From 8189ca025640e565fac4e96dd85f231fddae28d3 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Wed, 13 Oct 2021 17:15:26 -0700
Subject: [PATCH] Added exclusion to MaxInvalidLogin. #3192

---
 meshcentral-config-schema.json | 8 +++++---
 webserver.js                   | 9 +++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 8cd4994d..d5174133 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -228,10 +228,12 @@
         "maxInvalidLogin": {
           "type": "object",
           "additionalProperties": false,
+          "description": "This section described a policy for how many times an IP address is allowed to attempt to login incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.",
           "properties": {
-            "time": { "type": "integer" },
-            "count": { "type": "integer" },
-            "coolofftime": { "type": "integer" }
+            "exclude": { "type": "string", "default": null, "description": "Ranges of IP addresses that are not subject to invalid login limitations. For example: 192.168.1.0/24,172.16.0.1"},
+            "time": { "type": "integer", "default": 10, "description": "Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address." },
+            "count": { "type": "integer", "default": 10, "description": "Maximum number of invalid login attempts from an IP address in the time period." },
+            "coolofftime": { "type": "integer", "default": null, "description": "Additional time in minute that login attempts will be denied once the invalid login limit is reached." }
           }
         },
         "amtProvisioningServer": {
diff --git a/webserver.js b/webserver.js
index dbd654bc..1353e6a1 100644
--- a/webserver.js
+++ b/webserver.js
@@ -7665,6 +7665,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
     obj.setbadLogin = function (ip) { // Set an IP address that just did a bad login request
         if (parent.config.settings.maxinvalidlogin === false) return;
         if (typeof ip == 'object') { ip = ip.clientIp; }
+        if (parent.config.settings.maxinvalidlogin != null) {
+            if (typeof parent.config.settings.maxinvalidlogin.exclude == 'string') {
+                const excludeSplit = parent.config.settings.maxinvalidlogin.exclude.split(',');
+                for (var i in excludeSplit) { if (require('ipcheck').match(ip, excludeSplit[i])) return; }
+            } else if (Array.isArray(parent.config.settings.maxinvalidlogin.exclude)) {
+                for (var i in parent.config.settings.maxinvalidlogin.exclude) { if (require('ipcheck').match(ip, parent.config.settings.maxinvalidlogin.exclude[i])) return; }
+            }
+            return;
+        }
         var splitip = ip.split('.');
         if (splitip.length == 4) { ip = (splitip[0] + '.' + splitip[1] + '.' + splitip[2] + '.*'); }
         if (++obj.badLoginTableLastClean > 100) { obj.cleanBadLoginTable(); }