From: Emre B. <em...@bi...> - 2012-10-15 18:43:19
Attachments: block_by_ip.tar.bz2
I ran into a problem with someone trying to hack a vncserver, so it got blocked with too many retries for everyone. I didn't want to go down the path of tcpd, so I modified the 1.3.10 code. Attached are my changes (from Xvnc/program/Xserver/hw/).

The idea is each max retry failure adds to a blocklist. The blocklist is in memory and gets put in ~/.vnc/blockip (configurable in rfb.h). The blocklist is reread with a kill -HUP on Xvnc (so you can remove a block without restarting). Once in the blocklist, the client is refused in socket.c (so the normal timer resets will work). I have only tested in Linux.

Possible improvements:
Also optionally(?) read hosts.deny
Make the blockedIPs array dynamic in size (currently static with #define MAX_BLOCK_IP in rfb.h)
The blocking in auth.c is done in 2 places, but probably just needs to be in one of them.

Cheers,
-E.
From: Emre B. <em...@bi...> - 2012-10-16 00:14:28
> Possible improvements:
> Also optionally(?) read hosts.deny
> Make the blockedIPs array dynamic in size (currently static with
> #define MAX_BLOCK_IP in rfb.h)
> The blocking in auth.c is done in 2 places, but probably just needs to
> be in one of them.

Additional possible improvements:
Could put MAX_BLOCK_IP as a token in the blockip file.
Should probably clear the "max retries" flag instead of waiting for the timer, since the IP is immediately blocked.

-E.