pimhwang
/
mediamtx
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

srt: wait some seconds before returning authentication errors (#2918) 

this allows to mitigate brute force attacks and is possible thanks to
https://github.com/datarhei/gosrt/pull/43
pull/2920/head
Alessandro Ros 2 years ago committed by GitHub
parent
84333dc304
commit
dd7d7c6c5d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 26 additions and 25 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      internal/servers/hls/http_server.go
  2. 10
      internal/servers/rtmp/conn.go
  3. 6
      internal/servers/rtsp/conn.go
  4. 14
      internal/servers/srt/conn.go
  5. 4
      internal/servers/webrtc/http_server.go
  6. 2
      internal/servers/webrtc/server.go
  7. 9
      internal/servers/webrtc/session.go

6
internal/servers/hls/http_server.go
Unescape View File

@ -20,7 +20,7 @@ import (
) )
const ( const (
hlsPauseAfterAuthError = 2 * time.Second pauseAfterAuthError = 2 * time.Second
) )
//go:embed index.html //go:embed index.html
@ -173,8 +173,8 @@ func (s *httpServer) onRequest(ctx *gin.Context) {
s.Log(logger.Info, "connection %v failed to authenticate: %v", remoteAddr, terr.Message) s.Log(logger.Info, "connection %v failed to authenticate: %v", remoteAddr, terr.Message)
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(hlsPauseAfterAuthError) <-time.After(pauseAfterAuthError)
ctx.Writer.WriteHeader(http.StatusUnauthorized) ctx.Writer.WriteHeader(http.StatusUnauthorized)
return return

10
internal/servers/rtmp/conn.go
Unescape View File

@ -29,7 +29,7 @@ import (
) )
const ( const (
rtmpPauseAfterAuthError = 2 * time.Second pauseAfterAuthError = 2 * time.Second
) )
func pathNameAndQuery(inURL *url.URL) (string, url.Values, string) { func pathNameAndQuery(inURL *url.URL) (string, url.Values, string) {
@ -181,8 +181,8 @@ func (c *conn) runRead(conn *rtmp.Conn, u *url.URL) error {
if res.Err != nil { if res.Err != nil {
var terr defs.AuthenticationError var terr defs.AuthenticationError
if errors.As(res.Err, &terr) { if errors.As(res.Err, &terr) {
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(rtmpPauseAfterAuthError) <-time.After(pauseAfterAuthError)
return terr return terr
} }
return res.Err return res.Err
@ -413,8 +413,8 @@ func (c *conn) runPublish(conn *rtmp.Conn, u *url.URL) error {
if res.Err != nil { if res.Err != nil {
var terr defs.AuthenticationError var terr defs.AuthenticationError
if errors.As(res.Err, &terr) { if errors.As(res.Err, &terr) {
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(rtmpPauseAfterAuthError) <-time.After(pauseAfterAuthError)
return terr return terr
} }
return res.Err return res.Err

6
internal/servers/rtsp/conn.go
Unescape View File

@ -20,7 +20,7 @@ import (
) )
const ( const (
rtspPauseAfterAuthError = 2 * time.Second pauseAfterAuthError = 2 * time.Second
) )
type conn struct { type conn struct {
@ -196,8 +196,8 @@ func (c *conn) handleAuthError(authErr error) (*base.Response, error) {
}, nil }, nil
} }
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(rtspPauseAfterAuthError) <-time.After(pauseAfterAuthError)
return &base.Response{ return &base.Response{
StatusCode: base.StatusUnauthorized, StatusCode: base.StatusUnauthorized,

14
internal/servers/srt/conn.go
Unescape View File

@ -25,6 +25,10 @@ import (
"github.com/bluenviron/mediamtx/internal/stream" "github.com/bluenviron/mediamtx/internal/stream"
) )
const (
pauseAfterAuthError = 2 * time.Second
)
func srtCheckPassphrase(connReq srt.ConnRequest, passphrase string) error { func srtCheckPassphrase(connReq srt.ConnRequest, passphrase string) error {
if passphrase == "" { if passphrase == "" {
return nil return nil
@ -197,9 +201,8 @@ func (c *conn) runPublish(req srtNewConnReq, pathName string, user string, pass
if res.Err != nil { if res.Err != nil {
var terr defs.AuthenticationError var terr defs.AuthenticationError
if errors.As(res.Err, &terr) { if errors.As(res.Err, &terr) {
// TODO: re-enable. Currently this freezes the listener. // wait some seconds to mitigate brute force attacks
// wait some seconds to stop brute force attacks <-time.After(pauseAfterAuthError)
// <-time.After(srtPauseAfterAuthError)
return false, terr return false, terr
} }
return false, res.Err return false, res.Err
@ -297,9 +300,8 @@ func (c *conn) runRead(req srtNewConnReq, pathName string, user string, pass str
if res.Err != nil { if res.Err != nil {
var terr defs.AuthenticationError var terr defs.AuthenticationError
if errors.As(res.Err, &terr) { if errors.As(res.Err, &terr) {
// TODO: re-enable. Currently this freezes the listener. // wait some seconds to mitigate brute force attacks
// wait some seconds to stop brute force attacks <-time.After(pauseAfterAuthError)
// <-time.After(srtPauseAfterAuthError)
return false, res.Err return false, res.Err
} }
return false, res.Err return false, res.Err

4
internal/servers/webrtc/http_server.go
Unescape View File

@ -134,8 +134,8 @@ func (s *httpServer) checkAuthOutsideSession(ctx *gin.Context, path string, publ
s.Log(logger.Info, "connection %v failed to authenticate: %v", remoteAddr, terr.Message) s.Log(logger.Info, "connection %v failed to authenticate: %v", remoteAddr, terr.Message)
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(webrtcPauseAfterAuthError) <-time.After(pauseAfterAuthError)
writeError(ctx, http.StatusUnauthorized, terr) writeError(ctx, http.StatusUnauthorized, terr)
return false return false

2
internal/servers/webrtc/server.go
Unescape View File

@ -28,7 +28,7 @@ import (
) )
const ( const (
webrtcPauseAfterAuthError = 2 * time.Second pauseAfterAuthError = 2 * time.Second
webrtcTurnSecretExpiration = 24 * 3600 * time.Second webrtcTurnSecretExpiration = 24 * 3600 * time.Second
webrtcPayloadMaxSize = 1188 // 1200 - 12 (RTP header) webrtcPayloadMaxSize = 1188 // 1200 - 12 (RTP header)
) )

9
internal/servers/webrtc/session.go
Unescape View File

@ -379,8 +379,8 @@ func (s *session) runPublish() (int, error) {
if res.Err != nil { if res.Err != nil {
var terr defs.AuthenticationError var terr defs.AuthenticationError
if errors.As(res.Err, &terr) { if errors.As(res.Err, &terr) {
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(webrtcPauseAfterAuthError) <-time.After(pauseAfterAuthError)
return http.StatusUnauthorized, res.Err return http.StatusUnauthorized, res.Err
} }
@ -510,9 +510,8 @@ func (s *session) runRead() (int, error) {
if res.Err != nil { if res.Err != nil {
var terr defs.AuthenticationError var terr defs.AuthenticationError
if errors.As(res.Err, &terr) { if errors.As(res.Err, &terr) {
// wait some seconds to stop brute force attacks // wait some seconds to mitigate brute force attacks
<-time.After(webrtcPauseAfterAuthError) <-time.After(pauseAfterAuthError)
return http.StatusUnauthorized, res.Err return http.StatusUnauthorized, res.Err
} }

Write Preview
Loading…
Cancel
Save