public void TestKeyBlacklistingAndWhitelisting() { var ip = GetRandomIP(); var key = GetRandomKey(); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip).Run(), string.Format("Allow traffic on {0} from {1}", key, ip)); Hacker.BlacklistKeyAsync(key, TimeSpan.FromMinutes(5)).Run(); Assert.AreEqual( Hacker.Result.KeyBlocked, Hacker.DefendAsync(key, ip).Run(), string.Format("Block traffic on {0} from {1}", key, ip)); Assert.AreEqual( Hacker.Result.KeyBlocked, Hacker.DefendAsync(key, GetRandomIP()).Run(), string.Format("Allow any traffic from {1}", key, ip)); Hacker.WhitelistKeyAsync(key).Run(); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip).Run(), string.Format("Allow traffic on {0} from {1} after whitelist", key, ip)); }
public void ClearAllHits() { Func <string> keyGenerator = () => { return("ClearAllHits" + GetRandomKey()); }; var keys = new List <string>(); var random = new Random((int)DateTime.Now.Ticks); var startTime = DateTime.Now; Parallel.For(0, 10, hit => { var key = keyGenerator(); keys.Add(key); var hits = 1 + random.Next(Hacker.Config.MaxHitsPerKey - 1); for (var i = 0; i < hits; i++) { Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, GetRandomIP()).Run(), "Request must be allowed for a hit on a key"); } Assert.AreEqual(hits, Hacker.GetHitsForKey(key).Run(), "Number of hits must be " + hits + " for key: " + key); }); Hacker.ClearAllHitsAsync().Run(); foreach (var key in keys) { Assert.AreEqual(0, Hacker.GetHitsForKey(key).Run(), "After clearing hits Number of hits must be 0 for key: " + key); } }
public void TestOriginBlaclistingAndWhitelisting() { var ip = GetRandomIP(); var key = GetRandomKey(); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip).Run(), string.Format("Allow traffic on {0} from {1}", key, ip)); Hacker.BlacklistOriginAsync(ip).Run(); Assert.AreEqual( Hacker.Result.OriginBlocked, Hacker.DefendAsync(key, ip).Run(), string.Format("Block traffic on {0} from {1}", key, ip)); Assert.AreEqual( Hacker.Result.OriginBlocked, Hacker.DefendAsync(GetRandomKey(), ip).Run(), string.Format("Allow any traffic from {1}", key, ip)); Hacker.WhitelistOriginAsync(ip).Run(); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip).Run(), string.Format("Allow traffic on {0} from {1} after whitelist", key, ip)); }
public void TestKeyCustomHitLimit() { Hacker.Config.MaxHitsPerKey = 100; Hacker.Config.MaxHitsPerOrigin = 100; Hacker.Config.MaxHitsPerKeyPerOrigin = 100; var key = "InvalidLogin-" + GetRandomKey(); var ip = GetRandomIP(); var interval = TimeSpan.FromMinutes(1); var maxHits = 10; var startTime = DateTime.Now; Parallel.For(0, maxHits, hit => { Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip, interval, maxHits, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue).Run(), "Allow hits on key for custom interval"); }); Assert.AreEqual( Hacker.Result.TooManyHitsOnKey, Hacker.DefendAsync(key, ip, interval, maxHits, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue).Run(), "Must not allow hits on key after custom interval"); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync("InvalidLogin-" + GetRandomKey(), ip, interval, maxHits, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue).Run(), "Allow hits on different key from same IP"); WaitForIntervalToElapse(interval, startTime); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip, interval, maxHits, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue).Run(), "Allow hits on key for after interval has passed."); }
