BBS:      TELESC.NET.BR
Subject:  ctrl/sbbs.ini src/sbbs3/ratelimit.hpp sbbs_ini.c src/sbbs3/scfg/scfgsr
From:     Rob Swindell (on Windows 11)
Date:     Fri, 22 May 2026 00:13:47 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/64788e721a2fcdfb0c54f202
Modified Files:
	ctrl/sbbs.ini src/sbbs3/ratelimit.hpp sbbs_ini.c src/sbbs3/scfg/scfgsrvr.c src/sbbs3/websrvr.cpp websrvr.h
Log Message:
websrvr: add subnet-aggregated connection rate limiter with auto-filter

Add a connection rate limiter to the web server, enforced at accept()
before a session thread or TLS handshake is spawned, complementing the
existing post-parse request rate limiter. This rejects a connection flood
at the cheapest possible point and counts connections (e.g. aborted TLS
handshakes) that never produce a parseable request.

Both limiters can now optionally aggregate clients by IPv4/IPv6 subnet
prefix, so distributed abuse spread thinly across many addresses in a
hosting provider's range is counted (and filtered) as a single CIDR bucket
rather than slipping under per-host-IP limits.

Repeat offenders that exceed a rate limit RateLimitFilterThreshold times are
auto-filtered: the offending IP or subnet (in CIDR notation) is written to
ip.can, or ip-silent.can (dropped at accept) when RateLimitFilterSilent, with
an optional expiry. The connection and request limiters share one set of
auto-filter/subnet settings (each keeps its own independent denial counter).

New [Web] ini settings, also configurable via SCFG (Web Server Settings ->
Rate Limiting...): MaxConnectsPerPeriod, ConnectRateLimitPeriod,
RateLimitSubnetPrefix4, RateLimitSubnetPrefix6, RateLimitFilterThreshold,
RateLimitFilterDuration, RateLimitFilterSilent.

- ratelimit.hpp: allowRequest() optionally reports a per-key denial count
  (reset when a client goes idle) as an escalation signal for auto-filtering.
- websrvr.cpp: rate_limit_key() masks a client IP to its subnet CIDR;
  rate_limit_filter() writes abusers to the filter file. Connection limiter
  wired in at accept; request limiter updated to share the same machinery.
  Also include the protocol in the accept-time MAXIMUM CLIENTS log message,
  for consistency with the per-request one.
- scfg: new "Rate Limiting..." submenu under Web Server Settings, with a
  status summary on the menu line.
- ctrl/sbbs.ini: document the new [Web] keys (disabled by default).

Co-Authored-By: Claude Opus 4.7 (1M context) 
---
  Synchronet  Vertrauen  Home of Synchronet  [vert/cvs/bbs].synchro.net
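The subnet-keyed limiter with per-key denial counting that the commit describes, as an added C++ illustration written for this page (it is not Synchronet's ratelimit.hpp or websrvr.cpp): the names SubnetLimiter, subnet_key4, ip4 and run_flood are assumptions, the ini keys appear only in comments, and the flood scenario is constructed input.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Constructed illustration, not Synchronet's code. One bucket per key (subnet CIDR):
// a fixed counting window plus a denial counter that survives across windows.
struct Bucket { uint64_t window_start = 0, last_seen = 0; unsigned count = 0, denials = 0; };

// Host-order IPv4 from octets (helper for the constructed sample input).
inline uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d) { return (a << 24) | (b << 16) | (c << 8) | d; }

// Mask an IPv4 address to a prefix and render it as CIDR. This string is the bucket
// key, so with bits=24 all 256 hosts of a /24 share a single counter.
inline std::string subnet_key4(uint32_t ip, unsigned bits) {
    uint32_t net = bits ? ip & (0xffffffffu << (32 - bits)) : 0;
    char buf[32];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u/%u", (unsigned)(net >> 24), (unsigned)(net >> 16) & 255u,
                  (unsigned)(net >> 8) & 255u, (unsigned)net & 255u, bits);
    return buf;
}

struct SubnetLimiter {
    unsigned max_per_period;   // cf. MaxConnectsPerPeriod
    uint64_t period;           // cf. ConnectRateLimitPeriod (seconds)
    unsigned prefix4;          // cf. RateLimitSubnetPrefix4 (32 = plain per-host limiting)
    unsigned filter_threshold; // cf. RateLimitFilterThreshold (0 = never auto-filter)
    std::map<std::string, Bucket> buckets;
    std::vector<std::string> filtered; // CIDRs that would be appended to ip.can

    // Accept-time decision: true = keep the connection, false = reject it.
    bool allow(uint32_t ip, uint64_t now) {
        const std::string key = subnet_key4(ip, prefix4);
        Bucket& b = buckets[key];
        if (now - b.last_seen >= period) b.denials = 0; // key went idle: forgive its history
        b.last_seen = now;
        if (now - b.window_start >= period) { b.window_start = now; b.count = 0; }
        if (++b.count <= max_per_period) return true;
        // Denied: escalate; reaching the threshold records the subnet exactly once.
        if (filter_threshold && ++b.denials == filter_threshold) filtered.push_back(key);
        return false;
    }
};

// Constructed scenario: five distinct hosts in 203.0.113.0/24 connect in the same second,
// limit 3 per 10 s, auto-filter after 2 denials. Per-host-IP limiting would pass all five.
inline SubnetLimiter run_flood() {
    SubnetLimiter lim{3, 10, 24, 2, {}, {}};
    for (uint32_t host = 10; host < 15; ++host) lim.allow(ip4(203, 0, 113, host), 1000);
    return lim;
}
```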
