fixed brute-force + peer-disconnect - Bug

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@75 6c8d7289-2bf4-0310-a012-ef5d649a1542
pull/1/head
orbiter 20 years ago
parent 4856f04797
commit f99930c04b

@ -50,8 +50,9 @@ globalheader();
<li>added a concept for external parsers; pdf an doc parser are integrated but not active yet.</li>
<li>fixed several bugs that caused thread-locks and 100% CPU load</li>
<li>fixed bug with cookie storage; changed handling of multiple cookies</li>
<li>fixed brute-force password attack denial</li>
<li>check on new peer names: must not occur already and may only contain letters, numbers and '_' or '-'.</li>
<li>many minor bug fixes and spell corrections in interface</li>
<li>many minor bug fixes and spell corrections in web-interface</li>
</ul>
<br><p>v0.36_build20050326

@ -80,10 +80,11 @@ public class MessageSend_p {
HashMap result = yacyClient.permissionMessage(hash);
//System.out.println("DEBUG: permission request result = " + result.toString());
String peerName;
yacySeed targetPeer = null;
if (hash.equals(yacyCore.seedDB.mySeed.hash)) {
peerName = yacyCore.seedDB.mySeed.get("Name","nameless");
} else {
yacySeed targetPeer = yacyCore.seedDB.getConnected(hash);
targetPeer = yacyCore.seedDB.getConnected(hash);
if (targetPeer == null)
peerName = "nameless";
else
@ -92,14 +93,17 @@ public class MessageSend_p {
String response = (result == null) ? "-1" : (String) result.get("response");
if ((response == null) || (response.equals("-1"))) {
// we don't have permission or other peer does not exist
body += "<p>You cannot send a message to '" + peerName + "'. The peer does not respond.</p>";
body += "<p>You cannot send a message to '" + peerName + "'. The peer does not respond. It was now removed from the peer-list.</p>";
if (targetPeer != null) {
yacyCore.peerActions.disconnectPeer(targetPeer);
}
} else {
// write input form
int messagesize = Integer.parseInt((String) result.get("messagesize"));
int attachmentsize = Integer.parseInt((String) result.get("attachmentsize"));
body += "<p>The peer '" + peerName + "' is alive and responded:<br>";
body += "'" + response + " You are allowed to send me a message &le; " + messagesize + " kb and an attachment &le; " + attachmentsize + ".'</p>";
body += "<form action=\"MessageSend_p.html\" method=\"post\" enctype=\"multipart/form-data\"><br><br>";
body += "<form action=\"MessageSend_p.html\" method=\"post\" enctype=\"multipart/form-data\" accept-charset=\"UTF-8\"><br><br>";
body += "<p><h3>Your Message</h3></p>";
body += "<p>Subject:<br><input name=\"subject\" type=\"text\" size=\"80\" maxlength=\"80\" value=\"" + subject + "\"></p>";
body += "<p>Text:<br><textarea name=\"message\" cols=\"80\" rows=\"8\"></textarea></p>";

@ -101,7 +101,7 @@ public class Wiki {
try {
prop.put("pagecontent", "");
prop.put("pageedit",
"<form action=\"Wiki.html\" method=\"post\" enctype=\"multipart/form-data\">" +
"<form action=\"Wiki.html\" method=\"post\" enctype=\"multipart/form-data\" accept-charset=\"UTF-8\">" +
//"<form action=\"Wiki.html\" method=\"post\" enctype=\"application/x-www-form-urlencoded\">" +
"<p>Author:<br><input name=\"author\" type=\"text\" size=\"80\" maxlength=\"80\" value=\"" + author + "\"></p>" +
"<p>Text:<br><textarea name=\"content\" cols=\"80\" rows=\"24\">" + new String(page.page(), "ISO-8859-1") + "</textarea></p>" +

@ -191,6 +191,7 @@ cp htroot/*.xml $release/htroot/
cp htroot/*.html $release/htroot/
cp htroot/*.java $release/htroot/
cp htroot/*.class $release/htroot/
cp htroot/*.ico $release/htroot/
cp htroot/yacy/*.html $release/htroot/yacy/
cp htroot/yacy/*.java $release/htroot/yacy/
cp htroot/yacy/*.class $release/htroot/yacy/

