ejabberd development
EJAB-1074

Restrict In-Band Registration in default configuration

    Details

      Description

      ejabberd 2.1.0 and all previous versions support In-Band Registration, which is enabled in the default configuration shipped in the source code package, in the binary installers and in many third-party packages. This configuration allows anybody on a remote machine to create accounts on the ejabberd server.

      Currently the only restriction enabled in the default configuration is

      {registration_timeout, 600}.

      which limits registrations from a given IP address to one every 10 minutes.

      However, that restriction is not enough in the long term to prevent abuse by spam farms, which can keep a list of 1000 different ejabberd servers and create one account on each of them every 10 minutes.

      Some ideas for solutions:

      A) The quickest solution would be to disable In-Band Registration completely in the default configuration. But quoting Alexey Shchepin:

      disabling registration can be quite confusing for new users (newbie ejabberd administrators)

      B) Implement and enforce CAPTCHA in In-Band Registration, with support for web submission for those Jabber clients that may not support this feature.

      C) Implement a new option in mod_register like

      {allow_only, 1}

      which acts as a conditional restriction: if there isn't any Jabber account registered yet, then allow one account to be registered. Cases:

      • When the first account is registered, send a message to the admin explaining to him that no more accounts will be allowed to register, and how he can enable registration.
      • If no configuration change was done, the second registration fails with a specific message explaining that the admin didn't enable registration.
      • If more than two accounts exist, then the registration is rejected as usual.

      D) Allow registrations only from localhost (127.0.0.1), and when each account is registered send a message indicating that only accounts from localhost are allowed until the configuration is modified.

          Activity

          Dan Siemon added a comment -

          "disabling registration can be quite confusing for new users (newbie ejabberd administrators)"

          I don't understand how the above is an issue. No administrator of an email, FTP or any other server for that matter would expect to not have to create accounts. Having the default configuration allow remote account creation violates the principle of least surprise and will eventually lead to someone getting into trouble.

          I strongly vote for A.

          ekhramtsov added a comment -

          +1 for A.

          Badlop added a comment -

          EJAB-915 adds the new option ip_access to mod_register, and ejabberd.cfg.example was modified to implement:

          Dsimple) Allow registrations only from localhost (127.0.0.1).

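The weak default described in the issue and the restriction adopted in EJAB-915, side by side as an ejabberd 2.x configuration fragment. This is an added illustration, not text from the issue or from ejabberd's own ejabberd.cfg.example; it uses the Erlang-term syntax of the ejabberd 2.x configuration file, and the host name and admin JID are assumed.

```erlang
%% Added example, not from the issue or from ejabberd.cfg.example.
%% An ejabberd 2.x config is a sequence of Erlang terms, each ending in a
%% period. Only one of the alternatives below should be active at a time.

%% --- Weak (the default the issue complains about) -----------------------
%% Anyone who can reach the c2s port may create an account; the only brake
%% is one registration per source IP every 600 seconds, which a spam farm
%% defeats by rotating over many servers.
%%
%% {registration_timeout, 600}.
%% {access, register, [{allow, all}]}.
%% {modules, [{mod_register, [{access, register}]}]}.

%% --- Hardened, option A: no In-Band Registration at all -----------------
%% Accounts are then created by the administrator on the server, e.g.
%%   ejabberdctl register alice example.org <password>
%%
%% {access, register, [{deny, all}]}.

%% --- Hardened, option D-simple: ip_access from EJAB-915 (live below) -----
%% Registration stays enabled, but mod_register only honours requests whose
%% client connection comes from the loopback address. Rules are evaluated
%% in order and the first matching rule wins, so the explicit deny for
%% 0.0.0.0/0 after the loopback allow rejects every remote client.
{registration_timeout, 600}.
{access, register, [{allow, all}]}.
{modules, [
  {mod_register, [
    {ip_access, [{allow, "127.0.0.0/8"},
                 {deny,  "0.0.0.0/0"}]},
    %% Assumed admin JID: receives an XMPP message for each new account,
    %% so an unexpected registration is noticed rather than silent.
    {registration_watchers, ["admin@example.org"]},
    {access, register}
  ]}
]}.
```

With the live fragment in place, a remote client sending the XEP-0077 registration form gets an error and no account is created; a client on the machine itself can still register, which is the behaviour the ejabberd.cfg.example change in EJAB-915 was aiming for.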
