
banjax's People

Contributors

graphiclunarkid, inetic, jnny, joelanders, kheops2713, markmangoba, nosmo, oschaaf, ramjett, vmon, willdoran


banjax's Issues

Unable to match empty user-agent in regex banning rules

Setting the following rule:

- rule: mywebsite_dos_no_ua
  regex: '^GET\ .*mywebsite\.org\ $'
  interval: 1
  hits_per_interval: 0

is never matched, even though traffic.out reports this:

Examining GET http:/// mywebsite.org  for banned matches

Notice the double space in the log message, indicating a blank user-agent. According to the source, putting a final whitespace and $ should match an empty UA. But the rule never gets matched.
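One way to check the rule itself, separately from banjax: the Python model below is an added example (not banjax's code) of a sliding-window regex banner driven by rules in the shape of the YAML above. It builds the examined string as "method url user-agent" joined by single spaces, which is an assumption made here to reproduce the trailing space seen in the traffic.out line; the second rule and the meaning given to hits_per_interval (matches tolerated per interval, 0 meaning ban on the first match) are likewise assumptions added for illustration. Under Python's re, the regex from the issue does match a string that ends in one space.

```python
import re
import time
from collections import defaultdict, deque

# Constructed rule set: the first rule is the one from the issue, the second is an
# extra rule added here to show the per-interval counting (neither is banjax's code).
RULES = [
    {"rule": "mywebsite_dos_no_ua",
     "regex": r"^GET\ .*mywebsite\.org\ $",
     "interval": 1,
     "hits_per_interval": 0},
    {"rule": "mywebsite_login_flood",
     "regex": r"^POST\ .*wp-login\.php",
     "interval": 10,
     "hits_per_interval": 2},
]


def request_string(method, url, user_agent):
    # ASSUMPTION: the examined string is "<method> <url> <user-agent>" joined by
    # single spaces, so an empty User-Agent leaves a trailing space (the double
    # space visible in the traffic.out line quoted in the issue).
    return f"{method} {url} {user_agent}"


class RegexBanner:
    """Sliding-window regex banner; `clock` is injectable so runs are deterministic."""

    def __init__(self, rules, clock=time.monotonic):
        self.rules = [
            (r["rule"], re.compile(r["regex"]), r["interval"], r["hits_per_interval"])
            for r in rules
        ]
        self.hits = defaultdict(deque)  # (rule name, client ip) -> match timestamps
        self.clock = clock

    def check(self, client_ip, examined):
        """Return the name of the first rule that bans this request, else None."""
        now = self.clock()
        for name, rx, interval, limit in self.rules:
            if rx.search(examined) is None:
                continue
            window = self.hits[(name, client_ip)]
            window.append(now)
            # Drop matches older than the rule's interval (seconds).
            while window and now - window[0] > interval:
                window.popleft()
            # ASSUMPTION: hits_per_interval is the number of matches tolerated per
            # interval, so 0 means the very first match is already a ban.
            if len(window) > limit:
                return name
        return None


if __name__ == "__main__":
    banner = RegexBanner(RULES)
    no_ua = request_string("GET", "http://mywebsite.org", "")
    print(repr(no_ua), "->", banner.check("203.0.113.7", no_ua))
```

Two caveats when using this as a check: Python's `$` also matches just before a trailing newline, so a request string carrying `\r` or `\n` would behave differently from one ending in a bare space, and the per-IP windows here are never expired, so a production version needs to evict idle keys.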

Greater flexibility in Banjax auth page configuration

The ability to set a banjax auth page of /wp-admin/ is nice but very broad. It would be very good if we could set /wp-admin/ to use auth but then also exclude /wp-admin/publicthing from auth protection. Not sure how feasible this is internally.

Banjax should log or otherwise warn when it is failing to load

Banjax doesn't log when configuration files are invalid, it just silently fails. Banjax should log when it's successfully loaded, how many rules it has loaded (for example - it could be another metric to indicate that it has successfully loaded the configuration file) and indicate when it has failed to load a log file and, if possible, why and where in the configuration file it has failed.

Banjax Installation on Centos

Hi everybody,
I have an Apache Traffic Server and now I want to use banjax on it. ATS has been installed on my server (ATS v8.0.8). I installed banjax based on the guide on GitHub. When I installed it from the .so file all the tests passed and there was no error, but there is no banjax.so file. And when I installed it from source there is an error; how can I fix it?
OS: CentOS
ATS version: 8.0.8
Error:
[ 19%] Building CXX object CMakeFiles/banjax_static.dir/src/banjax.cpp.o
/opt/banjax/src/banjax.cpp:13:10: fatal error: ts/ts.h: No such file or directory
#include <ts/ts.h>
^~~~~~~~~
compilation terminated.
make[2]: *** [CMakeFiles/banjax_static.dir/src/banjax.cpp.o] Error 1
make[1]: *** [CMakeFiles/banjax_static.dir/all] Error 2
make: *** [all] Error 2
ts error

Banjax should pass an error to the user when origin is down

When ATS receives an ERR_CONNECT_FAIL from the origin server, Banjax does not return a 400 or 500 error, it simply hangs leaving the user with an unterminated connection. On a really bad day this could increase server load, but it at the very least leaves users annoyed and blaming Deflect because the spinning logo may stick around instead of loading a blank page (which also happens in some browsers).

Challenger should warn, not ban, humans browsing with cookies disabled

Reproduction steps

  1. Enable sha_inv challenge for a website.
  2. Prevent that website from setting cookies by disabling them in browser (e.g. CSLite plugin).
  3. Visit the website.

Current behaviour

The browser solves the sha_inv challenge and returns the result, but banjax bans the IP anyway, as it can't set a cookie. The user receives a 504 error and cannot access the website.

Proposal

Detect whether cookies are enabled, and if they are not but the browser solves the sha_inv successfully, inform the user that cookies are required instead of banning them (at least the first time).

Reloading of configs?

We currently need to restart Banjax in order for new rules to take effect - is there a way that Banjax could add a handler for reloading the config? I'd like to think that ATS implements a way of plugins being notified of a traffic_line -x.

Banjax Auth page sets an invalid cookie

Currently Banjax Auth sends this cookie, which has an invalid expiry time: "Set-Cookie: deflect=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly". The presence of this specific time makes me think that the expiry is not being set within Banjax itself at all, and so is being automatically populated.

Explain to users what Challenger is asking for

We received an email from a client who thought Challenger was a broken captcha when in fact they needed to submit the password they set through Dashboard. Why do we have no copy on this page to explain what users need to do?

[screenshot of the Challenger page, 2016-02-13]

If it's to stop robots from figuring out it's a password field, and attempting to brute-force it, are we sure:

  • that's a real problem? (Where's our evidence?)
  • it's more serious than users being confused (which is a real problem)?
  • there isn't a better solution, such as gradually-increasing retry delays, banning IPs that retry too often, etc?

I think we should include text on this page to remind users what they need to do. The current page is pretty bad UX and worse for accessibility.

Make it possible to have a magic_word for sha_inverse challenge

The sha_inverse challenge is very efficient against bots but may block some legitimate traffic too (e.g. simple RSS readers and text-based browsers).

In some cases, only a specific path is attacked by bots: to avoid impacting legitimate users on other paths when setting up the challenge, it would be great to be able to restrict this challenge to a specific path.

To be more specific, a recent attack was carried out by a botnet comprising ~1400 IP addresses, all of them requesting the exact same path on the attacked website.

Replace libconfig with something better

libconfig isn't very well supported (no good python lib, messy perl lib deps) and is a bit too formless for my taste. I'd like to replace it with YAML, INI or JSON. Anything really.

Banjax cannot be built on Debian 7

Until we upgrade across the Deflect network, banjax must be buildable on Debian 7. At the moment building Banjax fails with this error:

libtool: Version mismatch error.  This is libtool 2.4.6, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6
libtool: and run autoconf again.

report bans to traffic.out

traffic.out is written to by ATS (not by any plugins), so you can't do it directly. But you can log the value of some HTTP header to traffic.out and write to that header from a plugin.

copy/pasting from mattermost:

OK, re: adding a banjax-set field to the trafficserver-written deflect.log:

  • Patching trafficserver: looks like a bit of work.
  • Adding some UUID to each document in deflect.log and banjax.log and doing a join somewhere in the ELK stack: doesn't seem possible in Elasticsearch or Kibana.
  • Easiest solution: the would-be-nice thing I mentioned was some kind of key-value store you could assign to in banjax and then retrieve from in the ATS logging config. Turns out there's this thing called HTTP headers which is such a store.
    Our current deflect.log config looks like:
deflect_log = format {
  Format = '%<chi> %<caun> [%<cqtn>] \"%<cqhm> /%<cqup> %<cqhv>\" %<cqus> %<{Host}cqh> %<pssc> %<pscl> \"%<{User-Agent}cqh>\" %<crc> %<psct> %<pqsn> %<ttms> %<cquc> \"%<{Referer}cqh>\" \"%<{X-Forwarded-For}cqh>\"'
}

%<{X-Forwarded-For}cqh> gets the X-Forwarded-For header from the client's request.
According to https://docs.trafficserver.apache.org/en/latest/admin-guide/logging/formatting.en.html?#admin-logging-fields-headers
you can get a header from ATS's response to the client with %<{X-Some-Banjax-Header}psh>.
Are we OK with returning an X-Some-Banjax-Header: banned header to clients when they get banned? (We can omit it for non-banned requests.) What about encoding the reason for banning?
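As an added example of the consumer side of that idea (not banjax's or Deflect's code): the Python below takes the deflect.log format quoted above with one extra field appended, the banjax-set response header read back through psh, derives the column names from the format string itself, and tallies banned requests per client IP and reason. The header name is the placeholder used in the discussion, its position at the end of the line and the "banned; rule=..." value are assumptions made here, and the sample log lines are constructed, not real traffic. An unset header is logged by ATS as a dash.

```python
import re
from collections import Counter

# The page's deflect.log format with one extra field appended: the response header
# banjax would set, read back with psh. Header name (from the discussion) and its
# position at the end of the line are assumptions of this example.
LOG_FORMAT = (
    '%<chi> %<caun> [%<cqtn>] "%<cqhm> /%<cqup> %<cqhv>" %<cqus> %<{Host}cqh> '
    '%<pssc> %<pscl> "%<{User-Agent}cqh>" %<crc> %<psct> %<pqsn> %<ttms> %<cquc> '
    '"%<{Referer}cqh>" "%<{X-Forwarded-For}cqh>" "%<{X-Some-Banjax-Header}psh>"'
)

# Matches one %<...> field: optional {Header} qualifier plus the field code.
FIELD_RE = re.compile(r"%<(?:\{([^}]+)\})?([A-Za-z]+)>")

# Constructed sample lines in the format above (not real Deflect traffic). The banjax
# header value "banned; rule=..." is an assumed encoding; "-" means the header was absent.
SAMPLE_LOG = [
    '203.0.113.7 - [13/Feb/2016:19:56:03 +0000] "GET /wp-login.php HTTP/1.1" http mywebsite.org '
    '403 512 "curl/7.68.0" TCP_MISS text/html mywebsite.org 12 http://mywebsite.org/wp-login.php '
    '"-" "-" "banned; rule=wp_login_flood"',
    '198.51.100.2 - [13/Feb/2016:19:56:04 +0000] "GET /index.html HTTP/1.1" http mywebsite.org '
    '200 8192 "Mozilla/5.0" TCP_HIT text/html mywebsite.org 3 http://mywebsite.org/index.html '
    '"-" "-" "-"',
    '203.0.113.7 - [13/Feb/2016:19:56:05 +0000] "POST /wp-login.php HTTP/1.1" http mywebsite.org '
    '403 512 "curl/7.68.0" TCP_MISS text/html mywebsite.org 11 http://mywebsite.org/wp-login.php '
    '"-" "-" "banned; rule=wp_login_flood"',
]


def tokenize(line):
    """Split one log line on spaces, keeping "quoted" and [bracketed] fields whole."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch == " ":
            i += 1
        elif ch in '"[':
            close = '"' if ch == '"' else "]"
            j = line.index(close, i + 1)  # ValueError on an unterminated field
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def field_names(fmt):
    """Derive column names from the format: {Header}code -> Header, plain code -> code."""
    names = []
    for tok in tokenize(fmt):
        found = FIELD_RE.findall(tok)
        if len(found) == 1:
            header, code = found[0]
            names.append(header or code)
        else:
            names.append("request")  # the quoted "method /path version" field
    return names


FIELDS = field_names(LOG_FORMAT)


def parse_line(line):
    """Map one log line onto the column names; reject lines with the wrong field count."""
    tokens = tokenize(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(FIELDS, tokens))


def ban_summary(lines):
    """Count banned requests per (client IP, banjax header value)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        action = rec["X-Some-Banjax-Header"]
        if action.startswith("banned"):
            counts[(rec["chi"], action)] += 1
    return counts


if __name__ == "__main__":
    for (ip, reason), n in ban_summary(SAMPLE_LOG).items():
        print(n, ip, reason)
```

One caveat for anything built on this: the User-Agent and Referer columns are attacker-controlled, and if ATS writes them verbatim, a value containing a double quote will shift every later column, including the banjax one. Rejecting lines with the wrong field count (as parse_line does) is the minimum; restricting the banjax header to a fixed vocabulary of values, rather than free text, makes the field easier to trust.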

Banjax new config failing

The new config should allow the specification of both auth and challenge for the same host but is not functioning correctly. The regex banner should also function in the same configuration.

Don't hook up to filterless hook

Check from the beginning at ATSEventHandler::handle_txn_start and don't hook up to hooks that don't have any filter to be hooked to, instead of checking every time in the handler switch.
