ejabberd
Don't reject login with "policy violation" and don't ban IP if auth backend is unreachable
Environment
- ejabberd version: 8ccad7fadadc7ccedc4a4c9004838503d0f1c76d
- Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 11.1.8
- OS: Debian Bullseye arm64
- Installed from: source
Configuration
host_config:
  "mydomain.tld":
    auth_method: sql
    auth_password_format: scram
    default_db: sql
    sql_type: pgsql
    sql_server: "localhost"
    sql_database: "mydb"
    sql_username: "myuser"
    sql_password: "mypass"
    new_sql_schema: true
    sql_pool_size: 2
Steps
- have sql auth backend
- stop sql server (e.g. plain stop or random crash)
Expected result
- unable to login
Actual result
- unable to login
- client rejected with "policy violation"
- server log says "invalid user or password"
- client IP is banned (this might even be a local multiplexer/router IP and not the client IP, making things odd even if the auth backend is restarted)
You could try to whitelist IP addresses in fail2ban to make them never be blocked (mod_fail2ban has an access option for that).
As for changing our handling of DB errors: we only pass a boolean saying whether the password is good or wrong from the password check function. To extend it we will need to change all consumers, and there are quite a few of them, but if I have some time I will see what we can do.
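The distinction discussed above, as an added example that is not part of the original thread and not ejabberd's code: a password check that returns a tri-state result instead of a boolean, so that a failure counter only counts genuine credential failures. All module, function and atom names are hypothetical, the ban threshold is assumed, and plain equality stands in for SCRAM verification.

```erlang
%% Added sketch: module, function and atom names are hypothetical, not ejabberd's API.
-module(auth_outcome_demo).
-export([demo/0, check_password/3, handle_login/4]).
-define(MAX_FAILURES, 3).  % assumed ban threshold

%% Backend is a fun: User -> {ok, StoredPass} | not_found | {error, Reason}.
%% Plain equality stands in for SCRAM verification to keep the sketch short.
check_password(Backend, User, Pass) ->
    case Backend(User) of
        {ok, Pass}       -> ok;
        {ok, _Other}     -> {error, invalid_credentials};
        not_found        -> {error, invalid_credentials};
        {error, _Reason} -> {error, backend_unavailable}
    end.

%% Failures maps IP -> count. Only genuine credential failures are counted;
%% an outage returns a temporary failure and leaves the counters untouched.
handle_login(Backend, IP, {User, Pass}, Failures) ->
    case maps:get(IP, Failures, 0) >= ?MAX_FAILURES of
        true -> {banned, Failures};
        false ->
            case check_password(Backend, User, Pass) of
                ok ->
                    {authenticated, maps:remove(IP, Failures)};
                {error, invalid_credentials} ->
                    Inc = fun(N) -> N + 1 end,
                    {not_authorized, maps:update_with(IP, Inc, 1, Failures)};
                {error, backend_unavailable} ->
                    {temporary_auth_failure, Failures}
            end
    end.

%% Constructed scenario; every match below must succeed for demo/0 to return ok.
demo() ->
    Up = fun(<<"alice">>) -> {ok, <<"s3cret">>}; (_) -> not_found end,
    Down = fun(_) -> {error, econnrefused} end,
    IP = {192, 0, 2, 10},
    Good = {<<"alice">>, <<"s3cret">>},
    Bad = {<<"alice">>, <<"guess">>},
    Try = fun(Backend, Creds, Expect) ->
              fun(_, F) -> {Expect, F1} = handle_login(Backend, IP, Creds, F), F1 end
          end,
    %% Five logins during an outage: nothing counted, login works once the DB is back.
    Outage = lists:foldl(Try(Down, Good, temporary_auth_failure), #{}, lists:seq(1, 5)),
    {authenticated, _} = handle_login(Up, IP, Good, Outage),
    %% Three wrong passwords against a healthy backend: the next attempt is banned.
    Guessing = lists:foldl(Try(Up, Bad, not_authorized), #{}, lists:seq(1, 3)),
    {banned, _} = handle_login(Up, IP, Good, Guessing),
    ok.
```

Compile with `erlc auth_outcome_demo.erl` and call `auth_outcome_demo:demo()` in an Erlang shell; it returns `ok` only if the outage attempts left the counter empty and the wrong-password attempts triggered the ban.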
Any news? Got bitten by this again :(
You could try to whitelist IP addresses in fail2ban to make them never be blocked (mod_fail2ban has an access option for that).
Like so?
access_rules:
  allowlist:
    allow:
      ip: A.A.A.A/32
modules:
  mod_fail2ban:
    access: allowlist
Should work, or just:
mod_fail2ban:
  access:
    allow:
      - ip: 127.0.0.1/32