2024-01-01 10:31:45 +00:00
|
|
|
// Copyright (C) 2019 Nicola Murino
|
2022-07-17 18:16:00 +00:00
|
|
|
//
|
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
|
// it under the terms of the GNU Affero General Public License as published
|
|
|
|
|
// by the Free Software Foundation, version 3.
|
|
|
|
|
//
|
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
|
//
|
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
2023-01-03 09:18:30 +00:00
|
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
2022-07-17 18:16:00 +00:00
|
|
|
|
2021-01-02 13:05:09 +00:00
|
|
|
package common
|
|
|
|
|
|
|
|
|
|
import (
|
2021-06-07 19:52:43 +00:00
|
|
|
"encoding/hex"
|
2021-01-02 13:05:09 +00:00
|
|
|
"fmt"
|
|
|
|
|
"net"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
"github.com/yl2chen/cidranger"
|
2023-02-09 08:33:33 +00:00
|
|
|
|
|
|
|
|
"github.com/drakkan/sftpgo/v2/internal/dataprovider"
|
2021-01-02 13:05:09 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestBasicDefender(t *testing.T) {
|
2023-02-09 08:33:33 +00:00
|
|
|
entries := []dataprovider.IPListEntry{
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "172.16.1.1/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeDeny,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "172.16.1.2/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeDeny,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "10.8.0.0/24",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeDeny,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "192.168.1.1/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeDeny,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "192.168.1.2/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeDeny,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "10.8.9.0/24",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeDeny,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "172.16.1.3/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeAllow,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "172.16.1.4/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeAllow,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "192.168.8.0/24",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeAllow,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "192.168.1.3/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeAllow,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "192.168.1.4/32",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeAllow,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
IPOrNet: "192.168.9.0/24",
|
|
|
|
|
Type: dataprovider.IPListTypeDefender,
|
|
|
|
|
Mode: dataprovider.ListModeAllow,
|
|
|
|
|
},
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
|
2023-02-09 08:33:33 +00:00
|
|
|
for idx := range entries {
|
|
|
|
|
e := entries[idx]
|
|
|
|
|
err := dataprovider.AddIPListEntry(&e, "", "", "")
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
}
|
2021-01-02 13:05:09 +00:00
|
|
|
|
|
|
|
|
config := &DefenderConfig{
|
2021-05-08 17:45:21 +00:00
|
|
|
Enabled: true,
|
|
|
|
|
BanTime: 10,
|
|
|
|
|
BanTimeIncrement: 2,
|
|
|
|
|
Threshold: 5,
|
|
|
|
|
ScoreInvalid: 2,
|
|
|
|
|
ScoreValid: 1,
|
2023-01-25 17:49:03 +00:00
|
|
|
ScoreNoAuth: 2,
|
2021-05-08 17:45:21 +00:00
|
|
|
ScoreLimitExceeded: 3,
|
|
|
|
|
ObservationTime: 15,
|
|
|
|
|
EntriesSoftLimit: 1,
|
|
|
|
|
EntriesHardLimit: 2,
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d, err := newInMemoryDefender(config)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
defender := d.(*memoryDefender)
|
2023-02-09 08:33:33 +00:00
|
|
|
assert.True(t, defender.IsBanned("172.16.1.1", ProtocolSSH))
|
|
|
|
|
assert.True(t, defender.IsBanned("192.168.1.1", ProtocolFTP))
|
|
|
|