public void TestMaxHitsPerOrigin() { Hacker.Config.MaxHitsPerKey = 20; Hacker.Config.MaxHitsPerOrigin = 10; Hacker.Config.MaxHitsPerKeyPerOrigin = 20; var ip = GetRandomIP(); Func <string> keyGenerator = () => { return("TestMaxHitsPerOrigin" + GetRandomKey()); }; var startTime = DateTime.Now; var result = Parallel.For(0, Hacker.Config.MaxHitsPerOrigin, hit => { Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(keyGenerator(), ip).Run() ); }); while (!result.IsCompleted) { Thread.Sleep(100); } Assert.AreEqual( Hacker.Config.MaxHitsPerOrigin, Hacker.GetHitsFromOrigin(ip).Run(), "Number of hits recorded must match"); // No more requests from same IP Assert.AreEqual( Hacker.Result.TooManyHitsFromOrigin, Hacker.DefendAsync(keyGenerator(), ip).Run() ); // Allow requests from other IPs Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(keyGenerator(), GetRandomIP()).Run()); WaitForIntervalToElapse(Hacker.Config.MaxHitsPerOriginInterval, startTime); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(keyGenerator(), ip).Run(), "Allow hits from same origin after expiration time." ); }
//[ValidateAntiForgeryToken] public async Task <IActionResult> Login(LoginViewModel model, string returnUrl = null) { var clientIP = Request.HttpContext.Connection.RemoteIpAddress.MapToIPv4(); return(await Hacker.DefendAsync <IActionResult>(async (success, fail) => { // Don't forget to do this check! We use model.Email for key. if (string.IsNullOrWhiteSpace(model.Email) || string.IsNullOrWhiteSpace(model.Password)) { return await fail(View(model)); } ViewData["ReturnUrl"] = returnUrl; if (ModelState.IsValid) { // This doesn't count login failures towards account lockout // To enable password failures to trigger account lockout, set lockoutOnFailure: true var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false); if (result.Succeeded) { _logger.LogInformation(1, "User logged in."); return await success(RedirectToLocal(returnUrl)); } if (result.RequiresTwoFactor) { return await success(RedirectToAction(nameof(SendCode), new { ReturnUrl = returnUrl, RememberMe = model.RememberMe })); } if (result.IsLockedOut) { _logger.LogWarning(2, "User account locked out."); return await fail(View("Lockout")); } else { ModelState.AddModelError(string.Empty, "Invalid login attempt."); return await fail(View(model)); } } // If we got this far, something failed, redisplay form return await fail(View(model)); }, blocked => { _logger.LogWarning("Blocked: " + clientIP + " " + model.Email); return new StatusCodeResult((int)HttpStatusCode.Forbidden); }, "ValidLogin:"******"InvalidLogin:" + model.Email, 3, TimeSpan.FromMinutes(15), clientIP)); }
public void TestMaxHitsOnKeyPerOrigin() { Hacker.Config.MaxHitsPerKey = 20; Hacker.Config.MaxHitsPerOrigin = 20; Hacker.Config.MaxHitsPerKeyPerOrigin = 10; Func <string> keyGenerator = () => { return("TestMaxHitsOnKeyPerOrigin" + GetRandomKey()); }; var key = keyGenerator(); var ip = GetRandomIP(); var startTime = DateTime.Now; Parallel.For(0, Hacker.Config.MaxHitsPerKeyPerOrigin, hit => { Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip).Run(), "Allow hits on same key and IP"); }); Assert.AreEqual( Hacker.Config.MaxHitsPerKeyPerOrigin, Hacker.GetHitsForKey(key).Run(), "Number of hits recorded must match"); // No more requests from same key and IP Assert.AreEqual( Hacker.Result.TooManyHitsOnKeyFromOrigin, Hacker.DefendAsync(key, ip).Run()); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(keyGenerator(), ip).Run(), "From different key, same IP, allow"); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, GetRandomIP()).Run(), "From different IP, same key, allow"); WaitForIntervalToElapse(Hacker.Config.MaxHitsPerOriginInterval, startTime); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(key, ip).Run(), "Allow hits on same key and IP after expiration"); }
