From 73a26193bf9e883c11cd4eb32b45539fb78e120e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Wed, 9 Feb 2022 15:09:00 +0100
Subject: [PATCH] Fix DOS using query endpoint

Stop using fuzzy search and limit results to 10k.
---
 honeypot/ssh/store/postgres.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/honeypot/ssh/store/postgres.go b/honeypot/ssh/store/postgres.go
index 5fdf30b..5a8c311 100644
--- a/honeypot/ssh/store/postgres.go
+++ b/honeypot/ssh/store/postgres.go
@@ -173,23 +173,23 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
 var stmt string
 queryString := query.Query
+ const limit = 10000
+
 switch query.QueryType {
 case AttemptQueryTypeIP:
 stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
- FROM login_attempts WHERE remote_ip = $1`
+ FROM login_attempts WHERE remote_ip = $1 order by date desc limit $2`
 case AttemptQueryTypePassword:
 stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
- FROM login_attempts WHERE password like $1`
- queryString = fmt.Sprintf("%%%s%%", queryString)
+ FROM login_attempts WHERE password = $1 order by date desc limit $2`
 case AttemptQueryTypeUsername:
 stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
- FROM login_attempts WHERE username like $1`
- queryString = fmt.Sprintf("%%%s%%", queryString)
+ FROM login_attempts WHERE username = $1 order by date desc limit $2`
 default:
 return nil, fmt.Errorf("invalid query type")
 }
- rows, err := s.db.Query(stmt, queryString)
+ rows, err := s.db.Query(stmt, queryString, limit)
 if err != nil {
 return nil, fmt.Errorf("unable to query database: %w", err)
 }
@@ -204,7 +204,6 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
 }
 la.RemoteIP = net.ParseIP(ipString)
 results = append(results, la)
-
 }
 return results, nil
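Review bot: The new `const limit = 10000` line carries no comment saying it is the resource bound this commit exists for, and the clause it feeds is written `order by date desc limit $2` in lowercase in all three statements while the rest of each statement keeps `SELECT … FROM … WHERE` uppercase. Suggest `const limit = 10000 // cap on rows per query so a broad match cannot return the whole table` and `ORDER BY date DESC LIMIT $2` for consistency. ORDER BY still has to rank every matching row before the limit is applied, so the cap bounds the result set but not the sort work unless `date` is indexed, which cannot be confirmed from the schema here. A caller receiving exactly 10000 rows also cannot distinguish a truncated result from a complete one; a sentence on Query's doc comment stating the cap would be worth adding, noting that Query's signature is in the hunk header but its body starts before and ends after this hunk.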