|
assert.False(t, defender.IsBanned("172.16.1.10", ProtocolSSH))
|
|
|
|
|
assert.False(t, defender.IsBanned("192.168.1.10", ProtocolSSH))
|
|
|
|
|
assert.False(t, defender.IsBanned("10.8.2.3", ProtocolSSH))
|
|
|
|
|
assert.False(t, defender.IsBanned("10.9.2.3", ProtocolSSH))
|
|
|
|
|
assert.True(t, defender.IsBanned("10.8.0.3", ProtocolSSH))
|
|
|
|
|
assert.True(t, defender.IsBanned("10.8.9.3", ProtocolSSH))
|
|
|
|
|
assert.False(t, defender.IsBanned("invalid ip", ProtocolSSH))
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 0, defender.countBanned())
|
|
|
|
|
assert.Equal(t, 0, defender.countHosts())
|
2021-12-25 11:08:07 +00:00
|
|
|
hosts, err := defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Len(t, hosts, 0)
|
2021-06-07 19:52:43 +00:00
|
|
|
_, err = defender.GetHost("10.8.0.4")
|
|
|
|
|
assert.Error(t, err)
|
2021-01-02 13:05:09 +00:00
|
|
|
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent("172.16.1.4", ProtocolSSH, HostEventLoginFailed)
|
|
|
|
|
defender.AddEvent("192.168.1.4", ProtocolSSH, HostEventLoginFailed)
|
|
|
|
|
defender.AddEvent("192.168.8.4", ProtocolSSH, HostEventUserNotFound)
|
|
|
|
|
defender.AddEvent("172.16.1.3", ProtocolSSH, HostEventLimitExceeded)
|
|
|
|
|
defender.AddEvent("192.168.1.3", ProtocolSSH, HostEventLimitExceeded)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 0, defender.countHosts())
|
|
|
|
|
|
|
|
|
|
testIP := "12.34.56.78"
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP, ProtocolSSH, HostEventLoginFailed)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 1, defender.countHosts())
|
|
|
|
|
assert.Equal(t, 0, defender.countBanned())
|
2021-12-25 11:08:07 +00:00
|
|
|
score, err := defender.GetScore(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 1, score)
|
|
|
|
|
hosts, err = defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
if assert.Len(t, hosts, 1) {
|
|
|
|
|
assert.Equal(t, 1, hosts[0].Score)
|
|
|
|
|
assert.True(t, hosts[0].BanTime.IsZero())
|
|
|
|
|
assert.Empty(t, hosts[0].GetBanTime())
|
2021-06-07 19:52:43 +00:00
|
|
|
}
|
|
|
|
|
host, err := defender.GetHost(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 1, host.Score)
|
|
|
|
|
assert.Empty(t, host.GetBanTime())
|
2021-12-25 11:08:07 +00:00
|
|
|
banTime, err := defender.GetBanTime(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Nil(t, banTime)
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP, ProtocolSSH, HostEventLimitExceeded)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 1, defender.countHosts())
|
|
|
|
|
assert.Equal(t, 0, defender.countBanned())
|
2021-12-25 11:08:07 +00:00
|
|
|
score, err = defender.GetScore(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 4, score)
|
|
|
|
|
hosts, err = defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
if assert.Len(t, hosts, 1) {
|
|
|
|
|
assert.Equal(t, 4, hosts[0].Score)
|
|
|
|
|
assert.True(t, hosts[0].BanTime.IsZero())
|
|
|
|
|
assert.Empty(t, hosts[0].GetBanTime())
|
2021-06-07 19:52:43 +00:00
|
|
|
}
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP, ProtocolSSH, HostEventUserNotFound)
|
|
|
|
|
defender.AddEvent(testIP, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 0, defender.countHosts())
|
|
|
|
|
assert.Equal(t, 1, defender.countBanned())
|
2021-12-25 11:08:07 +00:00
|
|
|
score, err = defender.GetScore(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 0, score)
|
|
|
|
|
banTime, err = defender.GetBanTime(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, banTime)
|
|
|
|
|
hosts, err = defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
if assert.Len(t, hosts, 1) {
|
|
|
|
|
assert.Equal(t, 0, hosts[0].Score)
|
|
|
|
|
assert.False(t, hosts[0].BanTime.IsZero())
|
|
|
|
|
