Use libucw mainloop

[bouncer.git] / bouncer.c

/*
 *      Bouncer -- A Daemon for Turning Away Mischievous Guests
 *
 *      (c) 2016 Martin Mares <mj@ucw.cz>
 *
 *      FIXME: ipset create bouncer4 hash:ip family inet
 *      FIXME: ipset create bouncer6 hash:ip family inet6
 *      FIXME: sshd_config: UseDNS no
 */

#define LOCAL_DEBUG

#include <ucw/lib.h>
#include <ucw/clists.h>
#include <ucw/conf.h>
#include <ucw/mainloop.h>
#include <ucw/string.h>

#include <alloca.h>
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

#include <libipset/data.h>
#include <libipset/session.h>
#include <libipset/types.h>

/*** Internal representation of IPv4/IPv6 addresses ***/

// In network byte order, IPv4 represented as ::ffff:1.2.3.4
struct addr {
  u32 a[4];
};

#define ADDR_BUFSIZE 64
#define AFMT(_a) ({ char *_buf = alloca(ADDR_BUFSIZE); addr_format(_buf, _a); _buf; })

static bool addr_is_v4(struct addr addr)
{
  return !addr.a[0] && !addr.a[1] && addr.a[2] == htonl(0xffff);
}

static void addr_format(char *buf, struct addr addr)
{
  const char *ok;
  if (addr_is_v4(addr))
    {
      struct in_addr in4;
      in4.s_addr = addr.a[3];
      ok = inet_ntop(AF_INET, &in4, buf, ADDR_BUFSIZE);
    }
  else
    {
      struct in6_addr in6;
      memcpy(&in6, &addr, sizeof(addr));
      ok = inet_ntop(AF_INET6, &in6, buf, ADDR_BUFSIZE);
    }
  if (!ok)
    snprintf(buf, ADDR_BUFSIZE, "<error %d>", errno);
}

static bool addr_parse(struct addr *addr, const char *src)
{
  struct in_addr a4;
  struct in6_addr a6;

  if (inet_pton(AF_INET, src, &a4))
    {
      addr->a[0] = addr->a[1] = 0;
      addr->a[2] = htonl(0xffff);
      addr->a[3] = a4.s_addr;
      return 1;
    }
  else if (inet_pton(AF_INET6, src, &a6))
    {
      memcpy(&addr, &a6, 16);
      return 1;
    }
  else
    return 0;
}

/*** Configuration ***/

static uns max_culprits = 3;    // FIXME
static uns max_failures = 3;    // FIXME
static uns max_idle_time = 600; // FIXME
static uns max_banned_time = 600;       // FIXME

/*** An interface to IP sets ***/

static struct ipset_session *is_sess;

enum is_index {
  IS_IPV4,
  IS_IPV6,
};

static const char * const is_names[] = {
  "bouncer4",
  "bouncer6",
};

static const char *trim_eol(const char *msg)
{
  int len = strlen(msg);
  if (!len || msg[len-1] != '\n')
    return msg;
  else
    {
      char *x = xstrdup(msg);
      x[len-1] = 0;
      return x;
    }
}

static void is_die(const char *when)
{
  const char *warn = ipset_session_warning(is_sess);
  if (warn)
    msg(L_WARN, "%s: %s", when, trim_eol(warn));

  const char *err = ipset_session_error(is_sess);
  die("%s: %s", when, err ? trim_eol(err) : "Unknown error");
}

static void is_err(const char *when)
{
  const char *warn = ipset_session_warning(is_sess);
  if (warn)
    msg(L_WARN, "%s: %s", when, trim_eol(warn));

  const char *err = ipset_session_error(is_sess);
  msg(L_ERROR, "%s: %s", when, err ? trim_eol(err) : "Unknown error");

  ipset_session_report_reset(is_sess);
}

static void is_init(void)
{
  ipset_load_types();

  is_sess = ipset_session_init(printf);
  if (!is_sess)
    die("Unable to initialize ipset session");
}

static void is_setup(int set)
{
  if (ipset_parse_setname(is_sess, IPSET_SETNAME, is_names[set]) < 0)
    is_die("ipset_parse_setname");
}

