errh, __FILE__, __LINE__, "password doesn't match for %s username: %s IP: %s", r->uri.path.ptr, username->ptr, r->con->dst_addr_buf->ptr); - r->keep_alive = 0; /*(disable keep-alive if bad password)*/ + r->keep_alive = -1; /*(disable keep-alive if bad password)*/ rc = HANDLER_UNSET; break; } @@ -1461,7 +1461,7 @@ static handler_t mod_auth_check_digest(r return HANDLER_FINISHED; case HANDLER_ERROR: default: - r->keep_alive = 0; /*(disable keep-alive if unknown user)*/ + r->keep_alive = -1; /*(disable keep-alive if unknown user)*/ buffer_free(b); return mod_auth_send_401_unauthorized_digest(r, require, 0); } @@ -1482,7 +1482,7 @@ static handler_t mod_auth_check_digest(r log_error(r->conf.errh, __FILE__, __LINE__, "digest: auth failed for %s: wrong password, IP: %s", username, r->con->dst_addr_buf->ptr); - r->keep_alive = 0; /*(disable keep-alive if bad password)*/ + r->keep_alive = -1; /*(disable keep-alive if bad password)*/ buffer_free(b); return mod_auth_send_401_unauthorized_digest(r, require, 0); --- a/src/reqpool.c +++ b/src/reqpool.c @@ -58,6 +58,7 @@ request_reset (request_st * const r) http_response_reset(r); r->loops_per_request = 0; + r->keep_alive = 0; r->h2state = 0; /* H2_STATE_IDLE */ r->h2id = 0; --- a/src/request.h +++ b/src/request.h @@ -175,7 +175,7 @@ struct request_st { char resp_header_repeated; char loops_per_request; /* catch endless loops in a single request */ - char keep_alive; /* only request.c can enable it, all other just disable */ + int8_t keep_alive; /* only request.c can enable it, all other just disable */ char async_callback; buffer *tmp_buf; /* shared; same as srv->tmp_buf */ --- a/src/response.c +++ b/src/response.c @@ -103,9 +103,9 @@ http_response_write_header (request_st * if (light_btst(r->resp_htags, HTTP_HEADER_UPGRADE) && r->http_version == HTTP_VERSION_1_1) { http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("upgrade")); - } else if (0 == r->keep_alive) { + } else if (r->keep_alive <= 0) { http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("close")); - } else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive != 0)*/ + } else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive > 0)*/ http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("keep-alive")); }