chore: finalize auth rate limiter with docs and formatting fixes

inureyes · inureyes · commit 082ffc649b78 · 2026-01-24T12:38:24.000+09:00
- Fix code formatting (cargo fmt)
- Update ARCHITECTURE.md with Server Security Module documentation
- Update server-configuration.md with auth_window and whitelist_ips options
- All 930 tests passing, clippy clean
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
@@ -189,6 +189,20 @@ Common utilities for code reuse between bssh client and server implementations:
 
 The `security` and `jump::rate_limiter` modules re-export from shared for backward compatibility.
 
+### Server Security Module
+
+Security features for the SSH server (`src/server/security/`):
+
+- **AuthRateLimiter**: Fail2ban-like authentication rate limiting
+  - Tracks failed authentication attempts per IP address
+  - Automatic banning after exceeding configurable threshold
+  - Time-windowed failure counting (failures outside window not counted)
+  - Configurable ban duration with automatic expiration
+  - IP whitelist for exempting trusted addresses from banning
+  - Memory-safe with configurable maximum tracked IPs
+  - Automatic cleanup of expired records via background task
+  - Thread-safe async implementation with `Arc<RwLock<>>`
+
 ### Server CLI Binary
 **Binary**: `bssh-server`
 
@@ -284,7 +298,8 @@ SSH server implementation using the russh library for accepting incoming connect
 
 - **SshHandler**: Per-connection handler for SSH protocol events
   - Public key authentication via AuthProvider trait
-  - Rate limiting for authentication attempts
+  - Rate limiting for authentication attempts (token bucket)
+  - Auth rate limiting with ban support (fail2ban-like)
   - Channel operations (open, close, EOF, data)
   - PTY, exec, shell, and subsystem request handling
   - Command execution with stdout/stderr streaming
diff --git a/docs/architecture/server-configuration.md b/docs/architecture/server-configuration.md
@@ -173,9 +173,19 @@ security:
   # Max auth attempts before banning IP
   max_auth_attempts: 5         # Default: 5
 
+  # Time window for counting auth attempts (seconds)
+  # Failed attempts outside this window are not counted
+  auth_window: 300             # Default: 300 (5 minutes)
+
   # Ban duration after exceeding max attempts (seconds)
   ban_time: 300                # Default: 300 (5 minutes)
 
+  # IPs that are never banned (whitelist)
+  # These IPs are exempt from rate limiting and banning
+  whitelist_ips:
+    - "127.0.0.1"
+    - "::1"
+
   # Max concurrent sessions per user
   max_sessions_per_user: 10    # Default: 10
 
diff --git a/src/server/mod.rs b/src/server/mod.rs
@@ -234,7 +234,8 @@ impl BsshServer {
             self.config.max_auth_attempts,
             self.config.auth_window_secs,
             self.config.ban_time_secs,
-        ).with_whitelist(whitelist_ips);
+        )
+        .with_whitelist(whitelist_ips);
 
         let auth_rate_limiter = AuthRateLimiter::new(auth_config);
 
diff --git a/src/server/security/rate_limit.rs b/src/server/security/rate_limit.rs
@@ -51,7 +51,7 @@ impl Default for AuthRateLimitConfig {
     fn default() -> Self {
         Self {
             max_attempts: 5,
-            window: Duration::from_secs(300),      // 5 minutes
+            window: Duration::from_secs(300),       // 5 minutes
             ban_duration: Duration::from_secs(300), // 5 minutes
             whitelist: HashSet::new(),
             max_tracked_ips: 10000, // Limit memory usage
@@ -324,9 +324,8 @@ impl AuthRateLimiter {
         {
             let mut failures = self.failures.write().await;
             let before = failures.len();
-            failures.retain(|_, record| {
-                now.duration_since(record.last_failure) < self.config.window
-            });
+            failures
+                .retain(|_, record| now.duration_since(record.last_failure) < self.config.window);
             let after = failures.len();
             if before > after {
                 tracing::debug!(
@@ -458,8 +457,7 @@ mod tests {
 
     #[tokio::test]
     async fn test_whitelist_ips() {
-        let config = AuthRateLimitConfig::new(1, 300, 300)
-            .with_whitelist(vec![localhost()]);
+        let config = AuthRateLimitConfig::new(1, 300, 300).with_whitelist(vec![localhost()]);
         let limiter = AuthRateLimiter::new(config);
 
         let whitelisted = localhost();
@@ -550,7 +548,7 @@ mod tests {
         limiter.record_failure(ip2).await; // This triggers ban
 
         assert_eq!(limiter.tracked_count().await, 1); // ip1 still tracked
-        assert_eq!(limiter.banned_count().await, 1);  // ip2 banned
+        assert_eq!(limiter.banned_count().await, 1); // ip2 banned
 
         // Wait for records to expire
         tokio::time::sleep(Duration::from_millis(20)).await;
