made the ban points configurable

doc/sample.config

@@ -222,6 +222,11 @@ max-ban-score = 50
 # The time (in seconds) that all score kept for a client is reset.
 ban-reset-time = 300
 
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
+
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. That cookie will be invalided if not

src/config.c

@@ -80,6 +80,9 @@ static struct cfg_options available_options[] = {
 	{ .name = "no-compress-limit", .type = OPTION_NUMERIC, .mandatory = 0 },
 	{ .name = "tcp-port", .type = OPTION_NUMERIC, .mandatory = 0 },
 	{ .name = "max-ban-score", .type = OPTION_NUMERIC, .mandatory = 0 },
+	{ .name = "ban-points-wrong-password", .type = OPTION_NUMERIC, .mandatory = 0 },
+	{ .name = "ban-connection", .type = OPTION_NUMERIC, .mandatory = 0 },
+	{ .name = "ban-points-kkdcp", .type = OPTION_NUMERIC, .mandatory = 0 },
 	{ .name = "udp-port", .type = OPTION_NUMERIC, .mandatory = 0 },
 	{ .name = "keepalive", .type = OPTION_NUMERIC, .mandatory = 0 },
 	{ .name = "dpd", .type = OPTION_NUMERIC, .mandatory = 0 },
@@ -827,6 +830,13 @@ unsigned urlfw_size = 0;
 	if (config->max_ban_score == -1)
 		config->max_ban_score = DEFAULT_MAX_BAN_SCORE;
 
+	config->ban_points_wrong_password = DEFAULT_PASSWORD_POINTS;
+	READ_NUMERIC("ban-points-wrong-password", config->ban_points_wrong_password);
+	config->ban_points_connect = DEFAULT_CONNECT_POINTS;
+	READ_NUMERIC("ban-points-connection", config->ban_points_connect);
+	config->ban_points_kkdcp = DEFAULT_KKDCP_POINTS;
+	READ_NUMERIC("ban-points-kkdcp", config->ban_points_kkdcp);
+
 	READ_NUMERIC("max-same-clients", config->max_same_clients);
 
 	val = get_option("run-as-user", NULL);

src/main-ban.c

@@ -194,7 +194,7 @@ unsigned check_if_banned(main_server_st *s, struct sockaddr_storage *addr, sockl
 
 	if (human_addr2((struct sockaddr*)addr, addr_size, t.ip, sizeof(t.ip), 0) != NULL) {
 		/* add its current connection points */
-		add_ip_to_ban_list(s, t.ip, CONNECT_POINTS);
+		add_ip_to_ban_list(s, t.ip, s->config->ban_points_connect);
 
 		now = time(0);
 		e = htable_get(db, rehash(&t, NULL), ban_entry_cmp, &t);

src/ocserv-args.def

@@ -297,6 +297,11 @@ max-ban-score = 50
 # The time (in seconds) that all score kept for a client is reset.
 ban-reset-time = 300
 
+# In case you'd like to change the default points.
+#ban-points-wrong-password = 10
+#ban-points-connection = 1
+#ban-points-kkdcp = 1
+
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. That cookie will be invalided if not

src/sec-mod-auth.c

@@ -322,7 +322,7 @@ int handle_sec_auth_res(int cfd, sec_mod_st * sec, client_entry_st * e, int resu
 	if (result == ERR_AUTH_CONTINUE) {
 		/* if the module allows multiple retries for the password */
 		if (e->status != PS_AUTH_INIT && e->module && e->module->allows_retries) {
-			ret = sec_mod_add_score_to_ip(sec, e, e->auth_info.remote_ip, PASSWORD_POINTS);
+			ret = sec_mod_add_score_to_ip(sec, e, e->auth_info.remote_ip, sec->config->ban_points_wrong_password);
 			if (ret < 0) {
 				e->status = PS_AUTH_FAILED;
 				return send_sec_auth_reply(cfd, sec, e, AUTH__REP__FAILED);
@@ -355,7 +355,7 @@ int handle_sec_auth_res(int cfd, sec_mod_st * sec, client_entry_st * e, int resu
 	} else {
 		e->status = PS_AUTH_FAILED;
 
-		sec_mod_add_score_to_ip(sec, e, e->auth_info.remote_ip, PASSWORD_POINTS);
+		sec_mod_add_score_to_ip(sec, e, e->auth_info.remote_ip, sec->config->ban_points_wrong_password);
 
 		ret = send_sec_auth_reply(cfd, sec, e, AUTH__REP__FAILED);
 		if (ret < 0) {

src/vpn.h

@@ -61,10 +61,10 @@ typedef enum {
  * attempt gives you PASSWORD_POINTS, and you are banned
  * when the maximum ban score is reached.
  */
-#define PASSWORD_POINTS 10
-#define CONNECT_POINTS 1
-#define KKDCP_POINTS 1
-#define DEFAULT_MAX_BAN_SCORE (MAX_PASSWORD_TRIES*PASSWORD_POINTS)
+#define DEFAULT_PASSWORD_POINTS 10
+#define DEFAULT_CONNECT_POINTS 1
+#define DEFAULT_KKDCP_POINTS 1
+#define DEFAULT_MAX_BAN_SCORE (MAX_PASSWORD_TRIES*DEFAULT_PASSWORD_POINTS)
 #define DEFAULT_BAN_RESET_TIME 300
 
 #define MIN_NO_COMPRESS_LIMIT 64
@@ -327,6 +327,10 @@ struct cfg_st {
 	int max_ban_score;	/* the score allowed before a user is banned (see vpn.h) */
 	int ban_reset_time;
 
+	unsigned ban_points_wrong_password;
+	unsigned ban_points_connect;
+	unsigned ban_points_kkdcp;
+
 	unsigned isolate; /* whether seccomp should be enabled or not */
 
 	unsigned auth_timeout; /* timeout of HTTP auth */
@@ -364,7 +368,7 @@ struct cfg_st {
 
 	char *connect_script;
 	char *disconnect_script;
-	
+
 	char *cgroup;
 	char *proxy_url;
 
@@ -384,7 +388,7 @@ struct cfg_st {
 	char *default_user_conf;
 
 	bool gssapi_no_local_user_map;
-	
+
 	/* the tun network */
 	struct vpn_st network;
 };

src/worker-kkdcp.c

@@ -140,7 +140,7 @@ int post_kkdcp_handler(worker_st *ws, unsigned http_ver)
 		return -1;
 	}
 
-	ws_add_score_to_ip(ws, KKDCP_POINTS, 0);
+	ws_add_score_to_ip(ws, ws->config->ban_points_kkdcp, 0);
 	oclog(ws, LOG_HTTP_DEBUG, "HTTP processing kkdcp framed request: %u bytes", (unsigned)req->body_length);
 
 	ret = der_decode((uint8_t*)req->body, req->body_length, buf, &length, realm, sizeof(realm), &e);

src/worker-vpn.c

@@ -251,7 +251,7 @@ void ws_add_score_to_ip(worker_st *ws, unsigned points, unsigned final)
 	if (final == 0) {
 		ws->ban_points += points;
 		/* do not use IPC for small values */
-		if (points < PASSWORD_POINTS)
+		if (points < ws->config->ban_points_wrong_password)
 			return;
 	}