equalitie / banjax
Apache Traffic Server Plugin performing various anti-DDoS measures
License: GNU Affero General Public License v3.0
Address Sanitizer (ASAN) and Valgrind are useful tools to detect memory corruption bugs in C and C++ software. ASAN is ~2x slower than the normal execution. It may be reasonable to run Banjax in production with ASAN enabled to give us some defense-in-depth.
https://github.com/google/sanitizers/wiki/AddressSanitizer
http://valgrind.org/
Setting the following rule:
- rule: mywebsite_dos_no_ua
  regex: '^GET\ .*mywebsite\.org\ $'
  interval: 1
  hits_per_interval: 0
is never matched, even though traffic.out reports this:
Examining GET http:/// mywebsite.org for banned matches
Notice the double space in the log message, indicating a blank user-agent. According to the source, putting a final whitespace and $ should match an empty UA. But the rule never gets matched.
The ability to set a banjax auth page of /wp-admin/ is nice but very broad. It would be very good if we could set /wp-admin/ to use auth but then also exclude /wp-admin/publicthing from auth protection. Not sure how feasible this is internally.
Banjax doesn't log when configuration files are invalid, it just silently fails. Banjax should log when it's successfully loaded, how many rules it has loaded (for example - it could be another metric to indicate that it has successfully loaded the configuration file) and indicate when it has failed to load a log file and, if possible, why and where in the configuration file it has failed.
where is the source code
Hi everybody,
I have an Apache Traffic Server, and now I want to use banjax on it. ATS has been installed on my server (ATS v 8.0.8). I installed banjax based on the guide on GitHub. When I installed it from the .so file all the tests passed and there was no error, but there is no banjax.so file. And when I installed it from source there is an error; how can I fix it?
OS : Centos
ATS version : 8.0.8
Error :
[ 19%] Building CXX object CMakeFiles/banjax_static.dir/src/banjax.cpp.o
/opt/banjax/src/banjax.cpp:13:10: fatal error: ts/ts.h: No such file or directory
#include <ts/ts.h>
^~~~~~~~~
compilation terminated.
make[2]: *** [CMakeFiles/banjax_static.dir/src/banjax.cpp.o] Error 1
make[1]: *** [CMakeFiles/banjax_static.dir/all] Error 2
make: *** [all] Error 2
When ATS receives an ERR_CONNECT_FAIL from the origin server, Banjax does not return a 400 or 500 error, it simply hangs leaving the user with an unterminated connection. On a really bad day this could increase server load, but it at the very least leaves users annoyed and blaming Deflect because the spinning logo may stick around instead of loading a blank page (which also happens in some browsers).
This is to allow for semi-whitelisting of proxies and so on - rules will still stop dangerous accesses and so on (say ban POSTs to a particular host for example) but not block them via swabber (so we don't ban Tor for example).
The browser solves the sha_inv challenge and returns the result, but banjax bans the IP anyway, as it can't set a cookie. The user receives a 504 error and cannot access the website.
Detect whether cookies are enabled, and if they are not but the browser solves the sha_inv successfully, inform the user that cookies are required instead of banning them (at least the first time).
We currently need to restart Banjax in order for new rules to take effect - is there a way that Banjax could add a handler for reloading the config? I'd like to think that ATS implements a way of plugins being notified of a traffic_line -x.
Currently Banjax Auth send this cookie which has an invalid expiry time: "Set-Cookie: deflect=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly". The presence of this specific time makes me think that the expiry is not being set within Banjax itself at all, and so is being automatically populated.
Simple PCRE ones, so that we can say "^/mysecretpage" and so that we can avoid matching "news/story-about-mysecretpage".
Make the ban_ip_list.log path configurable.
We received an email from a client who thought Challenger was a broken captcha when in fact they needed to submit the password they set through Dashboard. Why do we have no copy on this page to explain what users need to do?
If it's to stop robots from figuring out it's a password field, and attempting to brute-force it, are we sure:
I think we should include text on this page to remind users what they need to do. The current page is pretty bad UX and worse for accessibility.
The sha_inverse challenge is very efficient against bots but may block some legitimate traffic too (e.g. simple RSS readers and text-based browsers).
In some cases, only a specific path is attacked by bots: to avoid impacting legitimate users on other paths when setting up the challenge, it would be great to be able to restrict this challenge to a specific path.
To be more specific, a recent attack was carried out by a botnet comprising ~1400 IP addresses, all of them requesting the exact same path on the attacked website.
libconfig isn't very well supported (no good python lib, messy perl lib deps) and is a bit too formless for my taste. I'd like to replace it with YAML, INI or JSON. Anything really.
Until we upgrade across the Deflect network, banjax must be buildable on Debian 7. At the moment building Banjax fails with this error:
libtool: Version mismatch error. This is libtool 2.4.6, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6
libtool: and run autoconf again.
traffic.out is written to by ATS (not by any plugins) so you can't do it directly. But you can log the value of some http header to traffic.out and write to that header from a plugin.
copy/pasting from mattermost:
ok, re: adding a banjax-set field to the trafficserver-written deflect.log:
deflect_log = format {
Format = '%<chi> %<caun> [%<cqtn>] \"%<cqhm> /%<cqup> %<cqhv>\" %<cqus> %<{Host}cqh> %<pssc> %<pscl> \"%<{User-Agent}cqh>\" %<crc> %<psct> %<pqsn> %<ttms> %<cquc> \"%<{Referer}cqh>\" \"%<{X-Forwarded-For}cqh>\"'
}
%<{X-Forwarded-For}cqh> gets the X-Forwarded-For header from the client's request.
according to https://docs.trafficserver.apache.org/en/latest/admin-guide/logging/formatting.en.html?#admin-logging-fields-headers
you can get a header from ATS's response to the client with %<{X-Some-Banjax-Header}psh>.
are we ok with returning a X-Some-Banjax-Header: banned
header to clients when they get banned? (we can omit it for non-banned requests). what about encoding the reason for banning?
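As an added example (not code from the Banjax project or the thread above), here is a small parser for the deflect_log format quoted in that message, with the proposed `%<{X-Some-Banjax-Header}psh>` field appended as a last quoted column; it picks out the requests where Banjax set the header, so a defender can count bans per host or path from the ATS log. The log lines are constructed, and it assumes ATS writes `-` for an absent header.

```python
import re

# The deflect_log format from the thread, plus the proposed Banjax response
# header appended as a final quoted field (assumption: it is appended last).
DEFLECT_FORMAT = (
    '%<chi> %<caun> [%<cqtn>] "%<cqhm> /%<cqup> %<cqhv>" %<cqus> %<{Host}cqh> '
    '%<pssc> %<pscl> "%<{User-Agent}cqh>" %<crc> %<psct> %<pqsn> %<ttms> %<cquc> '
    '"%<{Referer}cqh>" "%<{X-Forwarded-For}cqh>" "%<{X-Some-Banjax-Header}psh>"'
)

# One ATS field token: %<code> or %<{Header-Name}code>
FIELD_RE = re.compile(r'%<(?:\{([^}]+)\})?([a-z]+)>')


def format_to_regex(fmt):
    """Turn an ATS log format string into an anchored regex with one named
    group per field. Each field is matched non-greedily and delimited by the
    literal text (spaces, quotes, brackets) that follows it in the format."""
    pattern, pos = '', 0
    for m in FIELD_RE.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])
        header, code = m.group(1), m.group(2)
        name = (header.replace('-', '_') + '_' + code) if header else code
        pattern += '(?P<%s>.*?)' % name
        pos = m.end()
    pattern += re.escape(fmt[pos:])
    return re.compile('^' + pattern + '$')


def parse_line(line, fmt=DEFLECT_FORMAT):
    """Return a dict of field name -> value, or None if the line does not match."""
    m = format_to_regex(fmt).match(line)
    return m.groupdict() if m else None


def banned_requests(lines):
    """Return (client_ip, host, path, marker) for each line where Banjax set
    the header; ATS logs '-' when the header is absent (assumption)."""
    out = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # malformed or truncated line: skip rather than crash
        marker = f['X_Some_Banjax_Header_psh']
        if marker != '-':
            out.append((f['chi'], f['Host_cqh'], '/' + f['cqup'], marker))
    return out


# Constructed sample lines in the format above (not real Deflect traffic).
LOG_LINES = [
    '203.0.113.10 - [15/Mar/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 '
    'example.org 200 512 "Mozilla/5.0 (X11; Linux)" TCP_MISS text/html example.org '
    '12 http://example.org/index.html "-" "-" "-"',
    '198.51.100.7 - [15/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 '
    'example.org 403 0 "-" TCP_MISS text/html example.org 1 '
    'http://example.org/wp-login.php "-" "10.0.0.5" "banned"',
]
```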
While bcrypt should be used primarily, support for sha-style hashes should be kept in order to allow migrations.
The new config should allow the specification of both auth and challenge for the same host but is not functioning correctly. The regex banner should also function in the same configuration.
Last week, I saw this assert trigger sometimes in ChallengeManager::base64_decode()
https://github.com/equalitie/banjax/blob/oschaaf-sanitize/src/challenge_manager.cpp#L450
@vmon
Was that known? Is it fixed?
The pull I just made moves this code, but it remains identical AFAICT.
I just want to make sure that I'm not overlooking a minor fix here, and re-introduce the assert.
check from the beginning at ATSEventHandler::handle_txn_start and don't hook up to hooks that don't have any filter to be hooked to, instead of checking every time in the handler switch
Much as I like the terse format we're currently using in the ban list log file, it'd be nice to have more details. Preferably at least the Host that the attacker is requesting