authentication and security

2025-09-28 16:01:27 +01:00
parent f81b0f3c28
commit 22185904be
13 changed files with 1176 additions and 33 deletions
@@ -19,20 +19,20 @@ type Config struct {
    } `json:"web"`

    Services struct {
-        HTTP       bool  `json:"http"`
-        HTTPS      bool  `json:"https"`
-        SSH        bool  `json:"ssh"`
-        FTP        bool  `json:"ftp"`
-        SMTP       bool  `json:"smtp"`
-        IMAP       bool  `json:"imap"`
-        Telnet     bool  `json:"telnet"`
-        MySQL      bool  `json:"mysql"`
-        PostgreSQL bool  `json:"postgresql"`
-        MongoDB    bool  `json:"mongodb"`
-        RDP        bool  `json:"rdp"`
-        SMB        bool  `json:"smb"`
-        SIP        bool  `json:"sip"`
-        VNC        bool  `json:"vnc"`
+        HTTP       bool `json:"http"`
+        HTTPS      bool `json:"https"`
+        SSH        bool `json:"ssh"`
+        FTP        bool `json:"ftp"`
+        SMTP       bool `json:"smtp"`
+        IMAP       bool `json:"imap"`
+        Telnet     bool `json:"telnet"`
+        MySQL      bool `json:"mysql"`
+        PostgreSQL bool `json:"postgresql"`
+        MongoDB    bool `json:"mongodb"`
+        RDP        bool `json:"rdp"`
+        SMB        bool `json:"smb"`
+        SIP        bool `json:"sip"`
+        VNC        bool `json:"vnc"`
        Generic    []int `json:"generic"`
    } `json:"services"`

@@ -53,6 +53,19 @@ type Config struct {
        VNC        int `json:"vnc"`
    } `json:"ports"`

+    Security struct {
+        MaxInputLength      int    `json:"max_input_length"`      // Maximum input length per command
+        MaxConnDuration     string `json:"max_conn_duration"`     // Maximum connection duration (e.g., "5m")
+        MaxCommands         int    `json:"max_commands"`          // Maximum commands per connection
+        RateLimitWindow     string `json:"rate_limit_window"`     // Rate limiting window (e.g., "1m")
+        MaxConnPerIP        int    `json:"max_conn_per_ip"`       // Maximum concurrent connections per IP
+        ReadTimeout         string `json:"read_timeout"`          // Read timeout for each operation
+        WriteTimeout        string `json:"write_timeout"`         // Write timeout for each operation
+        EnableRateLimit     bool   `json:"enable_rate_limit"`     // Enable rate limiting
+        BlockHighThreatIPs  bool   `json:"block_high_threat_ips"` // Automatically block high threat IPs
+        ThreatScoreThreshold int   `json:"threat_score_threshold"` // Threshold for automatic blocking
+    } `json:"security"`
+
    // Certificates allows overriding default certificate/key locations.
    Certificates struct {
        // SSHHostKeyPath points to a PEM-encoded RSA private key to use as SSH host key.
@@ -149,5 +162,17 @@ func defaultConfig() Config {
    c.Ports.SIP = 5060
    c.Ports.VNC = 5900

+    // Security defaults
+    c.Security.MaxInputLength = 4096
+    c.Security.MaxConnDuration = "5m"
+    c.Security.MaxCommands = 100
+    c.Security.RateLimitWindow = "1m"
+    c.Security.MaxConnPerIP = 10
+    c.Security.ReadTimeout = "30s"
+    c.Security.WriteTimeout = "10s"
+    c.Security.EnableRateLimit = true
+    c.Security.BlockHighThreatIPs = false
+    c.Security.ThreatScoreThreshold = 80
+
    return c
 }