feat: Implement authentication rate limiting (fail2ban-like)

Add AuthRateLimiter with ban support to protect against brute-force attacks:

- Track failed authentication attempts per IP address
- Automatically ban IPs that exceed max attempts within time window
- Configurable max attempts, time window, and ban duration
- IP whitelist support for trusted addresses
- Automatic cleanup of expired bans and failure records
- Background cleanup task running every 60 seconds

Configuration options added to SecurityConfig:
- auth_window: Time window for counting attempts (default: 300s)
- whitelist_ips: IPs exempt from rate limiting

Integration with SSH handler:
- Check if IP is banned before authentication
- Record failures and trigger bans on threshold
- Record success to reset failure counter
- Logging for ban events

Closes #140

Author: inureyes

src/server/config/types.rs

@@ -368,12 +368,28 @@ pub struct SecurityConfig {
     #[serde(default = "default_max_auth_attempts")]
     pub max_auth_attempts: u32,
 
+    /// Time window in seconds for counting authentication attempts.
+    ///
+    /// Failed attempts outside this window are not counted toward the ban threshold.
+    ///
+    /// Default: 300 (5 minutes)
+    #[serde(default = "default_auth_window")]
+    pub auth_window: u64,
+
     /// Ban duration in seconds after exceeding max auth attempts.
     ///
     /// Default: 300 (5 minutes)
     #[serde(default = "default_ban_time")]
     pub ban_time: u64,
 
+    /// IP addresses that are never banned (whitelist).
+    ///
+    /// These IPs are exempt from rate limiting and banning.
+    ///
+    /// Example: ["127.0.0.1", "::1"]
+    #[serde(default)]
+    pub whitelist_ips: Vec<String>,
+
     /// Maximum number of concurrent sessions per user.
     ///
     /// Default: 10
@@ -449,6 +465,10 @@ fn default_max_auth_attempts() -> u32 {
     5
 }
 
+fn default_auth_window() -> u64 {
+    300
+}
+
 fn default_ban_time() -> u64 {
     300
 }
@@ -517,7 +537,9 @@ impl Default for SecurityConfig {
     fn default() -> Self {
         Self {
             max_auth_attempts: default_max_auth_attempts(),
+            auth_window: default_auth_window(),
             ban_time: default_ban_time(),
+            whitelist_ips: Vec::new(),
             max_sessions_per_user: default_max_sessions(),
             idle_timeout: default_idle_timeout(),
             allowed_ips: Vec::new(),

src/server/handler.rs

@@ -32,6 +32,7 @@ use super::auth::AuthProvider;
 use super::config::ServerConfig;
 use super::exec::CommandExecutor;
 use super::pty::PtyConfig as PtyMasterConfig;
+use super::security::AuthRateLimiter;
 use super::session::{ChannelState, PtyConfig, SessionId, SessionInfo, SessionManager};
 use super::sftp::SftpHandler;
 use super::shell::ShellSession;
@@ -57,6 +58,9 @@ pub struct SshHandler {
     /// Rate limiter for authentication attempts.
     rate_limiter: RateLimiter<String>,
 
+    /// Auth rate limiter with ban support (fail2ban-like).
+    auth_rate_limiter: Option<AuthRateLimiter>,
+
     /// Session information for this connection.
     session_info: Option<SessionInfo>,
 
