-rw-r--r-- | conf/modules.conf.example | 9 | ||||
-rw-r--r-- | src/modules/m_clones.cpp | 2 | ||||
-rw-r--r-- | src/modules/m_connectban.cpp | 39 |
3 files changed, 39 insertions, 11 deletions
diff --git a/conf/modules.conf.example b/conf/modules.conf.example index db255cca3..0eee4541e 100644 --- a/conf/modules.conf.example +++ b/conf/modules.conf.example @@ -463,14 +463,15 @@ #<module name="m_cycle.so"> #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# Connectban: Provides per-IP connection throttling. Any IP that disconnects +# Connectban: Provides IP connection throttling. Any IP range that connects # too many times (configurable) in an hour is zlined for a (configurable) # duration, and their count resets to 0. # -# NOTE: This module may change name/behaviour later in 1.2. Please make sure -# you read release announcements! +# ipv4cidr and ipv6cidr allow you to turn the comparison from individual +# IP addresses (32 and 128 bits) into CIDR masks, to allow for throttling +# over whole ISPs/blocks of IPs, which may be needed to prevent attacks. # -#<connectban threshold="10" duration="10m"> +#<connectban threshold="10" duration="10m" ipv4cidr="32" ipv6cidr="128"> # This allows for 10 quits in an hour with a 10 minute ban if that is exceeded. # #<module name="m_connectban.so"> diff --git a/src/modules/m_clones.cpp b/src/modules/m_clones.cpp index 43d0bb1c7..82bdf5550 100644 --- a/src/modules/m_clones.cpp +++ b/src/modules/m_clones.cpp @@ -14,7 +14,7 @@ #include "inspircd.h" #include "wildcard.h" -/* $ModDesc: Provides the /clones command to retrieve information on a user, channel, or IP address */ +/* $ModDesc: Provides the /clones command to retrieve information on clones. */ /** Handle /CHECK */ diff --git a/src/modules/m_connectban.cpp b/src/modules/m_connectban.cpp index 8c39ae8ba..fc8b9aeaa 100644 --- a/src/modules/m_connectban.cpp +++ b/src/modules/m_connectban.cpp @@ -22,6 +22,8 @@ class ModuleQuitBan : public Module clonemap connects; unsigned int threshold; unsigned int banduration; + unsigned int ipv4_cidr; + unsigned int ipv6_cidr; public: ModuleQuitBan(InspIRCd* Me) : Module(Me) { 
@@ -44,6 +46,14 @@ class ModuleQuitBan : public Module ConfigReader Conf(ServerInstance); std::string duration; + ipv4_cidr = Conf.ReadInteger("connectban", "ipv4cidr", 0, true); + if (ipv4_cidr == 0) + ipv4_cidr = 32; + + ipv6_cidr = Conf.ReadInteger("connectban", "ipv6cidr", 0, true); + if (ipv6_cidr == 0) + ipv6_cidr = 128; + threshold = Conf.ReadInteger("connectban", "threshold", 0, true); if (threshold == 0) @@ -59,30 +69,47 @@ class ModuleQuitBan : public Module virtual void OnUserConnect(User *u) { - clonemap::iterator i = connects.find(u->GetIPString()); + int range = 32; + clonemap::iterator i; + + switch (u->GetProtocolFamily()) + { + #ifdef SUPPORT_IP6LINKS + case AF_INET6: + { + range = ipv6_cidr; + } + break; + #endif + case AF_INET: + { + range = ipv4_cidr; + } + break; + } + + i = connects.find(u->GetCIDRMask(range)); if (i != connects.end()) { i->second++; - ServerInstance->Logs->Log("m_connectban",DEBUG, "Count for IP is now %d", i->second); if (i->second >= threshold) { // Create zline for set duration. - ZLine* zl = new ZLine(ServerInstance, ServerInstance->Time(), banduration, ServerInstance->Config->ServerName, "Connect flooding", u->GetIPString()); + ZLine* zl = new ZLine(ServerInstance, ServerInstance->Time(), banduration, ServerInstance->Config->ServerName, "Connect flooding", u->GetCIDRMask(range)); if (ServerInstance->XLines->AddLine(zl,NULL)) ServerInstance->XLines->ApplyLines(); else delete zl; - ServerInstance->SNO->WriteToSnoMask('x', "Connect flooding from IP %s (%d)", u->GetIPString(), threshold); + ServerInstance->SNO->WriteToSnoMask('x', "Connect flooding from IP range %s (%d)", u->GetCIDRMask(range), threshold); connects.erase(i); } } else { - connects[u->GetIPString()] = 1; - ServerInstance->Logs->Log("m_quitban",DEBUG, "Added new record"); + connects[u->GetCIDRMask(range)] = 1; } } |
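Review bot: The two new prefix lengths are only checked against 0, so a value such as `ipv4cidr="64"` or `ipv6cidr="200"` is stored as-is and later passed to `GetCIDRMask()` in OnUserConnect. I would clamp at load time with `if (ipv4_cidr == 0 || ipv4_cidr > 32) ipv4_cidr = 32;` and `if (ipv6_cidr == 0 || ipv6_cidr > 128) ipv6_cidr = 128;`, and log when a configured value is replaced so that an operator typo does not silently change the ban scope. How `GetCIDRMask()` treats an out-of-range length is not visible on this page, so rejecting it here is the safe assumption. The enclosing function starts and ends outside the hunk.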
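Review bot: The Z-line in the `i->second >= threshold` branch is now placed on `u->GetCIDRMask(range)`, so once `ipv4cidr`/`ipv6cidr` is set below 32/128 a single reconnecting host gets every other client in that range banned, and `ApplyLines()` presumably disconnects the ones already online. That trade-off deserves a comment above the `new ZLine(...)` line, e.g. `// Bans the whole CIDR range, not just this client: a short prefix lets one host lock out its neighbours`, and the same caveat belongs next to the `<connectban>` example in the config. Separately, the `switch` has no `default:` and `range` is an `int` initialised to a literal 32 while the configured values are `unsigned int`; `unsigned int range = ipv4_cidr;` before the switch would keep the fallback tied to configuration. `GetCIDRMask(range)` is also evaluated up to four times per connect and could be computed once into a local.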