assert.NotEmpty(t, hosts[0].GetBanTime())
|
|
|
|
|
assert.Equal(t, hex.EncodeToString([]byte(testIP)), hosts[0].GetID())
|
2021-06-07 19:52:43 +00:00
|
|
|
}
|
|
|
|
|
host, err = defender.GetHost(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 0, host.Score)
|
|
|
|
|
assert.NotEmpty(t, host.GetBanTime())
|
2021-01-02 13:05:09 +00:00
|
|
|
|
|
|
|
|
// now test cleanup, testIP is already banned
|
|
|
|
|
testIP1 := "12.34.56.79"
|
|
|
|
|
testIP2 := "12.34.56.80"
|
|
|
|
|
testIP3 := "12.34.56.81"
|
|
|
|
|
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP1, ProtocolSSH, HostEventNoLoginTried)
|
|
|
|
|
defender.AddEvent(testIP2, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 2, defender.countHosts())
|
|
|
|
|
time.Sleep(20 * time.Millisecond)
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, defender.config.EntriesSoftLimit, defender.countHosts())
|
|
|
|
|
// testIP1 and testIP2 should be removed
|
|
|
|
|
assert.Equal(t, defender.config.EntriesSoftLimit, defender.countHosts())
|
2021-12-25 11:08:07 +00:00
|
|
|
score, err = defender.GetScore(testIP1)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 0, score)
|
|
|
|
|
score, err = defender.GetScore(testIP2)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 0, score)
|
|
|
|
|
score, err = defender.GetScore(testIP3)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 2, score)
|
2021-01-02 13:05:09 +00:00
|
|
|
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)
|
|
|
|
|
defender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
// IP3 is now banned
|
2021-12-25 11:08:07 +00:00
|
|
|
banTime, err = defender.GetBanTime(testIP3)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, banTime)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.Equal(t, 0, defender.countHosts())
|
|
|
|
|
|
|
|
|
|
time.Sleep(20 * time.Millisecond)
|
|
|
|
|
for i := 0; i < 3; i++ {
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP1, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
assert.Equal(t, 0, defender.countHosts())
|
|
|
|
|
assert.Equal(t, config.EntriesSoftLimit, defender.countBanned())
|
2021-12-25 11:08:07 +00:00
|
|
|
banTime, err = defender.GetBanTime(testIP)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Nil(t, banTime)
|
|
|
|
|
banTime, err = defender.GetBanTime(testIP3)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Nil(t, banTime)
|
|
|
|
|
banTime, err = defender.GetBanTime(testIP1)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.NotNil(t, banTime)
|
2021-01-02 13:05:09 +00:00
|
|
|
|
|
|
|
|
for i := 0; i < 3; i++ {
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
time.Sleep(10 * time.Millisecond)
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP3, ProtocolSSH, HostEventNoLoginTried)
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
assert.Equal(t, 0, defender.countHosts())
|
|
|
|
|
assert.Equal(t, defender.config.EntriesSoftLimit, defender.countBanned())
|
|
|
|
|
|
2021-12-25 11:08:07 +00:00
|
|
|
banTime, err = defender.GetBanTime(testIP3)
|
|
|
|
|
assert.NoError(t, err)
|
2021-01-02 13:05:09 +00:00
|
|
|
if assert.NotNil(t, banTime) {
|
2023-02-09 08:33:33 +00:00
|
|
|
assert.True(t, defender.IsBanned(testIP3, ProtocolFTP))
|
2021-01-02 13:05:09 +00:00
|
|
|
// ban time should increase
|
2021-12-25 11:08:07 +00:00
|
|
|
newBanTime, err := defender.GetBanTime(testIP3)
|
|
|
|
|
assert.NoError(t, err)
|
2021-01-02 13:05:09 +00:00
|
|
|
assert.True(t, newBanTime.After(*banTime))
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-07 19:52:43 +00:00
|
|
|
assert.True(t, defender.DeleteHost(testIP3))
|
|
|
|
|
assert.False(t, defender.DeleteHost(testIP3))
|
2021-01-02 18:33:24 +00:00
|
|
|
|
2023-02-09 08:33:33 +00:00
|
|
|
for _, e := range entries {