public void TestMaxHitsPerKey() { Hacker.Config.MaxHitsPerKey = 10; Hacker.Config.MaxHitsPerOrigin = 20; Hacker.Config.MaxHitsPerKeyPerOrigin = 20; Func <string> keyGenerator = () => { return("TestMaxHitsPerKey" + GetRandomKey()); }; var fixedKey = keyGenerator(); var startTime = DateTime.Now; Parallel.For(0, Hacker.Config.MaxHitsPerKey, hit => { Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(fixedKey, GetRandomIP()).Run()); }); Assert.AreEqual( Hacker.Config.MaxHitsPerKey, Hacker.GetHitsForKey(fixedKey).Run(), "Number of hits recorded must match"); Assert.AreEqual( Hacker.Result.TooManyHitsOnKey, Hacker.DefendAsync(fixedKey, GetRandomIP()).Run()); var ip = GetRandomIP(); Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(keyGenerator(), ip).Run(), "Allow traffic from aonther key on same IP"); WaitForIntervalToElapse(Hacker.Config.MaxHitsPerKeyInterval, startTime); // Hit from another IP using same key should be allowed Assert.AreEqual( Hacker.Result.Allowed, Hacker.DefendAsync(fixedKey, GetRandomIP()).Run(), "After expiration time, key must be unblocked"); }
public async Task <ActionResult> LogOn(string username, string password) { // This handles load balancers passing the original client IP // through this header. // WARNING: If you load balancer is not passing original client IP // through this header, then you will be blocking your load balancer, // causing a total outage. Also ensure this Header cannot be spoofed. var originIP = Request.GetClientIp(); // Don't forget to do this check! if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password)) { TempData[TempDataConstants.ERROR_MESSAGE] = "Invalid username or password"; return(View("~/Views/Account/LogOn.cshtml")); } return(await Hacker.DefendAsync <ActionResult>(async (success, fail) => { var user = DataStore.Users.Where(u => u.Username == username && u.Password == password).FirstOrDefault(); if (user != null) { Session[SessionConstants.USER] = user; return await success(RedirectToAction("Index", "Home")); } else { TempData[TempDataConstants.ERROR_MESSAGE] = "Invalid username or password"; return await fail(View("~/Views/Account/LogOn.cshtml")); } }, blocked => new HttpStatusCodeResult(HttpStatusCode.Forbidden), "ValidLogin:"******"InvalidLogin:" + username, MaxInvalidLogin, MaxInvalidLoginInterval, originIP )); }
// GET api/values/5 public async Task <IHttpActionResult> Get(int id) { var originIP = "0.0.0.1"; var ip = IPAddress.Parse(originIP); return(await Hacker.DefendAsync <IHttpActionResult>( async (success, fail) => { if (id == 5) { return await success(Ok($"sms for id {id}")); } else { return await fail(BadRequest($"bad request for id {id}")); } }, blocked => new ResponseMessageResult(new HttpResponseMessage(HttpStatusCode.Forbidden)), validActionKey : "ValidLogin:"******"InvalidLogin:" + id, maxInvalidAttempt : MaxInvalidLogin, invalidAttemptInterval : MaxInvalidLoginInterval, origin : ip )); }
