fixed brute-force + peer-disconnect - Bug

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@75 6c8d7289-2bf4-0310-a012-ef5d649a1542
20 years ago · f99930c04b
parent 4856f04797
commit f99930c04b
7 changed files with 42 additions and 19 deletions
--- a/doc/News.html
+++ b/doc/News.html
@ -50,8 +50,9 @@ globalheader();
 <li>added a concept for external parsers; pdf an doc parser are integrated but not active yet.</li>
 <li>fixed several bugs that caused thread-locks and 100% CPU load</li>
 <li>fixed bug with cookie storage; changed handling of multiple cookies</li>
+<li>fixed brute-force password attack denial</li>
 <li>check on new peer names: must not occur already and may only contain letters, numbers and '_' or '-'.</li>
-<li>many minor bug fixes and spell corrections in interface</li>
+<li>many minor bug fixes and spell corrections in web-interface</li>
 </ul>

 <br><p>v0.36_build20050326
--- a/htroot/MessageSend_p.java
+++ b/htroot/MessageSend_p.java
@ -80,10 +80,11 @@ public class MessageSend_p {
 	    HashMap result = yacyClient.permissionMessage(hash);
            //System.out.println("DEBUG: permission request result = " + result.toString());
 	    String peerName;
+            yacySeed targetPeer = null;
 	    if (hash.equals(yacyCore.seedDB.mySeed.hash)) {
 		peerName = yacyCore.seedDB.mySeed.get("Name","nameless");
            } else {
-                yacySeed targetPeer = yacyCore.seedDB.getConnected(hash);
+                targetPeer = yacyCore.seedDB.getConnected(hash);
                if (targetPeer == null)
                    peerName = "nameless";
                else
@ -92,14 +93,17 @@ public class MessageSend_p {
            String response = (result == null) ? "-1" : (String) result.get("response");
 	    if ((response == null) || (response.equals("-1"))) {
 		// we don't have permission or other peer does not exist
-		body += "<p>You cannot send a message to '" + peerName + "'. The peer does not respond.</p>";
+		body += "<p>You cannot send a message to '" + peerName + "'. The peer does not respond. It was now removed from the peer-list.</p>";
+                if (targetPeer != null) {
+                    yacyCore.peerActions.disconnectPeer(targetPeer);
+                }
 	    } else {
 		// write input form
 		int messagesize = Integer.parseInt((String) result.get("messagesize"));
 		int attachmentsize = Integer.parseInt((String) result.get("attachmentsize"));
 		body += "<p>The peer '" + peerName + "' is alive and responded:<br>";
 		body += "'" + response + " You are allowed to send me a message &le; " + messagesize + " kb and an attachment &le; " + attachmentsize + ".'</p>";
-		body += "<form action=\"MessageSend_p.html\" method=\"post\" enctype=\"multipart/form-data\"><br><br>";
+		body += "<form action=\"MessageSend_p.html\" method=\"post\" enctype=\"multipart/form-data\" accept-charset=\"UTF-8\"><br><br>";
 		body += "<p><h3>Your Message</h3></p>";
 		body += "<p>Subject:<br><input name=\"subject\" type=\"text\" size=\"80\" maxlength=\"80\" value=\"" + subject + "\"></p>";
 		body += "<p>Text:<br><textarea name=\"message\" cols=\"80\" rows=\"8\"></textarea></p>";
--- a/htroot/Wiki.java
+++ b/htroot/Wiki.java
@ -101,7 +101,7 @@ public class Wiki {
 	    try {
 		prop.put("pagecontent", "");
 		prop.put("pageedit",
-			 "<form action=\"Wiki.html\" method=\"post\" enctype=\"multipart/form-data\">" +
+			 "<form action=\"Wiki.html\" method=\"post\" enctype=\"multipart/form-data\" accept-charset=\"UTF-8\">" +
 			 //"<form action=\"Wiki.html\" method=\"post\" enctype=\"application/x-www-form-urlencoded\">" +
 			 "<p>Author:<br><input name=\"author\" type=\"text\" size=\"80\" maxlength=\"80\" value=\"" + author + "\"></p>" +
 			 "<p>Text:<br><textarea name=\"content\" cols=\"80\" rows=\"24\">" + new String(page.page(), "ISO-8859-1") + "</textarea></p>" +
--- a/makerelease.sh
+++ b/makerelease.sh
@ -191,6 +191,7 @@ cp htroot/*.xml $release/htroot/
 cp htroot/*.html $release/htroot/
 cp htroot/*.java $release/htroot/
 cp htroot/*.class $release/htroot/
+cp htroot/*.ico $release/htroot/
 cp htroot/yacy/*.html $release/htroot/yacy/
 cp htroot/yacy/*.java $release/htroot/yacy/
 cp htroot/yacy/*.class $release/htroot/yacy/
--- a/source/de/anomic/http/httpdFileHandler.java
+++ b/source/de/anomic/http/httpdFileHandler.java
@ -230,13 +230,15 @@ public final class httpdFileHandler extends httpdAbstractHandler implements http
 		serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
 	    } else {
                // a wrong authentication was given. Ask again
-                serverLog.logInfo("HTTPD", "Wrong log-in for account 'admin' in http file handler for path '" + path + "' from host '" + conProp.getProperty("CLIENTIP", "unknown-IP") + "'");
+                String clientIP = conProp.getProperty("CLIENTIP", "unknown-host");
+                serverLog.logInfo("HTTPD", "Wrong log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
                //try {Thread.currentThread().sleep(3000);} catch (InterruptedException e) {} // add a delay to make brute-force harder
-		serverCore.bfHost.put(conProp.getProperty("CLIENTIP"), "sleep");
+		serverCore.bfHost.put(clientIP, "sleep");
                out.write(("HTTP/1.1 401 log-in required\r\n").getBytes());
                out.write(("WWW-Authenticate: Basic realm=\"admin log-in\"\r\n").getBytes());
                out.write(("\r\n").getBytes());
                out.flush();
+                //System.out.println("httpd bfHosts=" + serverCore.bfHost.toString());
                return;
            }
 	}
--- a/source/de/anomic/server/serverCore.java
+++ b/source/de/anomic/server/serverCore.java
@ -139,6 +139,15 @@ public final class serverCore extends serverAbstractThread implements serverThre
 	    }
 	}
    }
+    
+    public static String clientAddress(Socket s) {
+        InetAddress uAddr = s.getInetAddress();
+        if (uAddr.isAnyLocalAddress()) return "localhost";
+        String cIP = uAddr.getHostAddress();
+        if (cIP.equals("0:0:0:0:0:0:0:1")) cIP = "localhost";
+        if (cIP.equals("127.0.0.1")) cIP = "localhost";
+        return cIP;
+    }