static void is_flush(int set)
{
  is_setup(set);

  if (ipset_cmd(is_sess, IPSET_CMD_FLUSH, 0) < 0)
    return is_err("IPSET_CMD_FLUSH");
}

static void is_modify(bool add, struct addr addr)
{
  is_setup(addr_is_v4(addr) ? IS_IPV4 : IS_IPV6);
  int cmd = add ? IPSET_CMD_ADD : IPSET_CMD_DEL;

  if (ipset_envopt_parse(is_sess, IPSET_ENV_EXIST, NULL) < 0)
    is_die("IPSET_ENV_EXIST");

  const struct ipset_type *is_type = ipset_type_get(is_sess, cmd);
  if (!is_type)
    is_die("ipset_type_get");

  if (is_type->dimension != 1)
    die("Invalid ipset dimension %d", is_type->dimension);

  char buf[ADDR_BUFSIZE];
  addr_format(buf, addr);
  if (ipset_parse_elem(is_sess, 0, buf) < 0)
    return is_err("ipset_parse_elem");

  if (ipset_cmd(is_sess, cmd, 0) < 0)
    return is_err(add ? "IPSET_CMD_ADD" : "IPSET_CMD_DEL");
}

/*** Handling of login failures ***/

struct culprit_node {
  cnode n;
  union {
    struct addr addr;
    byte addr_bytes[16];
  };
  timestamp_t last_fail;
  uns fail_count;
  bool banned;
};

#define HASH_NODE struct culprit_node
#define HASH_PREFIX(x) culprit_##x
#define HASH_KEY_MEMORY addr_bytes
#define HASH_KEY_SIZE 16
#define HASH_WANT_LOOKUP
#define HASH_WANT_REMOVE
#define HASH_USE_AUTO_ELTPOOL 1000
#define HASH_ZERO_FILL
#define HASH_LOOKUP_DETECT_NEW
#include <ucw/hashtable.h>

static uns num_culprits;
static clist culprit_lru, culprit_bans;
static struct main_timer cleanup_timer;

static void cleanup_list(clist *list, timestamp_t max_time, timestamp_t *next)
{
  timestamp_t now = main_get_now();

  for (;;)
    {
      struct culprit_node *c = clist_head(list);
      if (!c)
        break;

      timestamp_t expire_in = c->last_fail + max_time - now;
      if (num_culprits > max_culprits)
        expire_in = 0;

      if (expire_in > now)
        {
          *next = MIN(*next, expire_in);
          break;
        }

      if (c->banned)
        {
          DBG("%s: unbanned", AFMT(c->addr));
          is_modify(0, c->addr);
        }
      else
        {
          DBG("%s: removed from LRU", AFMT(c->addr));
        }

      clist_remove(&c->n);
      culprit_remove(c);
      num_culprits--;
    }
}

static void culprit_cleanup(void)
{
  timestamp_t next_cleanup = main_get_now() + (timestamp_t)3600 * 1000;
  cleanup_list(&culprit_bans, (timestamp_t)max_banned_time * 1000, &next_cleanup);
  cleanup_list(&culprit_lru, (timestamp_t)max_idle_time * 1000, &next_cleanup);
  timer_add(&cleanup_timer, next_cleanup);
}

static void handle_failed_login(struct addr addr)
{
  int is_new;
  timestamp_t now = main_get_now();

  struct culprit_node *c = culprit_lookup((byte *) &addr, &is_new);
  if (is_new)
    {
      c->fail_count = 1;
      c->banned = 0;
      clist_add_tail(&culprit_lru, &c->n);
      num_culprits++;
      // FIXME: Warn on overflow, but not too frequently
      DBG("%s: first fail", AFMT(addr));
    }
  else if (!c->banned)
    {
      c->fail_count++;
      clist_remove(&c->n);
      clist_add_tail(&culprit_lru, &c->n);
      DBG("%s: next fail, cnt=%u", AFMT(addr), c->fail_count);
    }
  c->last_fail = now;

  if (!c->banned && c->fail_count >= max_failures)
    {
      DBG("%s: banned", AFMT(addr));
      c->banned = 1;
      clist_remove(&c->n);
      clist_add_tail(&culprit_bans, &c->n);
      is_modify(1, c->addr);
    }
}

static void culprit_timer(struct main_timer *tm UNUSED)
{
  culprit_cleanup();
}

static void fail_init(void)
{
  culprit_init();
  clist_init(&culprit_lru);
  clist_init(&culprit_bans);
  cleanup_timer.handler = culprit_timer;
}