|
|
|
|
|
err := dataprovider.DeleteIPListEntry(e.IPOrNet, e.Type, "", "", "")
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
}
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
|
2021-06-19 09:02:46 +00:00
|
|
|
func TestExpiredHostBans(t *testing.T) {
|
|
|
|
|
config := &DefenderConfig{
|
|
|
|
|
Enabled: true,
|
|
|
|
|
BanTime: 10,
|
|
|
|
|
BanTimeIncrement: 2,
|
|
|
|
|
Threshold: 5,
|
|
|
|
|
ScoreInvalid: 2,
|
|
|
|
|
ScoreValid: 1,
|
|
|
|
|
ScoreLimitExceeded: 3,
|
|
|
|
|
ObservationTime: 15,
|
|
|
|
|
EntriesSoftLimit: 1,
|
|
|
|
|
EntriesHardLimit: 2,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d, err := newInMemoryDefender(config)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
defender := d.(*memoryDefender)
|
|
|
|
|
|
|
|
|
|
testIP := "1.2.3.4"
|
|
|
|
|
defender.banned[testIP] = time.Now().Add(-24 * time.Hour)
|
|
|
|
|
|
|
|
|
|
// the ban is expired testIP should not be listed
|
2021-12-25 11:08:07 +00:00
|
|
|
res, err := defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
2021-06-19 09:02:46 +00:00
|
|
|
assert.Len(t, res, 0)
|
|
|
|
|
|
2023-02-09 08:33:33 +00:00
|
|
|
assert.False(t, defender.IsBanned(testIP, ProtocolFTP))
|
2021-06-20 19:57:19 +00:00
|
|
|
_, err = defender.GetHost(testIP)
|
|
|
|
|
assert.Error(t, err)
|
|
|
|
|
_, ok := defender.banned[testIP]
|
|
|
|
|
assert.True(t, ok)
|
2021-06-19 09:02:46 +00:00
|
|
|
// now add an event for an expired banned ip, it should be removed
|
2023-02-09 08:33:33 +00:00
|
|
|
defender.AddEvent(testIP, ProtocolFTP, HostEventLoginFailed)
|
|
|
|
|
assert.False(t, defender.IsBanned(testIP, ProtocolFTP))
|
2021-06-20 19:57:19 +00:00
|
|
|
entry, err := defender.GetHost(testIP)
|
2021-06-19 09:02:46 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, testIP, entry.IP)
|
|
|
|
|
assert.Empty(t, entry.GetBanTime())
|
|
|
|
|
assert.Equal(t, 1, entry.Score)
|
|
|
|
|
|
2021-12-25 11:08:07 +00:00
|
|
|
res, err = defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
2021-06-19 09:02:46 +00:00
|
|
|
if assert.Len(t, res, 1) {
|
|
|
|
|
assert.Equal(t, testIP, res[0].IP)
|
|
|
|
|
assert.Empty(t, res[0].GetBanTime())
|
|
|
|
|
assert.Equal(t, 1, res[0].Score)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
events := []hostEvent{
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-24 * time.Hour),
|
|
|
|
|
score: 2,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-24 * time.Hour),
|
|
|
|
|
score: 3,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hs := hostScore{
|
|
|
|
|
Events: events,
|
|
|
|
|
TotalScore: 5,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defender.hosts[testIP] = hs
|
|
|
|
|
// the recorded scored are too old
|
2021-12-25 11:08:07 +00:00
|
|
|
res, err = defender.GetHosts()
|
|
|
|
|
assert.NoError(t, err)
|
2021-06-19 09:02:46 +00:00
|
|
|
assert.Len(t, res, 0)
|
2021-06-19 16:51:33 +00:00
|
|
|
_, err = defender.GetHost(testIP)
|
|
|
|
|
assert.Error(t, err)
|
2021-06-20 19:57:19 +00:00
|
|
|
_, ok = defender.hosts[testIP]
|
2021-06-19 16:51:33 +00:00
|
|
|
assert.True(t, ok)
|
2021-06-19 09:02:46 +00:00
|
|
|
}
|
|
|
|
|
|
2021-01-02 13:05:09 +00:00
|
|
|
func TestDefenderCleanup(t *testing.T) {
|
|
|
|
|
d := memoryDefender{
|
2021-12-25 11:08:07 +00:00
|
|
|
baseDefender: baseDefender{
|
|
|
|
|
config: &DefenderConfig{
|
|
|
|
|
ObservationTime: 1,
|
|
|
|
|
EntriesSoftLimit: 2,
|
|
|
|
|
EntriesHardLimit: 3,
|
|
|
|
|
},
|
|
|
|
|
},
|
2021-01-02 13:05:09 +00:00
|
|
|
banned: make(map[string]time.Time),
|
|
|
|
|
hosts: make(map[string]hostScore),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.banned["1.1.1.1"] = time.Now().Add(-24 * time.Hour)
|
|
|
|
|
d.banned["1.1.1.2"] = time.Now().Add(-24 * time.Hour)
