authorJesusaves <cpntb1@ymail.com>2020-12-27 17:31:40 -0300
committerJesusaves <cpntb1@ymail.com>2020-12-27 17:31:40 -0300
commitddbf494719658dbb421401f2bdc2429db0df5a2d (patch)
tree4cb7f80ddad6d8b166f4ebfb221cfd3d02809651
parentf0a170e4a61e34ff13475c4ebb4638204db9a993 (diff)
Disclose about automatic bans, and make score rule read from consts.py
Move the TODO about dropping already established connections from server.py to security.py
-rw-r--r--README.md21
-rw-r--r--consts.py2
-rw-r--r--security.py5
-rwxr-xr-xserver.py1
4 files changed, 26 insertions, 3 deletions
diff --git a/README.md b/README.md
index ec85fd8..f777f69 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,8 @@ Fail2Ban will block harmful clients which could otherwise DoS your server.
See also their official website: https://www.fail2ban.org
+Major auth failures will be sent to syslog.
+
The server will read (one IP per line) the files called Z-Line, G-Line and K-Line
in this order during startup, and won't read them again at runtime.
They will issue "bans", which causes connection to be dropped right after being
@@ -74,12 +76,31 @@ Keep in mind that `kline` console command will write to K-Line.txt so
autogenerating data for it is not advised. All bans expire when server restarts,
except if they have been kline'd (or are otherwise listed on a -Line file.)
+Do note it do not support zones (eg. /24) nor does it support wildcards. Invalid
+lines will be stored to memory but will never trigger the ruleset. Thus the advise
+for an external properly configured firewall, the built-in measures are minimal,
+and just to act as a _last_ defense line against intruders - not an _only_.
+
Other suggestions (never tested):
* [Blocklist DE](blocklist.de) - IP-Addresses who attack other servers/honeypots over SSH, FTP, IMAP, etc.
* [SORBS NET](sorbs.net) - Open SOCKS proxy servers, etc
* [Spamhaus ORG](spamhaus.org) - Spamhaus blacklist (spammers, open proxies)
* [Proxy-List DOWNLOAD](www.proxy-list.download/) - List of SOCKS and HTTP proxies
+## Automatic bans
+
+The server has a "score" function in security. Sending invalid packets will cause
+your score to raise, and once it reaches a certain threshold, the connection will
+be killed and the user IP will be banned for a short while (BAN_TIME in consts.py)
+
+Different errors might influence the score differently depending on the severity.
+The threshold fluctuates depending if the user is logged in or not - for instance,
+sending a packet while logged out will most likely trigger the ban rules.
+
+For this reason, server admins are advised to tweak the values to their liking.
+The values are in consts.py and not in configure. Changing the score for each
+invalid operation must be done at the python file of the operations specifically.
+
# The client
The client should work out-of-the-box, but a few concerns are to be made.
diff --git a/consts.py b/consts.py
index 0446c09..cab36f1 100644
--- a/consts.py
+++ b/consts.py
@@ -94,6 +94,8 @@ CONN_CLEANUP =900.0
SQL_PINGTIME =1200.0
BL_UPDATETIME =30.0
BAN_TIME =180.0
+BAN_UNAUTHED =5
+BAN_AUTHED =30
CLIENTVERSION ="2.0.12.15"
MAX_CLIENTS =2500
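Review bot: `BAN_UNAUTHED` and `BAN_AUTHED` are added directly under `BAN_TIME =180.0` with no comment, so they read as durations in seconds, while security.py in this same commit compares them against `conn.MS_score` as score thresholds. An admin tuning the ban policy from this file could easily change the wrong kind of value. I would add a comment above the two lines, for example `# Score limits (points, not seconds): a connection is banned once its MS_score reaches this value`, and say which constant applies to logged-in clients.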
diff --git a/security.py b/security.py
index 3e18087..0424712 100644
--- a/security.py
+++ b/security.py
@@ -20,7 +20,7 @@
# Really basic stuff, still better than nothing, though
import threading, time, traceback
from utils import now, stdout, dl_search, ifte
-from consts import BL_UPDATETIME, INT_MAX, BAN_TIME
+from consts import BL_UPDATETIME, INT_MAX, BAN_TIME, BAN_AUTHED, BAN_UNAUTHED
blacklist = []
@@ -73,6 +73,7 @@ def ban_ip(ip, until=INT_MAX):
global blacklist
blacklist.append([ip, until])
stdout("%s has been banned until %d." % (ip, until))
+ # TODO: kick users when they are banned or klined
return
def unban_ip(ip):
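Review bot: The TODO added after the `stdout(...)` call does not record what a ban currently leaves undone. In the visible lines `ban_ip` only appends `[ip, until]` to `blacklist` and logs, so a client that is already connected presumably keeps its session after being banned or klined. I would make the comment state that consequence, e.g. `# TODO: close already-established connections from this IP; until then a ban only affects new connections`. The start of `ban_ip` lies above the hunk, so this reading should be checked against the full function.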
@@ -88,7 +89,7 @@ def score(conn, score):
#print("Score request: %d" % score)
conn.MS_score += score
- limit = ifte(conn.MS_auth, 30, 5)
+ limit = ifte(conn.MS_auth, BAN_AUTHED, BAN_UNAUTHED)
if (conn.MS_score >= limit):
stdout("Banning %s (%d/%d lame)" % (conn.address[0], conn.MS_score, limit))
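Review bot: Now that `limit` comes from consts.py, nothing in `score` guards against a threshold of zero or below: `conn.MS_score >= limit` would then be true on the first call and ban every client, including authenticated ones. The README text in this commit invites admins to tweak these values, so a one-time check at import in security.py would fail fast instead of locking everyone out, e.g. `if BAN_UNAUTHED <= 0 or BAN_AUTHED <= 0: raise ValueError("BAN_UNAUTHED and BAN_AUTHED must be positive")`. The body of `score` continues outside the hunk, so the ban path itself is not visible here.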
diff --git a/server.py b/server.py
index 2711257..f57f02f 100755
--- a/server.py
+++ b/server.py
@@ -197,7 +197,6 @@ try:
# TODO: Disconnect a client (kick/dc)
# kickandban (kb)
# And grant gems to an user
- # Also, kick users when they are banned or klined
elif cmd in ["ddos", "dcall"]:
totaldc=0
for c in clients: