Auto ban anonymous IP:

* New settings: "Ban anonymous user's IP when user is banned from a chatroom": * if enabled, every time a streamer bans an anonymous user, it will ban its IP on the chat server, * banned IPs are logged on disk, so server's admin can use them to feed fail2ban (for example), * option disabled by default, because could be used to create trapped-rooms on public servers
2023-09-22 18:17:54 +02:00 · 2023-09-22 18:17:54 +02:00 · d80cedfee5
commit d80cedfee5
parent 812eb89856
9 changed files with 176 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,10 @@
    * make it send pre-recorded messages every X minutes,
    * respond message to custom commands.
    * many other features will be available in future releases!
 * New settings: "Ban anonymous user's IP when user is banned from a chatroom":
  * if enabled, every time a streamer bans an anonymous user, it will ban its IP on the chat server,
  * banned IPs are logged on disk, so server's admin can use them to feed fail2ban (for example),
  * option disabled by default, because could be used to create trapped-rooms on public servers
 ### Minor changes and fixes
--- a/client/admin-plugin-client-plugin.ts
+++ b/client/admin-plugin-client-plugin.ts
@ -240,6 +240,8 @@ function register ({ registerHook, registerSettingsScript, peertubeHelpers }: Re
          return options.formValues['converse-theme'] !== 'peertube'
        case 'chat-per-live-video-warning':
          return !(options.formValues['chat-all-lives'] === true && options.formValues['chat-per-live-video'] === true)
        case 'auto-ban-anonymous-ip':
          return options.formValues['chat-no-anonymous'] !== false
      }
      return false
--- a/languages/en.yml
+++ b/languages/en.yml
@ -122,6 +122,13 @@ no_anonymous_description: |
  If you enabled it, it is highly recommended to also check "Don't publish chat information".
  Otherwise, some third party tools could try to open the chat, and have unpredictable behaviours.
 auto_ban_anonymous_ip_label: "Ban anonymous user's IP when user is banned from a chatroom"
 auto_ban_anonymous_ip_description: |
  By enabling this option, each time an anonymous user is banned from a chatroom, it's IP will also be banned from the chat server.
  Warning: if your instance is open to registration, any user could create a trapped-room, invite users to join, and automatically ban all anonymous user's IPs.
  The banned IP list is not stored, it will be cleared on server restart, or when you change some plugin's settings.
  The banned IP are logged in the Prosody server log files, so server's administrators can eventually use some external tools (like fail2ban) to ban IPs more widely.
 theming_advanced_description: "<h3>Theming</h3>"
 converse_theme_label: "ConverseJS theme"
--- a/prosody-modules/mod_muc_ban_ip/README.markdown
+++ b/prosody-modules/mod_muc_ban_ip/README.markdown
@ -0,0 +1,63 @@
 ---
 labels:
 - 'Stage-Alpha'
 summary: Ban users from chatrooms by their IP address
 ...
 Note: this is a slightly modified version: the log level for IP bans is
 set to info, instead of debug.
 So we can use external tools (fail2ban for example) to block IPs more widely.
 Introduction
 ============
 One frequent complaint about XMPP chatrooms (MUCs) compared to IRC is
 the inability for a room admin to ban a user based on their IP address.
 This is because an XMPP user is not identified on the network by their
 IP address, only their JID.
 This means that it is possible to create a new account (usually quite
 easily), and rejoin the room that you were banned from.
 This module allows the **user's** server to enforce bans by IP address,
 which is very desirable for server admins who want to prevent their
 server being used for spamming and abusive behaviour.
 Details
 =======
 An important point to note is that this module enforces the IP ban on
 the banned user's server, not on the MUC server. This means that:
 -   The user's server MUST have this module loaded, however -
 -   The module works even when the MUC is on a different server to the
    user
 -   The MUC server does not need this module (it only needs to support
    the [standard ban
    protocol](http://xmpp.org/extensions/xep-0045.html#ban))
 -   The module works for effectively banning [anonymous
    users](http://prosody.im/doc/anonymous_logins)
 Also note that IP bans are not saved permanently, and are reset upon a
 server restart.