public static async Task <Hacker.Result> DefendURL(HttpContext context) { Hacker.Result result = Hacker.Result.Allowed; Stopwatch watch = new Stopwatch(); watch.Start(); if (!Initialized) { lock (lockObject) { if (!Initialized) { Hacker.Logger = new TraceLogger(); Hacker.Logger.LogInformation(ClassName + ' ' + "Initialize"); Hacker.Store = new RedisDefenceStore(HackerSprayConfig.Settings.Redis, HackerSprayConfig.Settings.Prefix, Hacker.Config); Hacker.Logger.LogInformation(ClassName + ' ' + " Initialized"); Initialized = true; } } } // This handles load balancers passing the original client IP // through this header. // WARNING: If your load balancer is not passing original client IP // through this header, then you will be blocking your load balancer, // causing a total outage. Also ensure this Header cannot be spoofed. // Your load balancer should be configured in a way that it does not accept // this header from the request, instead it always sets it itself. var originIP = context.Request.GetClientIp(); foreach (var path in HackerSprayConfig.Settings.Paths) { if ((path.Post && context.Request.HttpMethod == "POST") || (!path.Post && context.Request.HttpMethod == "GET") && path.Name == context.Request.Path) { Hacker.Logger.LogDebug(ClassName + ' ' + "Path matched: " + context.Request.Path); if (path.Mode == "key") { result = await Hacker.DefendAsync(context.Request.Path, originIP, path.Interval, path.MaxAttempts, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue); if (result == Hacker.Result.TooManyHitsOnKey) { Hacker.Logger.LogInformation(ClassName + ' ' + "TooManyHitsOnKey Blacklist Path: " + context.Request.Path); await Hacker.BlacklistKeyAsync(path.Name, path.Interval); } } else if (path.Mode == "origin") { result = await Hacker.DefendAsync(context.Request.Path, originIP, TimeSpan.MaxValue, long.MaxValue, path.Interval, path.MaxAttempts, TimeSpan.MaxValue, long.MaxValue); if (result == Hacker.Result.TooManyHitsFromOrigin) { Hacker.Logger.LogInformation(ClassName + ' ' + "TooManyHitsFromOrigin Blacklist origin: " + originIP); await Hacker.BlacklistOriginAsync(originIP, path.Interval); } } else //(path.Mode == "key+origin") { result = await Hacker.DefendAsync(context.Request.Path, originIP, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue, path.Interval, path.MaxAttempts); } break; } } watch.Stop(); Hacker.Logger.LogDebug(ClassName + ' ' + "DefendURL: " + context.Request.Path + " " + watch.ElapsedMilliseconds); return(result); }
public async Task Invoke(HttpContext context) { var path = context.Request.Path; Stopwatch watch = new Stopwatch(); watch.Start(); if (path.HasValue) { Debug("Defend Begin: " + path); // This handles load balancers passing the original client IP // through this header. // WARNING: If your load balancer is not passing original client IP // through this header, then you will be blocking your load balancer, // causing a total outage. Also ensure this Header cannot be spoofed. // Your load balancer should be configured in a way that it does not accept // this header from the request, instead it always sets it itself. var originIP = context.Connection.RemoteIpAddress; //if (context.Request.Headers.ContainsKey(XForwardedForHeader)) // originIP = IPAddress.Parse(context.Request.Headers[XForwardedForHeader]).MapToIPv4(); var result = Hacker.Result.Allowed; foreach (var key in _keys) { if (key.Method == context.Request.Method && key.Key == path) { Debug("Defend: " + path); if (key.Mode == HackerSprayOptionKey.HitCountMode.PerKey) { result = await Hacker.DefendAsync(path, originIP, key.Interval, key.MaxAttempts, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue); if (result == Hacker.Result.TooManyHitsOnKey) { await Hacker.BlacklistKeyAsync(path, key.Interval); } } else if (key.Mode == HackerSprayOptionKey.HitCountMode.PerOrigin) { result = await