|
|
|
|
|
d.banned["1.1.1.3"] = time.Now().Add(-24 * time.Hour)
|
|
|
|
|
d.banned["1.1.1.4"] = time.Now().Add(-24 * time.Hour)
|
|
|
|
|
|
|
|
|
|
d.cleanupBanned()
|
|
|
|
|
assert.Equal(t, 0, d.countBanned())
|
|
|
|
|
|
|
|
|
|
d.banned["2.2.2.2"] = time.Now().Add(2 * time.Minute)
|
|
|
|
|
d.banned["2.2.2.3"] = time.Now().Add(1 * time.Minute)
|
|
|
|
|
d.banned["2.2.2.4"] = time.Now().Add(3 * time.Minute)
|
|
|
|
|
d.banned["2.2.2.5"] = time.Now().Add(4 * time.Minute)
|
|
|
|
|
|
|
|
|
|
d.cleanupBanned()
|
|
|
|
|
assert.Equal(t, d.config.EntriesSoftLimit, d.countBanned())
|
2021-12-25 11:08:07 +00:00
|
|
|
banTime, err := d.GetBanTime("2.2.2.3")
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Nil(t, banTime)
|
2021-01-02 13:05:09 +00:00
|
|
|
|
|
|
|
|
d.hosts["3.3.3.3"] = hostScore{
|
|
|
|
|
TotalScore: 0,
|
|
|
|
|
Events: []hostEvent{
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-5 * time.Minute),
|
|
|
|
|
score: 1,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-3 * time.Minute),
|
|
|
|
|
score: 1,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now(),
|
|
|
|
|
score: 1,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
d.hosts["3.3.3.4"] = hostScore{
|
|
|
|
|
TotalScore: 1,
|
|
|
|
|
Events: []hostEvent{
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-3 * time.Minute),
|
|
|
|
|
score: 1,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
d.hosts["3.3.3.5"] = hostScore{
|
|
|
|
|
TotalScore: 1,
|
|
|
|
|
Events: []hostEvent{
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-2 * time.Minute),
|
|
|
|
|
score: 1,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
d.hosts["3.3.3.6"] = hostScore{
|
|
|
|
|
TotalScore: 1,
|
|
|
|
|
Events: []hostEvent{
|
|
|
|
|
{
|
|
|
|
|
dateTime: time.Now().Add(-1 * time.Minute),
|
|
|
|
|
score: 1,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-25 11:08:07 +00:00
|
|
|
score, err := d.GetScore("3.3.3.3")
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 1, score)
|
2021-01-02 13:05:09 +00:00
|
|
|
|
|
|
|
|
d.cleanupHosts()
|
|
|
|
|
assert.Equal(t, d.config.EntriesSoftLimit, d.countHosts())
|
2021-12-25 11:08:07 +00:00
|
|
|
score, err = d.GetScore("3.3.3.4")
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 0, score)
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestDefenderConfig(t *testing.T) {
|
|
|
|
|
c := DefenderConfig{}
|
|
|
|
|
err := c.validate()
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
c.Enabled = true
|
|
|
|
|
c.Threshold = 10
|
|
|
|
|
c.ScoreInvalid = 10
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.ScoreInvalid = 2
|
2021-05-08 17:45:21 +00:00
|
|
|
c.ScoreLimitExceeded = 10
|
2021-04-18 10:31:06 +00:00
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
2021-05-08 17:45:21 +00:00
|
|
|
c.ScoreLimitExceeded = 2
|
2021-01-02 13:05:09 +00:00
|
|
|
c.ScoreValid = 10
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.ScoreValid = 1
|
2023-01-25 17:49:03 +00:00
|
|
|
c.ScoreNoAuth = 10
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.ScoreNoAuth = 2
|
2021-01-02 13:05:09 +00:00
|
|
|
c.BanTime = 0
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.BanTime = 30
|
|
|
|
|
c.BanTimeIncrement = 0
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.BanTimeIncrement = 50
|
|
|
|
|
c.ObservationTime = 0
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.ObservationTime = 30
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.EntriesSoftLimit = 10
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.EntriesHardLimit = 10
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
|
|
c.EntriesHardLimit = 20
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.NoError(t, err)
|
2023-01-25 17:49:03 +00:00
|
|