 Configuration
 =============
 There is no extra configuration for this module except for loading it.
 Remember... do not load it on the MUC host, simply add it to your global
 `modules_enabled` list, or under a specific host like:
 ``` lua
 VirtualHost "anon.example.com"
  authentication = "anonymous"
  modules_enabled = { "muc_ban_ip" }
 ```
 Compatibility
 =============
  ----- --------------
  0.9   Works
  0.8   Doesn't work
  ----- --------------
--- a/prosody-modules/mod_muc_ban_ip/mod_muc_ban_ip.lua
+++ b/prosody-modules/mod_muc_ban_ip/mod_muc_ban_ip.lua
@ -0,0 +1,80 @@
 module:set_global();
 local jid_bare, jid_host = require "util.jid".bare, require "util.jid".host;
 local st = require "util.stanza";
 local xmlns_muc_user = "http://jabber.org/protocol/muc#user";
 local trusted_services = module:get_option_inherited_set("muc_ban_ip_trusted_services", {});
 local trust_local_restricted_services = module:get_option_boolean("muc_ban_ip_trust_local_restricted_services", true);
 local ip_bans = module:shared("bans");
 local full_sessions = prosody.full_sessions;
 local function is_local_restricted_service(host)
 	local muc_service = prosody.hosts[host] and prosody.hosts[host].modules.muc;
 	if muc_service and module:context(host):get_option("restrict_room_creation") ~= nil then -- COMPAT: May need updating post-0.12
 		return true;
 	end
 	return false;
 end
 local function ban_ip(session, from)
 	local ip = session.ip;
 	if not ip then
 		module:log("warn", "Failed to ban IP (IP unknown) for %s", session.full_jid);
 		return;
 	end
 	local from_host = jid_host(from);
 	if trusted_services:contains(from_host) or (trust_local_restricted_services and is_local_restricted_service(from_host)) then
 		from = from_host; -- Ban from entire host
 	end
 	local banned_from = ip_bans[ip];
 	if not banned_from then
 		banned_from = {};
 		ip_bans[ip] = banned_from;
 	end
 	banned_from[from] = true;
 	-- Specific to peertube-plugin-livechat: log level=info.
 	module:log("info", "Added ban for IP address %s from %s", ip, from);
 end
 local function check_for_incoming_ban(event)
 	local stanza = event.stanza;
 	local to_session = full_sessions[stanza.attr.to];
 	if to_session then
 		local directed = to_session.directed;
 		local from = stanza.attr.from;
 		if directed and directed[from] and stanza.attr.type == "unavailable" then
 			-- This is a stanza from somewhere we sent directed presence to (may be a MUC)
 			local x = stanza:get_child("x", xmlns_muc_user);
 			if x then
 				for status in x:childtags("status") do
 					if status.attr.code == '301' then
 						ban_ip(to_session, jid_bare(from));
 					end
 				end
 			end
 		end
 	end
 end
 local function check_for_ban(event)
 	local origin, stanza = event.origin, event.stanza;
 	local ip = origin.ip;
 	local to, to_host = jid_bare(stanza.attr.to), jid_host(stanza.attr.to);
 	if ip_bans[ip] and (ip_bans[ip][to] or ip_bans[ip][to_host]) then
 		(origin.log or module._log)("debug", "IP banned: %s is banned from %s", ip, to)
 		if stanza.attr.type ~= "error" then
 			origin.send(st.error_reply(stanza, "auth", "forbidden")
 				:tag("x", { xmlns = xmlns_muc_user })
 					:tag("status", { code = '301' }));
 		end
 		return true;
 	end
 	(origin.log or module._log)("debug", "IP not banned: %s from %s", ip, to)
 end
 function module.add_host(module)
