add support for a basic built-in defender

It can help to prevent DoS and brute force password guessing
2025-12-07 14:50:55 +03:00 · 2021-01-02 14:05:09 +01:00
parent 30eb3c4a99
commit 037d89a320
23 changed files with 1530 additions and 131 deletions
--- a/docs/defender.md
+++ b/docs/defender.md
@@ -0,0 +1,53 @@
+# Defender
+
+The experimental built-in `defender` allows you to configure an auto-blocking policy for SFTPGo and thus helps to prevent DoS (Denial of Service) and brute force password guessing.
+
+If enabled it will protect SFTP, FTP and WebDAV services and it will automatically block hosts (IP addresses) that continually fail to log in or attempt to connect.
+
+You can configure a score for each event type:
+
+- `score_valid` defines the score for valid login attempts, eg. user accounts that exist. Default `1`.
+- `score_invalid` defines the score for invalid login attempts, eg. non-existent user accounts or client disconnected for inactivity without authentication attempts. Default `2`.
+
+And then you can configure:
+
+- `observation_time` defines the time window, in minutes, for tracking client errors.
+- `threshold` defines the threshold value before banning a host.
+- `ban_time` defines the time to ban a client, as minutes
+
+So a host is banned, for `ban_time` minutes, if it has exceeded the defined threshold during the last observation time minutes.
+
+If an already banned client tries to log in again its ban time will be incremented based on the `ban_time_increment` configuration.
+
+The `ban_time_increment` is calculated as percentage of `ban_time`, so if `ban_time` is 30 minutes and `ban_time_increment` is 50 the host will be banned for additionally 15 minutes. You can specify values greater than 100 for `ban_time_increment`.
+
+The `defender` will keep in memory both the host scores and the banned hosts, you can limit the memory usage using the `entries_soft_limit` and `entries_hard_limit` configuration keys.
+
+The `defender` can also load a permanent block and/or safe list of ip addresses/networks from a file:
+
+- `safelist_file`, string. Path to a file with a list of ip addresses and/or networks to never ban.
+- `blocklist_file`, string. Path to a file with a list of ip addresses and/or networks to always ban.
+
+These list must be stored as JSON with the following schema:
+
+- `addresses`, list of strings. Each string must be a valid IPv4/IPv6 address.
+- `networks`, list of strings. Each string must be a valid IPv4/IPv6 CIDR address.
+
+Here is a small example:
+
+```json
+{
+    "addresses":[
+        "192.0.2.1",
+        "2001:db8::68"
+    ],
+    "networks":[
+        "192.0.2.1/24",
+        "2001:db8:1234::/48"
+    ]
+}
+```
+
+These list will be loaded in memory for faster lookups.
+
+The `defender` is optimized for fast and time constant lookups however as it keeps all the lists and the entries in memory you should carefully measure the memory requirements for your use case.
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@@ -64,6 +64,18 @@ The configuration file contains the following sections:
    - If `proxy_protocol` is set to 2 and we receive a proxy header from an IP that is not in the list then the connection will be rejected
  - `post_connect_hook`, string. Absolute path to the command to execute or HTTP URL to notify. See [Post connect hook](./post-connect-hook.md) for more details. Leave empty to disable
  - `max_total_connections`, integer. Maximum number of concurrent client connections. 0 means unlimited
+  - `defender`, struct containing the defender configuration. See [Defender](./defender.md) for more details.
+    - `enabled`, boolean. Default `false`.
+    - `ban_time`, integer. Ban time in minutes.
+    - `ban_time_increment`, integer. Ban time increment, as a percentage, if a banned host tries to connect again.
+    - `threshold`, integer. Threshold value for banning a client.
+    - `score_invalid`, integer. Score for invalid login attempts, eg. non-existent user accounts or client disconnected for inactivity without authentication attempts.
+    - `score_valid`, integer. Score for valid login attempts, eg. user accounts that exist.
+    - `observation_time`, integer. Defines the time window, in minutes, for tracking client errors. A host is banned if it has exceeded the defined threshold during the last observation time minutes.
+    - `entries_soft_limit`, integer.
+    - `entries_hard_limit`, integer. The number of banned IPs and host scores kept in memory will vary between the soft and hard limit.
+    - `safelist_file`, string. Path to a file with a list of ip addresses and/or networks to never ban.
+    - `blocklist_file`, string. Path to a file with a list of ip addresses and/or networks to always ban.
 - **"sftpd"**, the configuration for the SFTP server
  - `bindings`, list of structs. Each struct has the following fields:
    - `port`, integer. The port used for serving SFTP requests. 0 means disabled. Default: 2022