-
-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
L4 module "remote_ip_list" to support fail2ban #266
base: master
Are you sure you want to change the base?
Conversation
Hi! I actually like the idea of this matcher. As far as I understand, it requires https://github.com/Javex/caddy-fail2ban (a realtively new plugin I haven't conducted a deep analysis of, but it will be inside a go binary, so it's not a big deal then) and https://github.com/fail2ban/fail2ban (a completely separate non-go project). In other words, even if Caddy is built with caddy-l4 and this matcher included, the desired fail2ban functionality won't work unless one installs and configures fail2ban separately. Thus, it makes me doubt whether this matcher should be part of caddy-l4, https://github.com/Javex/caddy-fail2ban, or even be a separate solution. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing stood out to me. I couldn't capture all the references as I'm trying to do it on the phone.
Hi, thank you for your review! |
@trefzaxSICKAG Thanks for keeping your PR updated. I have another topic for discussion with regards to this matcher: shall we actually name it If the renaming is approved, I think the code has to be cleared to exclude any words derived from |
... and replaced all occurrences of banfile / ban / fail2ban
Thank you for your suggestion @vnxme |
At this point, this is just a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again for the contribution/working on this. I don't really have much/any experience with fail2ban, so I will continue to defer other reviews to the others who have already commented, but I just had a couple stylistic nits. Conventionally, initialisms in Go are capitalized, so all instances of Ip
in identifiers should become IP
. I commented on a few of them but there are more.
I'm good with merging this, however, it does bring in fsnotify, a moderately complex dependency (not in terms of dependencies, thankfully, just code), and it would be a new dependency for Caddy if, someday, the caddy-l4 module is merged into the standard distribution. There's a good chance this would be an external plugin at that point (as would possibly some other L4 modules but I haven't looked closely yet). That's okay -- just an FYI for the future.
Thanks!
modules/l4remoteiplist/iplist.go
Outdated
func (b *IpList) StartMonitoring() { | ||
go b.monitor() | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's more about code styling, but is there much sense in a one-line function that is called from a single place? I believe, it's just an additional execution hop we could eliminate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left it like this for the time being to simplify the code at the provision. The idea was to avoid starting goroutines there.
... and ignore e.g. comments
Thank you for your review @mholt |
and refactored test cases
Just a quick update: I have implemented all the requested changes. From my side, this would be ready to merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, sorry I forgot about this one. @mohammed90 Do you have any other thoughts before we merge? (OK if you don't / are busy!)
func (b *IPList) StartMonitoring() { | ||
go b.monitor() | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to double check, this won't leak goroutines on every reload because Caddy closes/shuts the caddy.Context
on config reload and/or shutdown, right?
This is the only concern I have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good eye. It does seem to check the context in its loop, and return after an error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As @mholt said, the main loop within the goroutine currently returns as soon as ctx.Done()
is true or an error occurs.
Is there anything else that should be checked to prevent a goroutine leak? Is ctx.Done()
always true when the configuration is reloaded?
This PR provides a module to integrate fail2ban into L4 and works similar to https://github.com/Javex/caddy-fail2ban.
The module can be used to protect protocols on layer 4 against brute force attacks by allowing to block an IP address after too many failed login attempts. I have used it to protect a MQTT server, but it could also be used for other protocols with login mechanisms like FTP, SSH, OPC UA, SNMP, IMAP, POP3, SMTP, LDAP...
The module introduces a matcher
remote_ip_list
which can be used to check if the IP address of the sender is contained in a remote IP list. This can be used to e.g. ban the matched IP.Example Caddyfile: