7x31/anylink
1
0
Fork 0
mirror of https://github.com/bjdgyc/anylink.git synced 2025-08-08 13:40:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

1.重构防爆逻辑,基于IP+UserName锁定(单位时间内,锁定相同IP下的相同用户,其它IP和用户不影响)

Browse Source 
2.增加基于用户的全局锁定
3.增加基于IP的全局锁定
4.用户单位时间内的请求频率限制(暂未开放)
This commit is contained in:
wsczx
2024-10-03 23:29:41 +08:00
parent 9e700830be
commit 2fedb281e8
4 changed files with 337 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

368
server/handler/antiBruteForce.go
View File

@@ -3,6 +3,8 @@ package handler
import (
"encoding/xml"
"io"
"log"
"net"
"net/http"
"strings"
"sync"
@@ -11,58 +13,31 @@ import (
"github.com/bjdgyc/anylink/base"
)
// UserState 用于存储用户的登录状态
type UserState struct {
FailureCount int
LastAttempt time.Time
LockTime time.Time
}
// 自定义 contextKey 类型,避免键冲突
type contextKey string
// 定义常量作为上下文的键
const loginStatusKey contextKey = "login_status"
// 用户状态映射
var userStates = make(map[string]*UserState)
var mu sync.Mutex
func init() {
go cleanupUserStates()
}
// 清理过期的登录状态
func cleanupUserStates() {
ticker := time.NewTicker(1 * time.Minute)
defer ticker.Stop()
for range ticker.C {
mu.Lock()
now := time.Now()
for username, state := range userStates {
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.UserStateExpiration)*time.Second {
delete(userStates, username)
}
}
mu.Unlock()
}
lockManager.startCleanupTicker()
}
// 防爆破中间件
func antiBruteForce(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// 如果最大验证失败次数为0则不启用防爆破功能
if base.Cfg.MaxBanCount == 0 {
// 防爆破功能全局开关
if !base.Cfg.AntiBruteForce {
next.ServeHTTP(w, r)
return
}
body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
r.Body.Close()
defer r.Body.Close()
cr := ClientRequest{}
err = xml.Unmarshal(body, &cr)
@@ -72,35 +47,49 @@ func antiBruteForce(next http.Handler) http.Handler {
}
username := cr.Auth.Username
// 更新用户登录状态
mu.Lock()
state, exists := userStates[username]
if !exists {
state = &UserState{}
userStates[username] = state
}
// 检查是否已超过锁定时间
if !state.LockTime.IsZero() {
if time.Now().After(state.LockTime) {
// 如果已经超过了锁定时间,重置失败计数和锁定时间
state.FailureCount = 0
state.LockTime = time.Time{}
} else {
// 如果还在锁定时间内,返回错误信息
http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
mu.Unlock()
return
}
ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址,去掉端口号
if err != nil {
http.Error(w, "Unable to parse IP address", http.StatusInternalServerError)
return
}
// 如果超过时间窗口,重置失败计数
if time.Since(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
state.FailureCount = 0
now := time.Now()
// // 速率限制
// lockManager.mu.RLock()
// limiter, exists := lockManager.rateLimiter[ip]
// if !exists {
// limiter = rate.NewLimiter(rate.Limit(base.Cfg.RateLimit), base.Cfg.Burst)
// lockManager.rateLimiter[ip] = limiter
// }
// lockManager.mu.RUnlock()
// if !limiter.Allow() {
// log.Printf("Rate limit exceeded for IP %s. Try again later.", ip)
// http.Error(w, "Rate limit exceeded. Try again later.", http.StatusTooManyRequests)
// return
// }
// 检查全局 IP 锁定
if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.checkGlobalIPLock(ip, now) {
log.Printf("IP %s is globally locked. Try again later.", ip)
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
state.LastAttempt = time.Now()
mu.Unlock()
// 检查全局用户锁定
if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.checkGlobalUserLock(username, now) {
log.Printf("User %s is globally locked. Try again later.", username)
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 检查单个用户的 IP 锁定
if base.Cfg.MaxBanCount > 0 && lockManager.checkUserIPLock(username, ip, now) {
log.Printf("IP %s is locked for user %s. Try again later.", ip, username)
http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 重新设置请求体以便后续处理器可以访问
r.Body = io.NopCloser(strings.NewReader(string(body)))
@@ -109,23 +98,256 @@ func antiBruteForce(next http.Handler) http.Handler {
next.ServeHTTP(w, r)
// 从 context 中获取登录状态
loginStatus, ok := r.Context().Value(loginStatusKey).(bool)
if !ok {
// 如果没有找到登录状态,默认为登录失败
loginStatus = false
}
loginStatus, _ := r.Context().Value(loginStatusKey).(bool)
// 更新用户登录状态
mu.Lock()
defer mu.Unlock()
if !loginStatus {
state.FailureCount++
if state.FailureCount >= base.Cfg.MaxBanCount {
state.LockTime = time.Now().Add(time.Duration(base.Cfg.LockTime) * time.Second)
}
} else {
state.FailureCount = 0 // 成功登录后重置
}
lockManager.updateGlobalIPLock(ip, now, loginStatus)
lockManager.updateGlobalUserLock(username, now, loginStatus)
lockManager.updateUserIPLock(username, ip, now, loginStatus)
})
}
type LockState struct {
FailureCount int
LockTime time.Time
LastAttempt time.Time
}
type LockManager struct {
mu sync.RWMutex
ipLocks map[string]*LockState // 全局IP锁定状态