/*** Parsing of log messages ***/

static bool check_next(char **pp, char *want)
{
  char *p = *pp;
  while (*want)
    {
      if (*p++ != *want++)
        return 0;
    }
  *pp = p;
  return 1;
}

static void process_msg(char *line)
{
  DBG("Parse: <%s>", line);

  char *p = line;
  int c;
  // 2016-11-04T17:18:54.825821+01:00 sshd[6733]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4

  // We shall start with 32 non-spaces
  for (int i=0; i<32; i++)
    {
      c = *p++;
      if (!c || c == ' ')
        return;
    }
  DBG("Parse 1: <%s>", p);

  // Space, something, colon, space
  if (*p++ != ' ')
    return;
  while (*p && *p != ' ' && *p != ':')
    p++;
  if (!check_next(&p, ": "))
    return;
  DBG("Parse 2: <%s>", p);

  // pam_unix(something), colon, space (FIXME: make configurable)
  if (!check_next(&p, "pam_unix("))
    return;
  do
    {
      c = *p++;
      if (!c || c == ' ')
        return;
    }
  while (c != ')');
  if (!check_next(&p, ": "))
    return;
  DBG("Parse 3: <%s>", p);

  // "authentication failure;"
  if (!check_next(&p, "authentication failure; "))
    return;
  DBG("Parse 4: <%s>", p);

  // Decode attributes
  bool done = 0;
  char *rhost = NULL;
  while (!done)
    {
      while (*p == ' ')
        p++;
      if (!*p)
        break;

      char *key = p;
      while (*p && *p != ' ' && *p != '=')
        p++;
      if (*p != '=')
        continue;
      *p++ = 0;

      char *val = p;
      while (*p && *p != ' ')
        p++;
      if (*p)
        *p++ = 0;
      else
        done = 1;

      DBG("Parse KV: %s=<%s>", key, val);
      if (!strcmp(key, "rhost"))
        rhost = val;
    }

  // Act on the message
  struct addr addr;
  if (addr_parse(&addr, rhost))
    handle_failed_login(addr);
  else
    msg(L_WARN, "Unable to parse address %s", rhost);
}

/*** Socket for receiving messages from rsyslog ***/

static const char sk_name[] = "/var/run/bouncer.sock";
struct main_file sk_file;

static int sk_read(struct main_file *mf)
{
  char line[1024];
  int len = recv(mf->fd, line, sizeof(line), MSG_TRUNC);
  if (len < 0)
    {
      if (errno == EINTR || errno == EAGAIN)
        return HOOK_IDLE;
      die("recv: %m");
    }

  if (len >= (int) sizeof(line))
    {
      msg(L_WARN, "Truncated message received (length=%d)", len);
      len = sizeof(line) - 1;
    }
  line[len] = 0;

  if (len > 0 && line[len-1] == '\n')
    line[--len] = 0;
  if (len > 0 && line[len-1] == '\r')
    line[--len] = 0;

  process_msg(line);
  return HOOK_RETRY;
}

static void sk_init(void)
{
  unlink(sk_name);

  int fd;
  if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
    die("Cannot create PF_UNIX socket: %m");

  struct sockaddr_un sa = { .sun_family = AF_UNIX };
  strcpy(sa.sun_path, sk_name);
  if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0)
    die("Cannot bind socket %s: %m", sk_name);

  // FIXME: Permissions

  sk_file.fd = fd;
  sk_file.read_handler = sk_read;
  file_add(&sk_file);
}

/*** Main ***/

int main(void)
{
  main_init();
  is_init();
  fail_init();

  msg(L_INFO, "Clearing previous state");
  is_flush(IS_IPV4);
  is_flush(IS_IPV6);

  sk_init();

  main_loop();
  return 0;
}