Logged IP address for fail2ban on login failure

2021-08-27 12:54:47 +01:00 · 2021-08-27 12:54:47 +01:00 · 5fb621ca53
parent 60016c1f75
commit 5fb621ca53
5 changed files with 91 additions and 5 deletions
--- a/common/os_calls.c
+++ b/common/os_calls.c
@ -1464,6 +1464,45 @@ g_write_connection_description(int rcv_sck, char *description, int bytes)
    g_free(addr);
 }

+/*****************************************************************************/
+
+const char *g_get_ip_from_description(const char *description,
+                                      char *ip, int bytes)
+{
+    if (bytes > 0)
+    {
+        /* Look for the space after ip:port */
+        const char *end = g_strchr(description, ' ');
+        if (end == NULL)
+        {
+            end = description; /* Means we've failed */
+        }
+        else
+        {
+            /* Look back for the last ':' */
+            while (end > description && *end != ':')
+            {
+                --end;
+            }
+        }
+
+        if (end == description)
+        {
+            g_snprintf(ip, bytes, "<unknown>");
+        }
+        else if ((end - description) < (bytes - 1))
+        {
+            g_strncpy(ip, description, end - description);
+        }
+        else
+        {
+            g_strncpy(ip, description, bytes - 1);
+        }
+    }
+
+    return ip;
+}
+
 /*****************************************************************************/
 void
 g_sleep(int msecs)
--- a/common/os_calls.h
+++ b/common/os_calls.h
@ -95,6 +95,16 @@ int      g_sck_can_recv(int sck, int millis);
 int      g_sck_select(int sck1, int sck2);
 void     g_write_connection_description(int rcv_sck,
                                        char *description, int bytes);
+/**
+ * Extracts the IP address from the connection description
+ * @param description Connection description (from
+ *                    g_write_connection_description())
+ * @param ip buffer to write IP address to
+ * @param bytes Size of ip buffer
+ * @return Pointer to IP for convenience
+ */
+const char *g_get_ip_from_description(const char *description,
+                                      char *ip, int bytes);
 void     g_sleep(int msecs);
 tintptr  g_create_wait_obj(const char *name);
 tintptr  g_create_wait_obj_from_socket(tintptr socket, int write);
--- a/sesman/scp_v0.c
+++ b/sesman/scp_v0.c
@ -158,8 +158,14 @@ scp_v0_process(struct trans *t, struct SCP_SESSION *s)
    }
    else
    {
-        LOG(LOG_LEVEL_INFO, "Username or password error for user: %s",
-            s->username);
+        char ip[64];
+        g_get_ip_from_description(s->connection_description, ip, sizeof(ip));
+        /*
+         * The message is intended for use by fail2ban, so for
+         * future-proofing we only log the IP address rather than the
+         * connection description */
+        LOG(LOG_LEVEL_INFO, "Username or password error for user: %s from %s",
+            s->username, ip);
        scp_v0s_deny_connection(t);
    }
    if (do_auth_end)
--- a/sesman/scp_v1.c
+++ b/sesman/scp_v1.c
@ -79,9 +79,17 @@ scp_v1_process1(struct trans *t, struct SCP_SESSION *s)
        }
        else
        {
+            char ip[64];
+            g_get_ip_from_description(s->connection_description,
+                                      ip, sizeof(ip));
+            /*
+             * The message is intended for use by fail2ban, so for
+             * future-proofing we only log the IP address rather than the
+             * connection description */
+            LOG(LOG_LEVEL_INFO,
+                "Username or password error for user: %s from %s",
+                s->username, ip);
            scp_v1s_deny_connection(t, "Login failed");
-            LOG(LOG_LEVEL_INFO, "Login failed for user %s. "
-                "Connection terminated", s->username);
            return SCP_SERVER_STATE_END;
        }
        return SCP_SERVER_STATE_OK;
--- a/sesman/session.c
+++ b/sesman/session.c
@ -96,6 +96,7 @@ session_get_bydata(const char *name, int width, int height, int bpp, int type,
 {
    struct session_chain *tmp;
    enum SESMAN_CFG_SESS_POLICY policy = g_cfg->sess.policy;
+    char ip[64];

    tmp = g_sessions;

@ -115,12 +116,34 @@ session_get_bydata(const char *name, int width, int height, int bpp, int type,
            return 0;
    }

+    if ((policy & SESMAN_CFG_SESS_POLICY_I) != 0)
+    {
+        /* We'll need to compare on IP addresses */
+        g_get_ip_from_description(connection_description, ip, sizeof(ip));
+    }
+    else
+    {
+        ip[0] = '\0';
+    }
+
    LOG(LOG_LEVEL_DEBUG,
        "session_get_bydata: search policy %d U %s W %d H %d bpp %d T %d IP %s",
        policy, name, width, height, bpp, type, connection_description);

    while (tmp != 0)
    {
+        char tmp_ip[64];
+
+        if ((policy & SESMAN_CFG_SESS_POLICY_I) != 0)
+        {
+            g_get_ip_from_description(tmp->item->connection_description,
+                                      tmp_ip, sizeof (tmp_ip));
+        }
+        else
+        {
+            tmp_ip[0] = '\0';
+        }
+
        LOG(LOG_LEVEL_DEBUG,
            "session_get_bydata: try %p U %s W %d H %d bpp %d T %d IP %s",
            tmp->item,
@ -133,7 +156,7 @@ session_get_bydata(const char *name, int width, int height, int bpp, int type,
                (!(policy & SESMAN_CFG_SESS_POLICY_D) ||
                 (tmp->item->width == width && tmp->item->height == height)) &&
                (!(policy & SESMAN_CFG_SESS_POLICY_I) ||
-                 (g_strncmp_d(connection_description, tmp->item->connection_description, ':', 255) == 0)) &&
+                 (g_strcmp(ip, tmp_ip) == 0)) &&
                (!(policy & SESMAN_CFG_SESS_POLICY_C) ||
                 (g_strncmp(connection_description, tmp->item->connection_description, 255) == 0)) &&
                tmp->item->bpp == bpp &&