    // class initializer
    public serverCore(int port, int maxSessions, int timeout,
@ -299,19 +308,20 @@ public final class serverCore extends serverAbstractThread implements serverThre
        announceThreadBlockApply();
        Socket controlSocket = this.socket.accept();
        announceThreadBlockRelease();
-	String clientIP = ""+controlSocket.getInetAddress().getHostAddress();
-        if (bfHost.get(clientIP) != null) {
-            log.logInfo("SLOWING DOWN ACCESS FOR BRUTE-FORCE PREVENTION FROM " + clientIP);
+        String cIP = clientAddress(controlSocket);
+        //System.out.println("server bfHosts=" + bfHost.toString());
+        if (bfHost.get(cIP) != null) {
+            log.logInfo("SLOWING DOWN ACCESS FOR BRUTE-FORCE PREVENTION FROM " + cIP);
 	    // add a delay to make brute-force harder
-	    try {Thread.currentThread().sleep(1000);} catch (InterruptedException e) {}
+	    try {Thread.currentThread().sleep(3000);} catch (InterruptedException e) {}
 	}
-        if ((this.denyHost == null) || (this.denyHost.get(clientIP) == null)) {
+        if ((this.denyHost == null) || (this.denyHost.get(cIP) == null)) {
            controlSocket.setSoTimeout(this.timeout);
            Session connection = (Session) this.theSessionPool.borrowObject();
            connection.execute(controlSocket);
            //log.logDebug("* NEW SESSION: " + connection.request + " from " + clientIP);
        } else {
-            System.out.println("ACCESS FROM " + clientIP + " DENIED");
+            System.out.println("ACCESS FROM " + cIP + " DENIED");
        }
        // idle until number of maximal threads is (again) reached
        //synchronized(this) {
--- a/source/de/anomic/yacy/yacySeedDB.java
+++ b/source/de/anomic/yacy/yacySeedDB.java
@ -340,13 +340,15 @@ public class yacySeedDB {
    }
    
    public void addDisconnected(yacySeed seed) {
-	if ((seed == null) || (!(seed.isProper()))) return;
-	//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
+	if (seed == null) return;
        try {
            nameLookupCache.remove(seed.getName());
-            seedPassiveDB.set(seed.hash, seed.getMap());
            seedActiveDB.remove(seed.hash);
            seedPotentialDB.remove(seed.hash);
+        } catch (Exception e) {}
+	//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
+        try {
+            seedPassiveDB.set(seed.hash, seed.getMap());
 	} catch (IOException e) {
 	    System.out.println("ERROR add: seed.db corrupt (" + e.getMessage() + "); resetting seed.db");
 	    e.printStackTrace();
@ -363,13 +365,16 @@ public class yacySeedDB {
    }
    
    public void addPotential(yacySeed seed) {
-	if ((seed == null) || (!(seed.isProper()))) return;
-	//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
+        if (seed == null) return;
        try {
            nameLookupCache.remove(seed.getName());
-            seedPotentialDB.set(seed.hash, seed.getMap());
            seedActiveDB.remove(seed.hash);
            seedPassiveDB.remove(seed.hash);
+        } catch (Exception e) {}
+	if (!(seed.isProper())) return;
+	//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
+        try {
+            seedPotentialDB.set(seed.hash, seed.getMap());
 	} catch (IOException e) {
 	    System.out.println("ERROR add: seed.db corrupt (" + e.getMessage() + "); resetting seed.db");
 	    e.printStackTrace();