File: wforce.conf

-- Old way to configure the webserver (doesn't handle HTTPS or multiple listeners)
-- webserver("0.0.0.0:8084", "--WEBPWD")
-- New way to configure the webserver
--          IP addr:port    Use SSL? Certificate File Private Key TLS Options - see https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html
-- NOTE(review): "Use SSL?" is false and the address is 0.0.0.0, so this listener is
-- plaintext HTTP on every interface and the password set below crosses the wire in
-- the clear. Bind to a specific address, or pass true plus a certificate/key pair,
-- and keep the addACL() entries further down as narrow as possible.
addListener("0.0.0.0:8084", false,    "",             "",         {})
-- "--WEBPWD" looks like a placeholder substituted at install time — confirm it is
-- replaced by a real secret before this configuration is deployed
setWebserverPassword("--WEBPWD")

--SETKEY
-- NOTE(review): "--SETKEY" looks like a marker where a key-setting line is inserted at
-- install time (presumably a setKey(...) call) — confirm a key is actually present in
-- the deployed file.
-- control socket on loopback only, so the control channel is not reachable from the network
controlSocket("127.0.0.1:4004")

-- ACL entries: loopback plus the whole 192.168.0.0/16 private range are admitted
-- (presumably this governs which clients may reach the webserver — verify).
-- NOTE(review): a /16 admits every host on that LAN; narrow it to the hosts that
-- actually need access.
addACL("127.0.0.0/8")
addACL("192.168.0.0/16")

-- Netmask group that allow() exempts from all throttling. It is empty in this sample
-- (both example masks are commented out). Anything added here bypasses the
-- failed-password limits entirely, so keep it to known, narrow ranges.
local bulkRetrievers = newNetmaskGroup()
--bulkRetrievers:addMask("130.161.0.0/16")
--bulkRetrievers:addMask("145.132.0.0/16")

-- cache the library function used by the reset() hook below
local string_find = string.find

-- "diffFailedPasswords" is stored as an "hll" field (presumably a HyperLogLog
-- cardinality estimate), which is what lets the policy count *distinct* failed
-- passwords per key rather than raw attempts
local field_map = { diffFailedPasswords = "hll" }
-- time-windowed stats DB: 6 windows of 600 seconds — one hour in total, matching the name
newStringStatsDB("OneHourDB", 600, 6, field_map)

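--- Report hook: records every failed login attempt that was not a policy reject,
-- feeding the distinct-failed-password counters that allow() reads.
-- @tparam table lt login tuple; reads lt.success, lt.policy_reject, lt.remote,
--   lt.login and lt.pwhash (lt.remote must provide a :tostring() method)
function twreport(lt)
   -- successful logins and policy rejects carry no signal for this counter
   if lt.success or lt.policy_reject then
      return
   end

   local sdb = getStringStatsDB("OneHourDB")
   -- per-IP key
   sdb:twAdd(lt.remote, "diffFailedPasswords", lt.pwhash)
   -- per-IP:login key; declared `local` so the key string no longer leaks into the
   -- global table on every failed login (the previous version assigned a global here)
   local addrlogin = lt.remote:tostring() .. ":" .. lt.login
   sdb:twAdd(addrlogin, "diffFailedPasswords", lt.pwhash)
end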

-- register twreport as the hook invoked for every reported login attempt
setReport(twreport)

--- Allow hook: decides whether a login attempt may proceed based on the
-- distinct-failed-password counters fed by twreport().
-- Always returns four values:
--   <return value>, <message for client>, <log message>, <log key-values>
-- where 0 allows and -1 rejects; the positive value (3) presumably requests a
-- delay/tarpit — confirm against the wforce documentation.
-- @tparam table lt login tuple; reads lt.remote (with :tostring()) and lt.login
function allow(lt)
   local sdb = getStringStatsDB("OneHourDB")

   -- trusted bulk retrievers are never throttled
   if bulkRetrievers:match(lt.remote) then
      return 0, "", "bulkRetrievers match", {}
   end

   -- per-IP limit: more than 50 distinct failed passwords from one address
   local ip_attempts = sdb:twGet(lt.remote, "diffFailedPasswords")
   if ip_attempts > 50 then
      return -1, "", "too many different failed password attempts by IP", { attempts=50 }
   end

   -- per-IP:login limit: more than 3 distinct failed passwords for one account from one address
   local addrlogin = lt.remote:tostring() .. ":" .. lt.login
   local iplogin_attempts = sdb:twGet(addrlogin, "diffFailedPasswords")
   if iplogin_attempts > 3 then
      return 3, "", "too many different failed password attempts by IP/login", { attempts=3 }
   end

   -- default: allow, with a marker in the log key-values
   return 0, "", "", { defaultReturn=1 }
end

-- register allow as the hook consulted for every login attempt
setAllow(allow)

--- Reset hook: clears the distinct-failed-password counters for one key.
-- The key is chosen by which of "ip", "login" and "ja3" appear in `type`.
-- @tparam string type which counters to clear (substring match on "ip", "login", "ja3")
-- @tparam string login login name, or the JA3 hash when `type` names "ja3"
-- @param ip address object with a :tostring() method
-- @treturn boolean always true
function reset(type, login, ip)
   local sdb = getStringStatsDB("OneHourDB")
   -- plain (non-pattern) substring tests; the needles contain no magic characters
   local has_ip = string.find(type, "ip", 1, true) ~= nil
   local has_login = string.find(type, "login", 1, true) ~= nil
   local has_ja3 = string.find(type, "ja3", 1, true) ~= nil

   if has_ip and has_login then
      -- same "<ip>:<login>" key that twreport() and allow() build
      sdb:twReset(ip:tostring() .. ":" .. login)
   elseif has_ip and has_ja3 then
      -- the login parameter carries the JA3 hash for this combination
      sdb:twReset(ip:tostring() .. "::" .. login)
   elseif has_ip then
      -- if you set a non-default prefix for IP addresses, then reset will not necessarily do what you expect
      -- for example if v4Prefix==24 and you reset an IP address it will reset the stats for all IPs in that range
      sdb:twReset(ip)
   elseif has_login or has_ja3 then
      -- we do not actually set any ja3 or login-only keys in this sample policy
      sdb:twReset(login)
   end
   return true
end

-- register reset as the hook invoked when counters are reset for an IP, login or JA3 key
setReset(reset)