From 8189ca025640e565fac4e96dd85f231fddae28d3 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Wed, 13 Oct 2021 17:15:26 -0700
Subject: [PATCH] Added exclusion to MaxInvalidLogin. #3192

---
 meshcentral-config-schema.json | 8 +++++---
 webserver.js | 9 +++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 8cd4994d..d5174133 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -228,10 +228,12 @@
 "maxInvalidLogin": {
 "type": "object",
 "additionalProperties": false,
+ "description": "This section described a policy for how many times an IP address is allowed to attempt to login incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.",
 "properties": {
- "time": { "type": "integer" },
- "count": { "type": "integer" },
- "coolofftime": { "type": "integer" }
+ "exclude": { "type": "string", "default": null, "description": "Ranges of IP addresses that are not subject to invalid login limitations. For example: 192.168.1.0/24,172.16.0.1"},
+ "time": { "type": "integer", "default": 10, "description": "Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address." },
+ "count": { "type": "integer", "default": 10, "description": "Maximum number of invalid login attempts from an IP address in the time period." },
+ "coolofftime": { "type": "integer", "default": null, "description": "Additional time in minute that login attempts will be denied once the invalid login limit is reached." }
 }
 },
 "amtProvisioningServer": {
diff --git a/webserver.js b/webserver.js
index dbd654bc..1353e6a1 100644
--- a/webserver.js
+++ b/webserver.js
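Review bot: The new `exclude` property is declared as `"type": "string"` only, while the webserver.js hunk in this same patch also accepts an array of ranges via `Array.isArray(...)`; a validator enforcing this schema would reject the array form the code supports, so `"type": ["string", "array"]` with `"items": { "type": "string" }` would keep schema and code consistent. The `"default": null` on a string-typed (and on the integer-typed `coolofftime`) property is likewise at odds with the declared type and is worth either dropping or pairing with `"null"` in the type list. The description strings also carry typos; I would reword them to `This section describes a policy for how many times an IP address is allowed to attempt to login incorrectly.`, `Time in minutes over which a maximum number of invalid login attempts is allowed from an IP address.` and `Additional time in minutes that login attempts will be denied once the invalid login limit is reached.`.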
@@ -7665,6 +7665,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.setbadLogin = function (ip) { // Set an IP address that just did a bad login request
 if (parent.config.settings.maxinvalidlogin === false) return;
 if (typeof ip == 'object') { ip = ip.clientIp; }
+ if (parent.config.settings.maxinvalidlogin != null) {
+ if (typeof parent.config.settings.maxinvalidlogin.exclude == 'string') {
+ const excludeSplit = parent.config.settings.maxinvalidlogin.exclude.split(',');
+ for (var i in excludeSplit) { if (require('ipcheck').match(ip, excludeSplit[i])) return; }
+ } else if (Array.isArray(parent.config.settings.maxinvalidlogin.exclude)) {
+ for (var i in parent.config.settings.maxinvalidlogin.exclude) { if (require('ipcheck').match(ip, parent.config.settings.maxinvalidlogin.exclude[i])) return; }
+ }
+ return;
+ }
 var splitip = ip.split('.');
 if (splitip.length == 4) { ip = (splitip[0] + '.' + splitip[1] + '.' + splitip[2] + '.*'); }
 if (++obj.badLoginTableLastClean > 100) { obj.cleanBadLoginTable(); }
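Review bot: The bare `return;` that closes the new `if (parent.config.settings.maxinvalidlogin != null)` block runs whether or not any exclusion matched, so every deployment that configures maxInvalidLogin as an object now leaves setbadLogin before the bookkeeping that starts at `var splitip = ip.split('.');`, and the invalid-login limit is silently disabled for exactly the installs that tuned it. Only the two matching branches should return early; delete that `return;` line so non-excluded addresses fall through to the existing logic. The string form should also tolerate whitespace around the separator unless ipcheck trims its input, e.g. `const excludeSplit = parent.config.settings.maxinvalidlogin.exclude.split(',').map(function (s) { return s.trim(); });`, since a value written as `192.168.1.0/24, 172.16.0.1` would otherwise never match its second entry. Both loops use `for (var i in …)` over an array and redeclare `var i` in the same function; a `for...of` loop or `Array.prototype.some` is the idiomatic form and avoids picking up inherited enumerable keys. setbadLogin's body continues past the end of the hunk.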