From 660388889a8378916ff484dee9a6c2dbd94a2e19 Mon Sep 17 00:00:00 2001
From: crn4
Date: Thu, 19 Jun 2025 19:40:17 +0200
Subject: [PATCH] removed macs from hash, added 3 attempts for the same keys
---
 management/server/loginfilter.go | 33 ++++++++++++-------------
 management/server/loginfilter_test.go | 35 ++++++++-------------------
 2 files changed, 25 insertions(+), 43 deletions(-)
diff --git a/management/server/loginfilter.go b/management/server/loginfilter.go
index da7656c09..6c6d369c8 100644
--- a/management/server/loginfilter.go
+++ b/management/server/loginfilter.go
@@ -11,16 +11,18 @@ import (
 const (
 filterTimeout = 5 * time.Minute // Duration to secure the previous login information in the filter
- reconnThreshold = 5 * time.Minute
- blockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
- reconnLimitForBan = 30 // Number of reconnections within the reconnTreshold that triggers a ban
+ reconnThreshold = 5 * time.Minute
+ blockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
+ reconnLimitForBan = 30 // Number of reconnections within the reconnTreshold that triggers a ban
+ differentMetaReconnects = 3 // Number of reconnections with different metadata that triggers a ban of one peer
 )
 type config struct {
- filterTimeout time.Duration
- reconnThreshold time.Duration
- blockDuration time.Duration
- reconnLimitForBan int
+ filterTimeout time.Duration
+ reconnThreshold time.Duration
+ blockDuration time.Duration
+ reconnLimitForBan int
+ differentMetaReconnects int
 }
 type loginFilter struct {
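Review bot: The comment on the new `differentMetaReconnects` constant says it is the number of reconnections with different metadata that "triggers a ban", but in `allowLogin` (the @@ -86 hunk) the value is compared against `mh.counter` and the outcome is one rejected login, not the `banned` flag. The test hunk fills that counter with `addLogin` calls that all carry the same hash, so it appears to count logins for the key rather than metadata changes; `addLogin` is outside this diff, so that is inferred. A comment that matches the check would be `// Logins recorded for a key (mh.counter) above which a login with a different metadata hash is rejected`. The re-indented `reconnLimitForBan` comment also still spells `reconnTreshold`.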
@@ -39,10 +41,11 @@ type metahash struct {
 func initCfg() *config {
 return &config{
- filterTimeout: filterTimeout,
- reconnThreshold: reconnThreshold,
- blockDuration: blockDuration,
- reconnLimitForBan: reconnLimitForBan,
+ filterTimeout: filterTimeout,
+ reconnThreshold: reconnThreshold,
+ blockDuration: blockDuration,
+ reconnLimitForBan: reconnLimitForBan,
+ differentMetaReconnects: differentMetaReconnects,
 }
 }
@@ -86,7 +89,7 @@ func (l *loginFilter) allowLogin(wgPubKey string, metaHash uint64) bool {
 if mh.banned && time.Since(mh.lastSeen) < l.cfg.blockDuration {
 return false
 }
- if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout {
+ if mh.hash != metaHash && time.Since(mh.lastSeen) < l.cfg.filterTimeout && mh.counter > l.cfg.differentMetaReconnects {
 return false
 }
 return true
@@ -101,12 +104,6 @@ func (l *loginFilter) removeLogin(wgPubKey string) {
 func metaHash(meta nbpeer.PeerSystemMeta, pubip string) uint64 {
 h := fnv.New64a()
- if len(meta.NetworkAddresses) != 0 {
- for _, na := range meta.NetworkAddresses {
- h.Write([]byte(na.Mac))
- }
- }
-
 h.Write([]byte(meta.WtVersion))
 h.Write([]byte(meta.OSVersion))
 h.Write([]byte(meta.KernelVersion))
diff --git a/management/server/loginfilter_test.go b/management/server/loginfilter_test.go
index 21a2673aa..4c2694ec1 100644
--- a/management/server/loginfilter_test.go
+++ b/management/server/loginfilter_test.go
@@ -14,10 +14,11 @@ import (
 func testCfg() *config {
 return &config{
- filterTimeout: 20 * time.Millisecond,
- reconnThreshold: 50 * time.Millisecond,
- blockDuration: 100 * time.Millisecond,
- reconnLimitForBan: 3,
+ filterTimeout: 20 * time.Millisecond,
+ reconnThreshold: 50 * time.Millisecond,
+ blockDuration: 100 * time.Millisecond,
+ reconnLimitForBan: 3,
+ differentMetaReconnects: 1,
 }
 }
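Review bot: The added `mh.counter > l.cfg.differentMetaReconnects` clause in `allowLogin` switches the different-hash check off while the counter is at or below the limit, so a second device presenting the same WireGuard key with other metadata is admitted and nothing in the visible lines records it. A log line or metric on the path where `mh.hash != metaHash` but the login is still allowed would keep key sharing detectable. The counter also looks like the one that feeds `reconnLimitForBan`, judging by the test's same-hash `addLogin` calls, so the grace depends on how often the key reconnected rather than on how many mismatches occurred; a dedicated mismatch count would match the constant's name. Please also confirm that `>` rather than `>=` is intended, since the commit subject speaks of 3 attempts. The function starts above this hunk, where `mh` is looked up.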
@@ -99,6 +100,10 @@ func (s *LoginFilterTestSuite) TestDifferentHashIsBlockedWhenActive() {
 meta1 := uint64(23424223423)
 meta2 := uint64(99878798987987)
+ for range s.filter.cfg.differentMetaReconnects {
+ s.filter.addLogin(pubKey, meta1)
+ }
+
 s.filter.addLogin(pubKey, meta1)
 s.False(s.filter.allowLogin(pubKey, meta2))
@@ -177,12 +182,6 @@ func BenchmarkHashingMethods(b *testing.B) {
 func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
 h := fnv.New64a()
- if len(meta.NetworkAddresses) != 0 {
- for _, na := range meta.NetworkAddresses {
- h.Write([]byte(na.Mac))
- }
- }
-
 h.Write([]byte(meta.WtVersion))
 h.Write([]byte(meta.OSVersion))
 h.Write([]byte(meta.KernelVersion))
@@ -194,9 +193,8 @@ func fnvHashToString(meta nbpeer.PeerSystemMeta, pubip string) string {
 }
 func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
- mac := getMacAddress(meta.NetworkAddresses)
 estimatedSize := len(meta.WtVersion) + len(meta.OSVersion) + len(meta.KernelVersion) + len(meta.Hostname) + len(meta.SystemSerialNumber) +
- len(pubip) + len(mac) + 6
+ len(pubip) + 5
 var b strings.Builder
 b.Grow(estimatedSize)
@@ -212,19 +210,6 @@ func builderString(meta nbpeer.PeerSystemMeta, pubip string) string {
 b.WriteString(meta.SystemSerialNumber)
 b.WriteByte('|')
 b.WriteString(pubip)
- b.WriteByte('|')
- b.WriteString(mac)
 return b.String()
 }
-
-func getMacAddress(nas []nbpeer.NetworkAddress) string {
- if len(nas) == 0 {
- return ""
- }
- macs := make([]string, 0, len(nas))
- for _, na := range nas {
- macs = append(macs, na.Mac)
- }
- return strings.Join(macs, "/")
-}
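Review bot: `TestDifferentHashIsBlockedWhenActive` now exercises only the rejected side of the new threshold; nothing asserts that a different hash is still accepted while the counter is at or below `differentMetaReconnects`, so a change from `>` to `>=` in `allowLogin` would pass unnoticed. A companion case with a single `s.filter.addLogin(pubKey, meta1)` followed by `s.True(s.filter.allowLogin(pubKey, meta2))` would pin the boundary, assuming `addLogin` raises the counter by one per call (it is not in this diff). `for range s.filter.cfg.differentMetaReconnects` ranges over an int, which needs Go 1.22 or later.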