feat: Implement authentication rate limiting (fail2ban-like) #155

Merged
inureyes merged 3 commits into main from feature/auth-rate-limiting
Jan 24, 2026

@inureyes
Member

Summary

  • Add AuthRateLimiter with ban support to protect against brute-force attacks
  • Track failed authentication attempts per IP address with automatic banning
  • Add configuration options for auth window and IP whitelist
  • Integrate rate limiter with SSH handler for both public key and password auth

Changes

New Files

  • src/server/security/mod.rs - Security module root
  • src/server/security/rate_limit.rs - AuthRateLimiter implementation with 12 unit tests

Modified Files

  • src/server/config/types.rs - Add auth_window and whitelist_ips to SecurityConfig
  • src/server/handler.rs - Integrate AuthRateLimiter with auth methods
  • src/server/mod.rs - Add security module and background cleanup task

Features

  • Failure tracking: Counts failed authentication attempts per IP
  • Automatic banning: Bans IPs that exceed the configured threshold
  • Time-based window: Failures outside the window are not counted
  • Configurable ban duration: Bans expire after the configured time
  • IP whitelist: Whitelisted IPs are never banned
  • Automatic cleanup: Expired records are cleaned up every 60 seconds
  • Audit logging: Logs ban events for monitoring

Configuration

security:
  max_auth_attempts: 5    # Maximum failed attempts before ban
  auth_window: 300        # Time window in seconds (default: 5 minutes)
  ban_time: 300           # Ban duration in seconds (default: 5 minutes)
  whitelist_ips:          # IPs exempt from rate limiting
    - 127.0.0.1

Test Plan

  • Unit tests for failure counting
  • Unit tests for ban after max attempts
  • Unit tests for ban expiration
  • Unit tests for whitelist IPs
  • Unit tests for success resets failures
  • Unit tests for cleanup functionality
  • All 929 existing tests pass
  • Manual testing with SSH client

Closes #140

Add AuthRateLimiter with ban support to protect against brute-force attacks:

- Track failed authentication attempts per IP address
- Automatically ban IPs that exceed max attempts within time window
- Configurable max attempts, time window, and ban duration
- IP whitelist support for trusted addresses
- Automatic cleanup of expired bans and failure records
- Background cleanup task running every 60 seconds

Configuration options added to SecurityConfig:
- auth_window: Time window for counting attempts (default: 300s)
- whitelist_ips: IPs exempt from rate limiting

Integration with SSH handler:
- Check if IP is banned before authentication
- Record failures and trigger bans on threshold
- Record success to reset failure counter
- Logging for ban events

Closes #140

@inureyes added the type:enhancement (New feature or request) and type:security (Security vulnerability or fix) labels on Jan 24, 2026

- Use configuration values instead of hardcoded values for auth_window and ban_time
- Integrate whitelist_ips from configuration with validation and logging
- Fix TOCTOU race condition in record_failure by removing entry atomically
- Add capacity limit (max_tracked_ips) to prevent memory exhaustion DoS
- Use HashSet for whitelist O(1) lookups instead of Vec O(n)
- Add auth rate limit config fields to ServerConfig
- Propagate security config from ServerFileConfig to ServerConfig
- Add test for capacity limit enforcement
- Fix code formatting (cargo fmt)
- Update ARCHITECTURE.md with Server Security Module documentation
- Update server-configuration.md with auth_window and whitelist_ips options
- All 930 tests passing, clippy clean
@inureyes
Member Author

PR Finalization Report

Project Structure Discovered

  • Project Type: Rust (Cargo.toml)
  • Test Framework: cargo test (930 tests)
  • Documentation System: Markdown docs in docs/architecture/
  • Multi-language Docs: No
  • Lint Tools: cargo fmt, cargo clippy

Checklist

Tests

  • Analyzed existing test structure (src/server/security/rate_limit.rs)
  • Identified test coverage: 13 comprehensive unit tests already present
  • Test coverage includes:
    • Failure counting and tracking
    • Ban triggering after max attempts
    • Ban expiration timing
    • IP whitelist functionality
    • Success resets failure counter
    • Time window expiration
    • Cleanup of expired records
    • Manual ban/unban operations
    • Multiple IP isolation
    • Clone shares state (thread safety)
    • Capacity limits for memory safety
    • Configuration accessors
  • All 930 tests passing

Documentation

  • ARCHITECTURE.md updated with Server Security Module section
  • server-configuration.md updated with:
    • auth_window configuration option
    • whitelist_ips configuration option
    • Improved security section documentation

Code Quality

  • cargo fmt: Fixed formatting issues (5 files)
  • cargo clippy: Clean (no warnings)
  • All tests passing

Changes Made

  • Fixed code formatting in src/server/mod.rs and src/server/security/rate_limit.rs
  • Added Server Security Module documentation to ARCHITECTURE.md
  • Added auth_window and whitelist_ips documentation to docs/architecture/server-configuration.md
  • Updated SshHandler documentation to mention auth rate limiting with ban support

Summary

The AuthRateLimiter implementation is comprehensive with 13 unit tests covering all major functionality. The code follows Rust best practices with proper async/await patterns, thread-safe data structures, and memory-safe design with capacity limits. Documentation has been updated to reflect the new security features.

@inureyes inureyes merged commit 51dc329 into main Jan 24, 2026
1 of 2 checks passed
@inureyes inureyes deleted the feature/auth-rate-limiting branch January 24, 2026 03:39
@inureyes inureyes self-assigned this Jan 24, 2026
@inureyes inureyes added the status:done Completed label Jan 24, 2026
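
The behaviour this PR describes (per-IP failure window, ban with expiry, whitelist, capacity limit, periodic cleanup), as an added sketch that is not the project's code. It is synchronous and takes `now` as a parameter so window and ban expiry can be checked without sleeping; `Limiter`, `tracked` and all method bodies are assumptions, and only the config key names and `record_failure` come from the page.

```rust
use std::collections::{HashMap, HashSet};
use std::net::IpAddr;
use std::time::{Duration, Instant};

// Hypothetical, simplified limiter; field names mirror the config keys on this page.
pub struct Limiter {
    max_auth_attempts: usize,
    auth_window: Duration,
    ban_time: Duration,
    max_tracked_ips: usize,
    whitelist_ips: HashSet<IpAddr>,           // O(1) whitelist lookups
    failures: HashMap<IpAddr, Vec<Instant>>,  // failure timestamps per IP
    bans: HashMap<IpAddr, Instant>,           // value = moment the ban expires
}

impl Limiter {
    pub fn new(max: usize, window_s: u64, ban_s: u64, cap: usize, wl: &[IpAddr]) -> Self {
        Limiter { max_auth_attempts: max, auth_window: Duration::from_secs(window_s),
            ban_time: Duration::from_secs(ban_s), max_tracked_ips: cap,
            whitelist_ips: wl.iter().copied().collect(),
            failures: HashMap::new(), bans: HashMap::new() }
    }
    pub fn is_banned(&self, ip: IpAddr, now: Instant) -> bool {
        self.bans.get(&ip).map_or(false, |&until| now < until)
    }
    /// Records one failed attempt; returns true if this failure triggers a ban.
    pub fn record_failure(&mut self, ip: IpAddr, now: Instant) -> bool {
        if self.whitelist_ips.contains(&ip) { return false; }
        if !self.failures.contains_key(&ip) && self.failures.len() >= self.max_tracked_ips {
            return false; // assumed policy at capacity: refuse to grow the table
        }
        let window = self.auth_window;
        let hits = self.failures.entry(ip).or_default();
        hits.retain(|&t| now.duration_since(t) < window); // failures outside the window do not count
        hits.push(now);
        if hits.len() < self.max_auth_attempts { return false; }
        self.failures.remove(&ip); // counter removed and ban set under the same &mut borrow
        self.bans.insert(ip, now + self.ban_time);
        true
    }
    pub fn record_success(&mut self, ip: IpAddr) { self.failures.remove(&ip); }
    /// Periodic cleanup: drop expired bans and failure lists with no entry inside the window.
    pub fn cleanup(&mut self, now: Instant) {
        let window = self.auth_window;
        self.bans.retain(|_, until| now < *until);
        self.failures.retain(|_, v| v.iter().any(|&t| now.duration_since(t) < window));
    }
    pub fn tracked(&self) -> usize { self.failures.len() }
}
```

The page does not say what the real limiter does once `max_tracked_ips` is reached. This sketch stops tracking new addresses, which bounds memory but leaves untracked addresses uncounted until cleanup frees slots, so the limit and the cleanup interval need sizing together.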