@@ -83,6 +87,7 @@ impl SshHandler {
             sessions,
             auth_provider,
             rate_limiter,
+            auth_rate_limiter: None,
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
         }
@@ -106,6 +111,33 @@ impl SshHandler {
             sessions,
             auth_provider,
             rate_limiter,
+            auth_rate_limiter: None,
+            session_info: Some(SessionInfo::new(peer_addr)),
+            channels: HashMap::new(),
+        }
+    }
+
+    /// Create a new SSH handler with shared rate limiters including auth ban support.
+    ///
+    /// This is the preferred constructor for production use as it shares
+    /// both rate limiters across all handlers, providing server-wide rate limiting
+    /// and fail2ban-like functionality.
+    pub fn with_rate_limiters(
+        peer_addr: Option<SocketAddr>,
+        config: Arc<ServerConfig>,
+        sessions: Arc<RwLock<SessionManager>>,
+        rate_limiter: RateLimiter<String>,
+        auth_rate_limiter: AuthRateLimiter,
+    ) -> Self {
+        let auth_provider = config.create_auth_provider();
+
+        Self {
+            peer_addr,
+            config,
+            sessions,
+            auth_provider,
+            rate_limiter,
+            auth_rate_limiter: Some(auth_rate_limiter),
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
         }
@@ -128,6 +160,7 @@ impl SshHandler {
             sessions,
             auth_provider,
             rate_limiter,
+            auth_rate_limiter: None,
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
         }
@@ -284,6 +317,7 @@ impl russh::server::Handler for SshHandler {
         // Clone what we need for the async block
         let auth_provider = Arc::clone(&self.auth_provider);
         let rate_limiter = self.rate_limiter.clone();
+        let auth_rate_limiter = self.auth_rate_limiter.clone();
         let peer_addr = self.peer_addr;
         let user = user.to_string();
         let public_key = public_key.clone();
@@ -292,6 +326,23 @@ impl russh::server::Handler for SshHandler {
         let session_info = &mut self.session_info;
 
         async move {
+            // Check if IP is banned (fail2ban-like check)
+            if let Some(ref limiter) = auth_rate_limiter {
+                if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                    if limiter.is_banned(&ip).await {
+                        tracing::warn!(
+                            user = %user,
+                            peer = ?peer_addr,
+                            "Rejected auth from banned IP"
+                        );
+                        return Ok(Auth::Reject {
+                            proceed_with_methods: None,
+                            partial_success: false,
+                        });
+                    }
+                }
+            }
+
             if exceeded {
                 tracing::warn!(
                     user = %user,
@@ -349,6 +400,13 @@ impl russh::server::Handler for SshHandler {
                         info.authenticate(&user);
                     }
 
+                    // Record success to reset failure counter
+                    if let Some(ref limiter) = auth_rate_limiter {
+                        if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                            limiter.record_success(&ip).await;
+                        }
+                    }
+
                     Ok(Auth::Accept)
                 }
                 Ok(_) => {
@@ -359,6 +417,20 @@ impl russh::server::Handler for SshHandler {
                         "Public key authentication rejected"
                     );
 
+                    // Record failure for ban tracking
+                    if let Some(ref limiter) = auth_rate_limiter {
+                        if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                            let banned = limiter.record_failure(ip).await;
+                            if banned {
+                                tracing::warn!(
+                                    user = %user,
+                                    peer = ?peer_addr,
+                                    "IP banned due to too many failed auth attempts"
+                                );
+                            }
+                        }
+                    }
+
                     let proceed = if methods.is_empty() {
                         None
                     } else {
@@ -378,6 +450,13 @@ impl russh::server::Handler for SshHandler {
                         "Error during public key verification"
                     );
 
+                    // Record failure for ban tracking
+                    if let Some(ref limiter) = auth_rate_limiter {
+                        if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                            limiter.record_failure(ip).await;
+                        }
+                    }
+
                     let proceed = if methods.is_empty() {
                         None
                     } else {
@@ -421,6 +500,7 @@ impl russh::server::Handler for SshHandler {
         // Clone what we need for the async block
         let auth_provider = Arc::clone(&self.auth_provider);
         let rate_limiter = self.rate_limiter.clone();
+        let auth_rate_limiter = self.auth_rate_limiter.clone();
         let peer_addr = self.peer_addr;
         let user = user.to_string();
         // Use Zeroizing to ensure password is securely cleared from memory when dropped
@@ -431,6 +511,23 @@ impl russh::server::Handler for SshHandler {
         let session_info = &mut self.session_info;
 
         async move {
+            // Check if IP is banned (fail2ban-like check)
+            if let Some(ref limiter) = auth_rate_limiter {
+                if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                    if limiter.is_banned(&ip).await {
+                        tracing::warn!(
+                            user = %user,
+                            peer = ?peer_addr,
+                            "Rejected password auth from banned IP"
+                        );
+                        return Ok(Auth::Reject {
+                            proceed_with_methods: None,
+                            partial_success: false,
+                        });
+                    }
+                }
+            }
+
             // Check if password auth is enabled
             if !allow_password {
                 tracing::debug!(
@@ -504,6 +601,13 @@ impl russh::server::Handler for SshHandler {
                         info.authenticate(&user);
                     }
 