|
|
|
|
|
|
c = DefenderConfig{
|
|
|
|
|
Enabled: true,
|
|
|
|
|
ScoreInvalid: -1,
|
|
|
|
|
ScoreLimitExceeded: -1,
|
|
|
|
|
ScoreNoAuth: -1,
|
|
|
|
|
ScoreValid: -1,
|
|
|
|
|
}
|
|
|
|
|
err = c.validate()
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
assert.Equal(t, 0, c.ScoreInvalid)
|
|
|
|
|
assert.Equal(t, 0, c.ScoreValid)
|
|
|
|
|
assert.Equal(t, 0, c.ScoreLimitExceeded)
|
|
|
|
|
assert.Equal(t, 0, c.ScoreNoAuth)
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkDefenderBannedSearch(b *testing.B) {
|
|
|
|
|
d := getDefenderForBench()
|
|
|
|
|
|
|
|
|
|
ip, ipnet, err := net.ParseCIDR("10.8.0.0/12") // 1048574 ip addresses
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); inc(ip) {
|
|
|
|
|
d.banned[ip.String()] = time.Now().Add(10 * time.Minute)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
|
|
|
|
|
for i := 0; i < b.N; i++ {
|
2023-02-09 08:33:33 +00:00
|
|
|
d.IsBanned("192.168.1.1", ProtocolSSH)
|
2021-01-02 13:05:09 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkCleanup(b *testing.B) {
|
|
|
|
|
d := getDefenderForBench()
|
|
|
|
|
|
|
|
|
|
ip, ipnet, err := net.ParseCIDR("192.168.4.0/24")
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
|
|
|
|
|
for i := 0; i < b.N; i++ {
|
|
|
|
|
for ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); inc(ip) {
|
2023-02-09 08:33:33 +00:00
|
|
|
d.AddEvent(ip.String(), ProtocolSSH, HostEventLoginFailed)
|
2021-01-02 13:05:09 +00:00
|
|
|
if d.countHosts() > d.config.EntriesHardLimit {
|
|
|
|
|
panic("too many hosts")
|
|
|
|
|
}
|
|
|
|
|
if d.countBanned() > d.config.EntriesSoftLimit {
|
|
|
|
|
panic("too many ip banned")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkCIDRanger(b *testing.B) {
|
|
|
|
|
ranger := cidranger.NewPCTrieRanger()
|
|
|
|
|
for i := 0; i < 255; i++ {
|
2023-02-09 08:33:33 +00:00
|
|
|
cidr := fmt.Sprintf("192.168.%d.1/24", i)
|
2021-01-02 13:05:09 +00:00
|
|
|
_, network, _ := net.ParseCIDR(cidr)
|
|
|
|
|
if err := ranger.Insert(cidranger.NewBasicRangerEntry(*network)); err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ipToMatch := net.ParseIP("192.167.1.2")
|
|
|
|
|
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
for i := 0; i < b.N; i++ {
|
|
|
|
|
if _, err := ranger.Contains(ipToMatch); err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkNetContains(b *testing.B) {
|
|
|
|
|
var nets []*net.IPNet
|
|
|
|
|
for i := 0; i < 255; i++ {
|
2023-02-09 08:33:33 +00:00
|
|
|
cidr := fmt.Sprintf("192.168.%d.1/24", i)
|
2021-01-02 13:05:09 +00:00
|
|
|
_, network, _ := net.ParseCIDR(cidr)
|
|
|
|
|
nets = append(nets, network)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ipToMatch := net.ParseIP("192.167.1.1")
|
|
|
|
|
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
for i := 0; i < b.N; i++ {
|
|
|
|
|
for _, n := range nets {
|
|
|
|
|
n.Contains(ipToMatch)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getDefenderForBench() *memoryDefender {
|
|
|
|
|
config := &DefenderConfig{
|
|
|
|
|
Enabled: true,
|
|
|
|
|
BanTime: 30,
|
|
|
|
|
BanTimeIncrement: 50,
|
|
|
|
|
Threshold: 10,
|
|
|
|
|
ScoreInvalid: 2,
|
|
|
|
|
ScoreValid: 2,
|
|
|
|
|
ObservationTime: 30,
|
|
|
|
|
EntriesSoftLimit: 50,
|
|
|
|
|
EntriesHardLimit: 100,
|
|
|
|
|
}
|
|
|
|
|
return &memoryDefender{
|
2021-12-25 11:08:07 +00:00
|
|
|
baseDefender: baseDefender{
|
|
|
|
|
config: config,
|
|
|
|
|
},
|
2021-01-02 13:05:09 +00:00
|
|
|
hosts: make(map[string]hostScore),
|
|
|
|
|
banned: make(map[string]time.Time),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func inc(ip net.IP) {
|
|
|
|
|
for j := len(ip) - 1; j >= 0; j-- {
|
|
|
|
|
ip[j]++
|
|
|
|
|
if ip[j] > 0 {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