@ -230,13 +230,15 @@ public final class httpdFileHandler extends httpdAbstractHandler implements http
serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
} else {
// a wrong authentication was given. Ask again
serverLog.logInfo("HTTPD", "Wrong log-in for account 'admin' in http file handler for path '" + path + "' from host '" + conProp.getProperty("CLIENTIP", "unknown-IP") + "'");
String clientIP = conProp.getProperty("CLIENTIP", "unknown-host");
serverLog.logInfo("HTTPD", "Wrong log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
//try {Thread.currentThread().sleep(3000);} catch (InterruptedException e) {} // add a delay to make brute-force harder
serverCore.bfHost.put(conProp.getProperty("CLIENTIP"), "sleep");
serverCore.bfHost.put(clientIP, "sleep");
out.write(("HTTP/1.1 401 log-in required\r\n").getBytes());
out.write(("WWW-Authenticate: Basic realm=\"admin log-in\"\r\n").getBytes());
out.write(("\r\n").getBytes());
out.flush();
//System.out.println("httpd bfHosts=" + serverCore.bfHost.toString());
return;
}
}

@ -140,6 +140,15 @@ public final class serverCore extends serverAbstractThread implements serverThre
}
}
public static String clientAddress(Socket s) {
InetAddress uAddr = s.getInetAddress();
if (uAddr.isAnyLocalAddress()) return "localhost";
String cIP = uAddr.getHostAddress();
if (cIP.equals("0:0:0:0:0:0:0:1")) cIP = "localhost";
if (cIP.equals("127.0.0.1")) cIP = "localhost";
return cIP;
}
// class initializer
public serverCore(int port, int maxSessions, int timeout,
boolean termSleepingThreads, boolean blockAttack,
@ -299,19 +308,20 @@ public final class serverCore extends serverAbstractThread implements serverThre
announceThreadBlockApply();
Socket controlSocket = this.socket.accept();
announceThreadBlockRelease();
String clientIP = ""+controlSocket.getInetAddress().getHostAddress();
if (bfHost.get(clientIP) != null) {
log.logInfo("SLOWING DOWN ACCESS FOR BRUTE-FORCE PREVENTION FROM " + clientIP);
String cIP = clientAddress(controlSocket);
//System.out.println("server bfHosts=" + bfHost.toString());
if (bfHost.get(cIP) != null) {
log.logInfo("SLOWING DOWN ACCESS FOR BRUTE-FORCE PREVENTION FROM " + cIP);
// add a delay to make brute-force harder
try {Thread.currentThread().sleep(1000);} catch (InterruptedException e) {}
try {Thread.currentThread().sleep(3000);} catch (InterruptedException e) {}
}
if ((this.denyHost == null) || (this.denyHost.get(clientIP) == null)) {
if ((this.denyHost == null) || (this.denyHost.get(cIP) == null)) {
controlSocket.setSoTimeout(this.timeout);
Session connection = (Session) this.theSessionPool.borrowObject();
connection.execute(controlSocket);
//log.logDebug("* NEW SESSION: " + connection.request + " from " + clientIP);
} else {
System.out.println("ACCESS FROM " + clientIP + " DENIED");
System.out.println("ACCESS FROM " + cIP + " DENIED");
}
// idle until number of maximal threads is (again) reached
//synchronized(this) {

@ -340,13 +340,15 @@ public class yacySeedDB {
}
public void addDisconnected(yacySeed seed) {
if ((seed == null) || (!(seed.isProper()))) return;
//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
if (seed == null) return;
try {
nameLookupCache.remove(seed.getName());
seedPassiveDB.set(seed.hash, seed.getMap());
seedActiveDB.remove(seed.hash);
seedPotentialDB.remove(seed.hash);
} catch (Exception e) {}
//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
try {
seedPassiveDB.set(seed.hash, seed.getMap());
} catch (IOException e) {
System.out.println("ERROR add: seed.db corrupt (" + e.getMessage() + "); resetting seed.db");
e.printStackTrace();
@ -363,13 +365,16 @@ public class yacySeedDB {
}
public void addPotential(yacySeed seed) {
if ((seed == null) || (!(seed.isProper()))) return;
//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
if (seed == null) return;
try {
nameLookupCache.remove(seed.getName());
seedPotentialDB.set(seed.hash, seed.getMap());
seedActiveDB.remove(seed.hash);
seedPassiveDB.remove(seed.hash);
} catch (Exception e) {}
if (!(seed.isProper())) return;
//seed.put("LastSeen", yacyCore.shortFormatter.format(new Date(yacyCore.universalTime())));
try {
seedPotentialDB.set(seed.hash, seed.getMap());
} catch (IOException e) {
System.out.println("ERROR add: seed.db corrupt (" + e.getMessage() + "); resetting seed.db");
e.printStackTrace();

Loading…
Cancel
Save