 	module:hook("presence/full", check_for_incoming_ban, 100);
 	module:hook("pre-presence/full", check_for_ban, 100);
 end
--- a/server/lib/prosody/config.ts
+++ b/server/lib/prosody/config.ts
@ -152,6 +152,7 @@ async function getProsodyConfig (options: RegisterServerOptionsV5): Promise<Pros
    'prosody-components-interfaces',
    'prosody-components-list',
    'chat-no-anonymous',
    'auto-ban-anonymous-ip',
    'federation-dont-publish-remotely',
    'disable-channel-configuration'
  ])
@ -163,6 +164,7 @@ async function getProsodyConfig (options: RegisterServerOptionsV5): Promise<Pros
  }
  const logByDefault = (settings['prosody-muc-log-by-default'] as boolean) ?? true
  const disableAnon = (settings['chat-no-anonymous'] as boolean) || false
  const autoBanIP = (settings['auto-ban-anonymous-ip'] as boolean) || false
  const logExpirationSetting = (settings['prosody-muc-expiration'] as string) ?? DEFAULTLOGEXPIRATION
  const enableC2S = (settings['prosody-c2s'] as boolean) || false
  // enableRoomS2S: room can be joined from remote XMPP servers (Peertube or not)
@ -224,7 +226,7 @@ async function getProsodyConfig (options: RegisterServerOptionsV5): Promise<Pros
  const config = new ProsodyConfigContent(paths, prosodyDomain)
  if (!disableAnon) {
-    config.useAnonymous()
+    config.useAnonymous(autoBanIP)
  }
  config.useHttpAuthentication(authApiUrl)
  const useWS = !!options.registerWebSocketRoute // this comes with Peertube >=5.0.0, and is a prerequisite to websocket
--- a/server/lib/prosody/config/content.ts
+++ b/server/lib/prosody/config/content.ts
@ -207,10 +207,13 @@ class ProsodyConfigContent {
    this.muc.set('muc_room_default_history_length', 20)
  }
-  useAnonymous (): void {
+  useAnonymous (autoBanIP: boolean): void {
    this.anon = new ProsodyConfigVirtualHost('anon.' + this.prosodyDomain)
    this.anon.set('authentication', 'anonymous')
    this.anon.set('modules_enabled', ['ping'])
    if (autoBanIP) {
      this.anon.add('modules_enabled', 'muc_ban_ip')
    }
  }
  useHttpAuthentication (url: string): void {
--- a/server/lib/settings.ts
+++ b/server/lib/settings.ts
@ -83,7 +83,7 @@ Please read
    private: true
  })
-  // ********** Moderation and advances customization
+  // ********** Advanced channel customization
  registerSetting({
    type: 'html',
    private: true,
@ -197,6 +197,14 @@ Please read
    descriptionHTML: loc('no_anonymous_description'),
    private: false
  })
  registerSetting({
    name: 'auto-ban-anonymous-ip',
    label: loc('auto_ban_anonymous_ip_label'),
    type: 'input-checkbox',
    default: false,
    descriptionHTML: loc('auto_ban_anonymous_ip_description'),
    private: true
  })
  // ********** Theming
  registerSetting({
--- a/support/documentation/content/en/documentation/admin/settings.md
+++ b/support/documentation/content/en/documentation/admin/settings.md
@ -82,6 +82,10 @@ Note: for now this feature simply hide the chat.
 In a future release, the chat will be replaced by a message saying «please log in to [...]».
 See [v5.7.0 Release Notes](https://github.com/JohnXLivingston/peertube-plugin-livechat/blob/main/CHANGELOG.md#570) for more information.
 ### {{% livechat_label auto_ban_anonymous_ip_label %}}
 {{% livechat_label auto_ban_anonymous_ip_description %}}
 ## Theming
 ### {{% livechat_label converse_theme_label %}}