+                    // Record success to reset failure counter
+                    if let Some(ref limiter) = auth_rate_limiter {
+                        if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                            limiter.record_success(&ip).await;
+                        }
+                    }
+
                     Ok(Auth::Accept)
                 }
                 Ok(_) => {
@@ -513,6 +617,20 @@ impl russh::server::Handler for SshHandler {
                         "Password authentication rejected"
                     );
 
+                    // Record failure for ban tracking
+                    if let Some(ref limiter) = auth_rate_limiter {
+                        if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                            let banned = limiter.record_failure(ip).await;
+                            if banned {
+                                tracing::warn!(
+                                    user = %user,
+                                    peer = ?peer_addr,
+                                    "IP banned due to too many failed password auth attempts"
+                                );
+                            }
+                        }
+                    }
+
                     let proceed = if methods.is_empty() {
                         None
                     } else {
@@ -532,6 +650,13 @@ impl russh::server::Handler for SshHandler {
                         "Error during password verification"
                     );
 
+                    // Record failure for ban tracking
+                    if let Some(ref limiter) = auth_rate_limiter {
+                        if let Some(ip) = peer_addr.map(|a| a.ip()) {
+                            limiter.record_failure(ip).await;
+                        }
+                    }
+
                     let proceed = if methods.is_empty() {
                         None
                     } else {

src/server/mod.rs

@@ -49,6 +49,7 @@ pub mod config;
 pub mod exec;
 pub mod handler;
 pub mod pty;
+pub mod security;
 pub mod session;
 pub mod sftp;
 pub mod shell;
@@ -69,6 +70,7 @@ pub use self::config::{ServerConfig, ServerConfigBuilder};
 pub use self::exec::{CommandExecutor, ExecConfig};
 pub use self::handler::SshHandler;
 pub use self::pty::{PtyConfig as PtyMasterConfig, PtyMaster};
+pub use self::security::{AuthRateLimitConfig, AuthRateLimiter};
 pub use self::session::{
     ChannelMode, ChannelState, PtyConfig, SessionId, SessionInfo, SessionManager,
 };
@@ -214,10 +216,28 @@ impl BsshServer {
         // This allows rapid testing while still providing protection against brute force
         let rate_limiter = RateLimiter::with_simple_config(100, 10.0);
 
+        // Create auth rate limiter with configuration
+        let auth_rate_limiter = AuthRateLimiter::new(AuthRateLimitConfig::new(
+            self.config.max_auth_attempts,
+            300, // Default 5 minute window
+            300, // Default 5 minute ban
+        ));
+
+        // Start background cleanup task for auth rate limiter
+        let cleanup_limiter = auth_rate_limiter.clone();
+        tokio::spawn(async move {
+            let mut interval = tokio::time::interval(Duration::from_secs(60));
+            loop {
+                interval.tick().await;
+                cleanup_limiter.cleanup().await;
+            }
+        });
+
         let mut server = BsshServerRunner {
             config: Arc::clone(&self.config),
             sessions: Arc::clone(&self.sessions),
             rate_limiter,
+            auth_rate_limiter,
         };
 
         // Use run_on_socket which handles the server loop
@@ -248,6 +268,8 @@ struct BsshServerRunner {
     sessions: Arc<RwLock<SessionManager>>,
     /// Shared rate limiter for authentication attempts across all handlers
     rate_limiter: RateLimiter<String>,
+    /// Auth rate limiter with ban support (fail2ban-like)
+    auth_rate_limiter: AuthRateLimiter,
 }
 
 impl russh::server::Server for BsshServerRunner {
@@ -259,11 +281,12 @@ impl russh::server::Server for BsshServerRunner {
             "New client connection"
         );
 
-        SshHandler::with_rate_limiter(
+        SshHandler::with_rate_limiters(
             peer_addr,
             Arc::clone(&self.config),
             Arc::clone(&self.sessions),
             self.rate_limiter.clone(),
+            self.auth_rate_limiter.clone(),
         )
     }