siteadmin:realm_filtering
Basic syntax checking can be done with the 'filter_username' policy. From the FreeRADIUS documents:
# Filter the username
#
# Force some sanity on User-Name. This helps to avoid issues
# issues where the back-end database is "forgiving" about
# what constitutes a user name.
Example usage:
authorize {
    # Run the User-Name syntax check first, so that malformed names are
    # dealt with before any of the realm handling below sees them.
    filter_username
    # NOTE(review): loop_prevent and operator-name are not defined on this
    # page -- presumably site/federation policies; confirm they exist locally.
    loop_prevent
    operator-name
    # Realm handling by suffix. Anything that later tests
    # &control:Proxy-To-Realm presumably has to run after this -- confirm.
    suffix
}
Unwanted realms, such as 'hotmail.com', can be filtered out simply by using the 'realm' command:
## Each realm below is declared with an empty body, i.e. with no home server
## or pool behind it. In FreeRADIUS such a realm is handled locally and is not
## proxied, so these entries stop the request from being forwarded upstream.
## NOTE(review): an empty realm does not by itself send an Access-Reject; what
## happens to the request next depends on the local authorize/authenticate
## configuration -- confirm these users really are rejected.
##
## A leading "~" makes the realm name a regular expression.
## NOTE(review): none of the patterns is anchored at the start, and the entries
## from gmail onwards have no trailing "$", so they also match longer realms
## that merely contain the string. Confirm that is intended; otherwise anchor
## them so a legitimate realm cannot be filtered by accident.

## Filter out NULL realms e.g. Username = fred
realm NULL {
}
## Filter out realms that aren't ever going to be valid Govroam realms e.g. Username = fred@hotmail.com
realm "~hotmail\\.com$" {
}
realm "~hotmail\\.co\\.uk$" {
}
## Both spellings (3gppnetworks / 3gppnetwork) are listed.
realm "~.*\\.3gppnetworks\\.org$" {
}
realm "~.*\\.3gppnetwork\\.org$" {
}
## No trailing "$" from here on -- see the review note at the top.
realm "~gmail\\.com" {
}
realm "~googlemail\\.com" {
}
realm "~live\\.com" {
}
realm "~outlook\\.com" {
}
realm "~yahoo\\.com" {
}
realm "~yahoo\\.cn" {
}
realm "~unimail\\.com" {
}
realm "~yahoo\\.co\\.uk" {
}
realm "~myabc\\.com" {
}
Alternatively, the bad realms can be rejected explicitly with a policy:
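check_bad_realms {
    ##
    ## check_bad_realms: reject requests whose User-Name ends in (or contains)
    ## a realm that will never be a valid govroam/eduroam realm, before the
    ## request is proxied upstream.
    ##
    ## On a match the policy appends 'Rejected: Bad Realm' to
    ## &request:Module-Failure-Message and returns reject. A request with no
    ## User-Name attribute at all is rejected by the final else branch.
    ##
    ## The first two sections test &control:Proxy-To-Realm, so this policy
    ## must run after whatever sets that attribute (presumably the realm
    ## handling in authorize -- confirm against the calling section).
    ##
    ## Fixes relative to the pasted original:
    ##   - the two Proxy-To-Realm "if" lines had no opening brace, leaving the
    ##     braces unbalanced;
    ##   - a comment wrapped mid-word onto a line of its own (a parse error);
    ##   - three patterns (ax.uk, sc.uk, a[cx].edu) used an unescaped "."
    ##     where every sibling pattern escapes the literal dot.
    ##
    ## Review notes:
    ##   - User-Name is supplied by the client (with EAP it is the outer
    ##     identity), so this is hygiene that stops hopeless requests from
    ##     being proxied; it is not an authentication decision.
    ##   - These matches are case-sensitive; a name such as fred@GMAIL.COM is
    ##     not caught. unlang accepts an "i" flag (/.../i) -- consider it, or
    ##     normalise the realm before matching.
    ##   - Many patterns have no leading "@" or "\.", so they match any realm
    ##     that merely ends with the string. Confirm none of them can reject
    ##     a legitimate visiting realm.
    ##   - The bath/bucs patterns are specific to one site; adapt before reuse.
    ##
    if (&User-Name) {
        ## reject usernames that end with realms that are never going to be govroam/eduroam realms
        ## is there a way to automate this??!

        ## stuff here will be matched for just eduroam
        if (&control:Proxy-To-Realm =~ /^PROXY-JANET-EDUROAM$/) {
            if (&User-Name =~ /mattstone\.net$/) {
                update request {
                    &Module-Failure-Message += 'Rejected: Bad Realm'
                }
                reject
            }
            if (&User-Name =~ /@.*bathnes/) {
                update request {
                    &Module-Failure-Message += 'Rejected: Bad Realm'
                }
                reject
            }
        }

        ## stuff here will be matched for just govroam
        if (&control:Proxy-To-Realm =~ /^PROXY-JANET-GOVROAM$/) {
            if (&User-Name =~ /that\.host$/) {
                update request {
                    &Module-Failure-Message += 'Rejected: Bad Realm'
                }
                reject
            }
        }

        ## stuff here will be matched for both govroam and eduroam
        if (&User-Name =~ /3gppnetwork\.org$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /gmail\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bath\.ac\.uk.+$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /ac$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        ## literal dot escaped (was /ax.uk$/)
        if (&User-Name =~ /ax\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        ## literal dot escaped (was /sc.uk$/)
        if (&User-Name =~ /sc\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        ## literal dot escaped (was /a[cx].edu$/)
        if (&User-Name =~ /a[cx]\.edu$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.[a-z0-9]$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bath$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bath\.a$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bath\.sc$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /ac\.bath\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /unibath\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.[a-z0-9]\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bath\.a[a-z]$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bath\.actually\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /back\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.uk[a-z0-9]$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /ac\.uk\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.acuk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /ba[a-z0-9]\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@ath\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@th\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@h\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.bat[a-gi-z0-9]\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.ba[a-gi-z0-9]\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.b[b-z0-9]th\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bathuni\.co\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bucs\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /ac\.co\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /bucs\.co\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /eis2win\.co\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.ba[a-z0-9]$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@.*\.[a-z0-9]ac\.uk/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.bath\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@myabc\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@.*hotmail\.co/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@.*live\.co$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.local$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /\.guest$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@.*gmail\.co/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /googlemail\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /outlook\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@.*yahoo\.c/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /unimail\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /blueyonder\.co\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.ac\.[a-z0-9][a-jl-z0-9]$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@.*bath\.edu/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.ac\.com$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.org$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.ac\.org$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.uk\.ac$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bathuniversity\.co\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.ac[a-z0-9]\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath[a-z0-9]\.ac\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.[b-z0-9][a-z0-9]\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
        if (&User-Name =~ /@bath\.[a-z0-9][a-bd-z0-9]\.uk$/) {
            update request {
                &Module-Failure-Message += 'Rejected: Bad Realm'
            }
            reject
        }
    } else {
        ## No User-Name attribute in the request at all: reject it outright.
        update request {
            &Module-Failure-Message += 'Rejected: erm... WTF?!'
        }
        reject
    }
}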
