You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

143 lines
5.3 KiB

From 4a600dabd5e2799bf0c3048859ee4f00808b7d89 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sat, 6 Feb 2021 08:29:41 -0500
Subject: [PATCH] [mod_auth] close HTTP/2 connection after bad pass
mitigation slows down brute force password attacks
x-ref:
"Possible feature: authentication brute force hardening"
https://redmine.lighttpd.net/boards/3/topics/8885
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
src/connections.c | 22 +++++++++++++++++++++-
src/mod_accesslog.c | 2 +-
src/mod_auth.c | 6 +++---
src/reqpool.c | 1 +
src/request.h | 2 +-
src/response.c | 4 ++--
6 files changed, 29 insertions(+), 8 deletions(-)
--- a/src/connections.c
+++ b/src/connections.c
@@ -228,7 +228,7 @@ static void connection_handle_response_e
}
}
- if (r->keep_alive) {
+ if (r->keep_alive > 0) {
request_reset(r);
config_reset_config(r);
con->is_readable = 1; /* potentially trigger optimistic read */
@@ -1265,6 +1265,19 @@ connection_set_fdevent_interest (request
}
+__attribute_cold__
+static void
+connection_request_end_h2 (request_st * const h2r, connection * const con)
+{
+ if (h2r->keep_alive >= 0) {
+ h2r->keep_alive = -1;
+ h2_send_goaway(con, H2_E_NO_ERROR);
+ }
+ else /*(abort connection upon second request to close h2 connection)*/
+ h2_send_goaway(con, H2_E_ENHANCE_YOUR_CALM);
+}
+
+
static void
connection_state_machine_h2 (request_st * const h2r, connection * const con)
{
@@ -1359,8 +1372,15 @@ connection_state_machine_h2 (request_st
&& !chunkqueue_is_empty(con->read_queue))
resched |= 1;
h2_send_end_stream(r, con);
+ const int alive = r->keep_alive;
h2_retire_stream(r, con);/*r invalidated;removed from h2c->r[]*/
--i;/* adjust loop i; h2c->rused was modified to retire r */
+ /*(special-case: allow *stream* to set r->keep_alive = -1 to
+ * trigger goaway on h2 connection, e.g. after mod_auth failure
+ * in attempt to mitigate brute force attacks by forcing a
+ * reconnect and (somewhat) slowing down retries)*/
+ if (alive < 0)
+ connection_request_end_h2(h2r, con);
}
}
}
--- a/src/mod_accesslog.c
+++ b/src/mod_accesslog.c
@@ -1108,7 +1108,7 @@ static int log_access_record (const requ
break;
case FORMAT_CONNECTION_STATUS:
if (r->state == CON_STATE_RESPONSE_END) {
- if (0 == r->keep_alive) {
+ if (r->keep_alive <= 0) {
buffer_append_string_len(b, CONST_STR_LEN("-"));
} else {
buffer_append_string_len(b, CONST_STR_LEN("+"));
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -828,7 +828,7 @@ static handler_t mod_auth_check_basic(re
log_error(r->conf.errh, __FILE__, __LINE__,
"password doesn't match for %s username: %s IP: %s",
r->uri.path.ptr, username->ptr, r->con->dst_addr_buf->ptr);
- r->keep_alive = 0; /*(disable keep-alive if bad password)*/
+ r->keep_alive = -1; /*(disable keep-alive if bad password)*/
rc = HANDLER_UNSET;
break;
}
@@ -1461,7 +1461,7 @@ static handler_t mod_auth_check_digest(r
return HANDLER_FINISHED;
case HANDLER_ERROR:
default:
- r->keep_alive = 0; /*(disable keep-alive if unknown user)*/
+ r->keep_alive = -1; /*(disable keep-alive if unknown user)*/
buffer_free(b);
return mod_auth_send_401_unauthorized_digest(r, require, 0);
}
@@ -1482,7 +1482,7 @@ static handler_t mod_auth_check_digest(r
log_error(r->conf.errh, __FILE__, __LINE__,
"digest: auth failed for %s: wrong password, IP: %s",
username, r->con->dst_addr_buf->ptr);
- r->keep_alive = 0; /*(disable keep-alive if bad password)*/
+ r->keep_alive = -1; /*(disable keep-alive if bad password)*/
buffer_free(b);
return mod_auth_send_401_unauthorized_digest(r, require, 0);
--- a/src/reqpool.c
+++ b/src/reqpool.c
@@ -58,6 +58,7 @@ request_reset (request_st * const r)
http_response_reset(r);
r->loops_per_request = 0;
+ r->keep_alive = 0;
r->h2state = 0; /* H2_STATE_IDLE */
r->h2id = 0;
--- a/src/request.h
+++ b/src/request.h
@@ -175,7 +175,7 @@ struct request_st {
char resp_header_repeated;
char loops_per_request; /* catch endless loops in a single request */
- char keep_alive; /* only request.c can enable it, all other just disable */
+ int8_t keep_alive; /* only request.c can enable it, all other just disable */
char async_callback;
buffer *tmp_buf; /* shared; same as srv->tmp_buf */
--- a/src/response.c
+++ b/src/response.c
@@ -103,9 +103,9 @@ http_response_write_header (request_st *
if (light_btst(r->resp_htags, HTTP_HEADER_UPGRADE)
&& r->http_version == HTTP_VERSION_1_1) {
http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("upgrade"));
- } else if (0 == r->keep_alive) {
+ } else if (r->keep_alive <= 0) {
http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("close"));
- } else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive != 0)*/
+ } else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive > 0)*/
http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("keep-alive"));
}