ocserv: updated to 0.10.2
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 8 Apr 2015 18:50:37 +0000 (20:50 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 8 Apr 2015 18:56:40 +0000 (20:56 +0200)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
net/ocserv/Makefile
net/ocserv/files/ocserv.conf.template
net/ocserv/files/ocserv.init
net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch [new file with mode: 0644]
net/ocserv/patches/002-reject-bad-commands-from-main.patch [new file with mode: 0644]

index b38e9b452a04cfc8fe2e68a341ce191bf0f69a1a..050fdc74d07d33c53e3e05328d1ee8fe3d2ca2b1 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ocserv
-PKG_VERSION:=0.9.2
-PKG_RELEASE:=2
+PKG_VERSION:=0.10.2
+PKG_RELEASE:=1
 
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=9697c37cc81b30be2b178258ee595d97
+PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/ocserv/
+PKG_MD5SUM:=32ce2c2a00a97ab7c27e571aae207b2d
 
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=COPYING
index 1694fd782a76941dfcf13367e177d0a4ee0c7ffa..b5bbec31ed276047af0871d833af2aa1903b5f5a 100644 (file)
@@ -35,7 +35,7 @@ max-clients = |MAX_CLIENTS|
 
 # Limit the number of client connections to one every X milliseconds 
 # (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
+rate-limit-ms = 100
 
 # Limit the number of identical clients (i.e., users connecting 
 # multiple times). Unset or set to zero for unlimited.
@@ -142,6 +142,27 @@ auth-timeout = 40
 # a failed authentication attempt.
 min-reauth-time = 360
 
+# Banning clients in ocserv works with a point system. IP addresses
+# that get a score over that configured number are banned for
+# min-reauth-time seconds. By default a wrong password attempt is 10 points,
+# a KKDCP POST is 1 point, and a connection is 1 point. Note that
+# due to difference processes being involved the count of points
+# will not be real-time precise.
+#
+# Score banning cannot be reliably used when receiving proxied connections
+# locally from an HTTP server (i.e., when listen-clear-file is used).
+#
+# Set to zero to disable.
+max-ban-score = 50
+
+# The time (in seconds) that all score kept for a client is reset.
+ban-reset-time = 300
+
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
+
 # Cookie timeout (in seconds)
 # which he can reconnect. That cookie will be invalided if not
 # used within this timeout value. On a user disconnection, that
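Review bot: The second hunk enables score banning with `max-ban-score = 50` while the first hunk uncomments `rate-limit-ms = 100`, and the template does not say what that means for many users sharing one source address: the new comment describes points kept per IP address with a connection worth 1 point, so clients behind a shared NAT address appear to pool their points and can get that address banned for `min-reauth-time` seconds within a single `ban-reset-time` window. A line after the score description such as `# Points are counted per source IP, so clients behind a shared NAT address accumulate points together.` would let operators pick the value knowingly. The `ban-reset-time` comment also reads awkwardly; `# The time (in seconds) after which all score kept for a client is reset.` is clearer.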
index aee342d685fd39d22f3df84d459e97c8b3667634..fe0718b3b88f9de94ce42788d3b90272fc0c1a90 100644 (file)
@@ -34,7 +34,7 @@ setup_config() {
        ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
        ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
 
-       test $auth = "plain" && authsuffix="\[/var/etc/ocpasswd\]"
+       test $auth = "plain" && authsuffix="\[passwd=/var/etc/ocpasswd\]"
 
        dyndns="false"
        hostname=`uci show ddns|grep domain|head -1|cut -d '=' -f 2 2>/dev/null`
diff --git a/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch b/net/ocserv/patches/001-sec-mod-do-not-impose-timeouts-on-reads-from-main.patch
new file mode 100644 (file)
index 0000000..0d3d221
--- /dev/null
@@ -0,0 +1,104 @@
+From 0967f05f8d7665a67f3cb0fbed46c48dc7ec74cb Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 31 Mar 2015 10:13:08 +0200
+Subject: [PATCH] sec-mod: do not impose timeouts on reads from main
+
+---
+ src/sec-mod.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 53 insertions(+), 7 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index b824e87..5a0763d 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -404,7 +404,56 @@ static void check_other_work(sec_mod_st *sec)
+ }
+ static
+-int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, unsigned buffer_size)
++int serve_request_main(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
++{
++      int ret, e;
++      unsigned cmd, length;
++      uint16_t l16;
++      void *pool = buffer;
++
++      /* read request */
++      ret = force_read(cfd, buffer, 3);
++      if (ret == 0)
++              goto leave;
++      else if (ret < 3) {
++              e = errno;
++              seclog(sec, LOG_INFO, "error receiving msg head: %s",
++                     strerror(e));
++              ret = ERR_BAD_COMMAND;
++              goto leave;
++      }
++
++      cmd = buffer[0];
++      memcpy(&l16, &buffer[1], 2);
++      length = l16;
++
++      if (length > buffer_size - 4) {
++              seclog(sec, LOG_INFO, "too big message (%d)", length);
++              ret = ERR_BAD_COMMAND;
++              goto leave;
++      }
++
++      /* read the body */
++      ret = force_read(cfd, buffer, length);
++      if (ret < 0) {
++              e = errno;
++              seclog(sec, LOG_INFO, "error receiving msg body: %s",
++                     strerror(e));
++              ret = ERR_BAD_COMMAND;
++              goto leave;
++      }
++
++      ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
++      if (ret < 0) {
++              seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
++      }
++      
++ leave:
++      return ret;
++}
++
++static
++int serve_request(sec_mod_st *sec, int cfd, uint8_t *buffer, unsigned buffer_size)
+ {
+       int ret, e;
+       unsigned cmd, length;
+@@ -443,10 +492,7 @@ int serve_request(sec_mod_st *sec, int cfd, unsigned is_main, uint8_t *buffer, u
+               goto leave;
+       }
+-      if (is_main)
+-              ret = process_packet_from_main(pool, cfd, sec, cmd, buffer, ret);
+-      else
+-              ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
++      ret = process_packet(pool, cfd, sec, cmd, buffer, ret);
+       if (ret < 0) {
+               seclog(sec, LOG_INFO, "error processing data for '%s' command (%d)", cmd_request_to_str(cmd), ret);
+       }
+@@ -677,7 +723,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+                       if (buffer == NULL) {
+                               seclog(sec, LOG_ERR, "error in memory allocation");
+                       } else {
+-                              ret = serve_request(sec, cmd_fd, 1, buffer, buffer_size);
++                              ret = serve_request_main(sec, cmd_fd, buffer, buffer_size);
+                               if (ret < 0 && ret == ERR_BAD_COMMAND) {
+                                       seclog(sec, LOG_ERR, "error processing command from main");
+                                       exit(1);
+@@ -710,7 +756,7 @@ void sec_mod_server(void *main_pool, struct perm_cfg_st *perm_config, const char
+                               if (buffer == NULL) {
+                                       seclog(sec, LOG_ERR, "error in memory allocation");
+                               } else {
+-                                      serve_request(sec, cfd, 0, buffer, buffer_size);
++                                      serve_request(sec, cfd, buffer, buffer_size);
+                                       talloc_free(buffer);
+                               }
+                       }
+-- 
+2.1.4
+
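Review bot: In `serve_request_main` the body read `ret = force_read(cfd, buffer, length);` is only checked for `ret < 0`, whereas the header read a few lines above treats a short count (`ret < 3`) as `ERR_BAD_COMMAND`; if force_read can return fewer bytes than requested, as that header check implies, a truncated body is handed to process_packet_from_main with the short count as its size. `if (ret < 0 || (unsigned)ret < length) {` would make the two checks consistent. The `"too big message (%d)"` log also prints the unsigned `length` with `%d`; `%u` matches the type. force_read and the body of the old serve_request are outside this patch, so the short-read behaviour is inferred from the header check rather than confirmed.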
diff --git a/net/ocserv/patches/002-reject-bad-commands-from-main.patch b/net/ocserv/patches/002-reject-bad-commands-from-main.patch
new file mode 100644 (file)
index 0000000..b3e72d3
--- /dev/null
@@ -0,0 +1,34 @@
+From 99dd4a6e03b669a5b5fe234fa665b75bbd95c593 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Tue, 7 Apr 2015 17:13:29 +0200
+Subject: [PATCH] reject bad commands from main
+
+---
+ src/sec-mod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sec-mod.c b/src/sec-mod.c
+index 5a0763d..7783264 100644
+--- a/src/sec-mod.c
++++ b/src/sec-mod.c
+@@ -325,7 +325,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+                                            data.data);
+               if (msg == NULL) {
+                       seclog(sec, LOG_INFO, "error unpacking auth ban ip reply\n");
+-                      return -1;
++                      return ERR_BAD_COMMAND;
+               }
+               handle_sec_auth_ban_ip_reply(cfd, sec, msg);
+@@ -342,7 +342,7 @@ int process_packet_from_main(void *pool, int cfd, sec_mod_st * sec, cmd_request_
+                                                     data.data);
+                       if (msg == NULL) {
+                               seclog(sec, LOG_INFO, "error unpacking session close\n");
+-                              return -1;
++                              return ERR_BAD_COMMAND;
+                       }
+                       ret = handle_sec_auth_session_cmd(cfd, sec, msg, cmd);
+-- 
+2.1.4
+
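Review bot: The two returns changed to `ERR_BAD_COMMAND` now reach the `ret == ERR_BAD_COMMAND` branch in sec_mod_server (shown in the 001 patch), so an undecodable ban-ip reply or session-close message from main terminates sec-mod with exit(1) instead of being skipped, and neither site records why that escalation is wanted. A short comment at the first site, e.g. `/* an undecodable message from main is a protocol error rather than a transient failure; sec_mod_server exits on ERR_BAD_COMMAND */`, would capture the intent for the next reader, presumably that continuing after a desynchronised command stream is worse than restarting. process_packet_from_main begins and ends outside both hunks.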