summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--conf/modules.conf.example9
-rw-r--r--src/modules/m_clones.cpp2
-rw-r--r--src/modules/m_connectban.cpp39
3 files changed, 39 insertions, 11 deletions
diff --git a/conf/modules.conf.example b/conf/modules.conf.example
index db255cca3..0eee4541e 100644
--- a/conf/modules.conf.example
+++ b/conf/modules.conf.example
@@ -463,14 +463,15 @@
#<module name="m_cycle.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
-# Connectban: Provides per-IP connection throttling. Any IP that disconnects
+# Connectban: Provides IP connection throttling. Any IP range that connects
# too many times (configurable) in an hour is zlined for a (configurable)
# duration, and their count resets to 0.
#
-# NOTE: This module may change name/behaviour later in 1.2. Please make sure
-# you read release announcements!
+# ipv4cidr and ipv6cidr allow you to turn the comparison from individual
+# IP addresses (32 and 128 bits) into CIDR masks, to allow for throttling
+# over whole ISPs/blocks of IPs, which may be needed to prevent attacks.
#
-#<connectban threshold="10" duration="10m">
+#<connectban threshold="10" duration="10m" ipv4cidr="32" ipv6cidr="128">
# This allows for 10 quits in an hour with a 10 minute ban if that is exceeded.
#
#<module name="m_connectban.so">
diff --git a/src/modules/m_clones.cpp b/src/modules/m_clones.cpp
index 43d0bb1c7..82bdf5550 100644
--- a/src/modules/m_clones.cpp
+++ b/src/modules/m_clones.cpp
@@ -14,7 +14,7 @@
#include "inspircd.h"
#include "wildcard.h"
-/* $ModDesc: Provides the /clones command to retrieve information on a user, channel, or IP address */
+/* $ModDesc: Provides the /clones command to retrieve information on clones. */
/** Handle /CHECK
*/
diff --git a/src/modules/m_connectban.cpp b/src/modules/m_connectban.cpp
index 8c39ae8ba..fc8b9aeaa 100644
--- a/src/modules/m_connectban.cpp
+++ b/src/modules/m_connectban.cpp
@@ -22,6 +22,8 @@ class ModuleQuitBan : public Module
clonemap connects;
unsigned int threshold;
unsigned int banduration;
+ unsigned int ipv4_cidr;
+ unsigned int ipv6_cidr;
public:
ModuleQuitBan(InspIRCd* Me) : Module(Me)
{
@@ -44,6 +46,14 @@ class ModuleQuitBan : public Module
ConfigReader Conf(ServerInstance);
std::string duration;
+ ipv4_cidr = Conf.ReadInteger("connectban", "ipv4cidr", 0, true);
+ if (ipv4_cidr == 0)
+ ipv4_cidr = 32;
+
+ ipv6_cidr = Conf.ReadInteger("connectban", "ipv6cidr", 0, true);
+ if (ipv6_cidr == 0)
+ ipv6_cidr = 128;
+
threshold = Conf.ReadInteger("connectban", "threshold", 0, true);
if (threshold == 0)
@@ -59,30 +69,47 @@ class ModuleQuitBan : public Module
virtual void OnUserConnect(User *u)
{
- clonemap::iterator i = connects.find(u->GetIPString());
+ int range = 32;
+ clonemap::iterator i;
+
+ switch (u->GetProtocolFamily())
+ {
+ #ifdef SUPPORT_IP6LINKS
+ case AF_INET6:
+ {
+ range = ipv6_cidr;
+ }
+ break;
+ #endif
+ case AF_INET:
+ {
+ range = ipv4_cidr;
+ }
+ break;
+ }
+
+ i = connects.find(u->GetCIDRMask(range));
if (i != connects.end())
{
i->second++;
- ServerInstance->Logs->Log("m_connectban",DEBUG, "Count for IP is now %d", i->second);
if (i->second >= threshold)
{
// Create zline for set duration.
- ZLine* zl = new ZLine(ServerInstance, ServerInstance->Time(), banduration, ServerInstance->Config->ServerName, "Connect flooding", u->GetIPString());
+ ZLine* zl = new ZLine(ServerInstance, ServerInstance->Time(), banduration, ServerInstance->Config->ServerName, "Connect flooding", u->GetCIDRMask(range));
if (ServerInstance->XLines->AddLine(zl,NULL))
ServerInstance->XLines->ApplyLines();
else
delete zl;
- ServerInstance->SNO->WriteToSnoMask('x', "Connect flooding from IP %s (%d)", u->GetIPString(), threshold);
+ ServerInstance->SNO->WriteToSnoMask('x', "Connect flooding from IP range %s (%d)", u->GetCIDRMask(range), threshold);
connects.erase(i);
}
}
else
{
- connects[u->GetIPString()] = 1;
- ServerInstance->Logs->Log("m_quitban",DEBUG, "Added new record");
+ connects[u->GetCIDRMask(range)] = 1;
}
}