userLocks map[string]*LockState // 全局用户锁定状态
ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
// rateLimiter map[string]*rate.Limiter // 速率限制器
cleanupTicker *time.Ticker
}
var lockManager = &LockManager{
ipLocks: make(map[string]*LockState),
userLocks: make(map[string]*LockState),
ipUserLocks: make(map[string]map[string]*LockState),
// rateLimiter: make(map[string]*rate.Limiter),
}
func (lm *LockManager) startCleanupTicker() {
lm.cleanupTicker = time.NewTicker(1 * time.Minute)
go func() {
for range lm.cleanupTicker.C {
lm.cleanupExpiredLocks()
}
}()
}
// 定期清理过期的锁定
func (lm *LockManager) cleanupExpiredLocks() {
go func() {
for range time.Tick(5 * time.Minute) {
now := time.Now()
var ipKeys, userKeys []string
var IPuserKeys []struct{ user, ip string }
lm.mu.Lock()
for ip, state := range lm.ipLocks {
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
ipKeys = append(ipKeys, ip)
}
}
for user, state := range lm.userLocks {
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
userKeys = append(userKeys, user)
}
}
for user, ipMap := range lm.ipUserLocks {
for ip, state := range ipMap {
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
}
}
}
lm.mu.Unlock()
lm.mu.Lock()
for _, ip := range ipKeys {
delete(lm.ipLocks, ip)
}
for _, user := range userKeys {
delete(lm.userLocks, user)
}
for _, key := range IPuserKeys {
delete(lm.ipUserLocks[key.user], key.ip)
if len(lm.ipUserLocks[key.user]) == 0 {
delete(lm.ipUserLocks, key.user)
}
}
lm.mu.Unlock()
}
}()
}
// 检查全局 IP 锁定
func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
lm.mu.RLock()
defer lm.mu.RUnlock()
state, exists := lm.ipLocks[ip]
if !exists {
return false
}
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
// 如果超过时间窗口,重置失败计数
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
state.FailureCount = 0
state.LockTime = time.Time{}
}
return false
}
// 检查全局用户锁定
func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool {
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
if username == "" {
return false
}
lm.mu.RLock()
defer lm.mu.RUnlock()
state, exists := lm.userLocks[username]
if !exists {
return false
}
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
// 如果超过时间窗口,重置失败计数
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
state.FailureCount = 0
state.LockTime = time.Time{}
}
return false
}
// 检查单个用户的 IP 锁定
func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool {
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
if username == "" {
return false
}
lm.mu.RLock()
defer lm.mu.RUnlock()
userIPMap, userExists := lm.ipUserLocks[username]
if !userExists {
return false
}
state, ipExists := userIPMap[ip]
if !ipExists {
return false
}
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
// 如果超过时间窗口,重置失败计数
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
state.FailureCount = 0
state.LockTime = time.Time{}
}
return false
}
// 更新全局 IP 锁定状态
func (lm *LockManager) updateGlobalIPLock(ip string, now time.Time, success bool) {
lm.mu.Lock()
defer lm.mu.Unlock()
state, exists := lm.ipLocks[ip]
if !exists {
state = &LockState{}
lm.ipLocks[ip] = state
}
if success {
state.FailureCount = 0
state.LockTime = time.Time{}
} else {
state.FailureCount++
if state.FailureCount >= base.Cfg.MaxGlobalIPBanCount {
state.LockTime = now.Add(time.Duration(base.Cfg.GlobalIPLockTime) * time.Second)
}
}
state.LastAttempt = now
}
// 更新全局用户锁定状态
func (lm *LockManager) updateGlobalUserLock(username string, now time.Time, success bool) {
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
if username == "" {
return
}
lm.mu.Lock()
defer lm.mu.Unlock()
state, exists := lm.userLocks[username]
if !exists {
state = &LockState{}
lm.userLocks[username] = state
}
if success {
state.FailureCount = 0
state.LockTime = time.Time{}
} else {
state.FailureCount++
if state.FailureCount >= base.Cfg.MaxGlobalUserBanCount {
state.LockTime = now.Add(time.Duration(base.Cfg.GlobalUserLockTime) * time.Second)
}
}
state.LastAttempt = now
}
// 更新单个用户的 IP 锁定状态
func (lm *LockManager) updateUserIPLock(username, ip string, now time.Time, success bool) {
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
if username == "" {
return
}
lm.mu.Lock()
defer lm.mu.Unlock()
userIPMap, userExists := lm.ipUserLocks[username]
if !userExists {
userIPMap = make(map[string]*LockState)
lm.ipUserLocks[username] = userIPMap
}
state, ipExists := userIPMap[ip]
if !ipExists {
state = &LockState{}
userIPMap[ip] = state
}
if success {
state.FailureCount = 0
state.LockTime = time.Time{}
} else {
state.FailureCount++
if state.FailureCount >= base.Cfg.MaxBanCount {
state.LockTime = now.Add(time.Duration(base.Cfg.LockTime) * time.Second)
}
}
state.LastAttempt = now
}