Hacker.DefendAsync(path, originIP, TimeSpan.MaxValue, long.MaxValue, key.Interval, key.MaxAttempts, TimeSpan.MaxValue, long.MaxValue); if (result == Hacker.Result.TooManyHitsFromOrigin) { await Hacker.BlacklistOriginAsync(originIP, key.Interval); } } else //(key.Item5 == Mode.PerKeyOrigin) { result = await Hacker.DefendAsync(path, originIP, TimeSpan.MaxValue, long.MaxValue, TimeSpan.MaxValue, long.MaxValue, key.Interval, key.MaxAttempts); } Debug("Defend Result: " + Enum.GetName(typeof(Hacker.Result), result)); break; } } watch.Stop(); Debug("Defend End: " + path + " " + watch.ElapsedMilliseconds); if (result == Hacker.Result.Allowed) { await _next.Invoke(context); } else { Info("Blocked: " + path); context.Response.StatusCode = (int)HttpStatusCode.NotAcceptable; await context.Response.WriteAsync(Enum.GetName(typeof(Hacker.Result), result)); } //watch.Stop(); //Debug("Finished: " + path + " " + watch.ElapsedMilliseconds); } else { await _next.Invoke(context); } }
public void TestAllowed() { var result = Hacker.DefendAsync("TestAllowed" + GetRandomKey(), GetRandomIP()).Run(); Assert.AreEqual(Hacker.Result.Allowed, result); }
public void TestOriginRangeBlocking() { Hacker.ClearBlacklistsAsync().Run(); Hacker.ClearAllHitsAsync().Run(); var ipsInRange = new[] { IPAddress.Parse("10.10.10.10"), IPAddress.Parse("10.10.10.11"), IPAddress.Parse("10.10.254.254"), IPAddress.Parse("10.11.10.9"), IPAddress.Parse("10.11.10.10"), IPAddress.Parse("9.1.1.1"), IPAddress.Parse("9.1.1.10"), IPAddress.Parse("9.10.10.9"), IPAddress.Parse("10.11.10.12"), IPAddress.Parse("127.254.254.254"), IPAddress.Parse("100.100.100.100"), IPAddress.Parse("128.10.10.12"), IPAddress.Parse("128.10.10.254"), IPAddress.Parse("128.10.10.128"), }; var ipsOutofRange = new[] { IPAddress.Parse("10.10.10.9"), IPAddress.Parse("9.10.10.10"), IPAddress.Parse("10.11.10.11"), IPAddress.Parse("128.10.10.11"), IPAddress.Parse("200.200.200.200"), IPAddress.Parse("1.1.1.1"), IPAddress.Parse("10.0.0.0") }; Hacker.BlacklistOriginAsync(IPAddress.Parse("10.10.10.10"), IPAddress.Parse("10.11.10.10")).Run(); Hacker.BlacklistOriginAsync(IPAddress.Parse("9.1.1.1"), IPAddress.Parse("9.10.10.9")).Run(); Hacker.BlacklistOriginAsync(IPAddress.Parse("10.11.10.12"), IPAddress.Parse("127.254.254.254")).Run(); Hacker.BlacklistOriginAsync(IPAddress.Parse("128.10.10.12"), IPAddress.Parse("128.10.10.254")).Run(); Array.ForEach(ipsInRange, ip => Assert.AreEqual(Hacker.Result.OriginBlocked, Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(), ip.ToString() + " must be blocked.")); Hacker.ClearAllHitsAsync().Run(); Array.ForEach(ipsOutofRange, ip => Assert.AreEqual(Hacker.Result.Allowed, Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(), ip.ToString() + " must be allowed")); Hacker.WhitelistOriginAsync(IPAddress.Parse("9.1.1.1"), IPAddress.Parse("9.10.10.9")).Run(); Array.ForEach(new[] { IPAddress.Parse("9.1.1.1"), IPAddress.Parse("9.1.1.10"), IPAddress.Parse("9.10.10.9") }, ip => Assert.AreEqual(Hacker.Result.Allowed, Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(), ip.ToString() + " must be allowed")); Hacker.ClearBlacklistsAsync().Run(); Hacker.ClearAllHitsAsync().Run(); Array.ForEach(ipsInRange, ip => Assert.AreEqual(Hacker.Result.Allowed, Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(), ip.ToString() + " must be allowed when there's no blacklisting.")); Hacker.ClearAllHitsAsync().Run(); Array.ForEach(ipsOutofRange, ip => Assert.AreEqual(Hacker.Result.Allowed, Hacker.DefendAsync("TestOriginRangeBlocking", ip).Run(), ip.ToString() + " must be allowed when there's no blacklisting")); }