From 59748fe39506b16c35ed01f8d1d3564d485c3836 Mon Sep 17 00:00:00 2001
From: wsczx
Date: Fri, 4 Oct 2024 11:55:46 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E9=94=81=E5=AE=9A=E7=8A=B6?=
 =?UTF-8?q?=E6=80=81=E8=AE=B0=E5=BD=95=E7=94=9F=E5=91=BD=E5=91=A8=E6=9C=9F?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E9=A1=B9=EF=BC=8C=E4=BC=98=E5=8C=96=E6=B8=85?=
 =?UTF-8?q?=E7=90=86=E5=86=85=E5=AD=98=E7=9A=84=E5=AE=9A=E6=97=B6=E5=99=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/base/cfg.go | 2 +
 server/base/config.go | 8 +--
 server/conf/server.toml | 7 ++-
 server/handler/antiBruteForce.go | 86 ++++++++++++++++----------------
 4 files changed, 54 insertions(+), 49 deletions(-)
diff --git a/server/base/cfg.go b/server/base/cfg.go
index 96dca98..d0afc8f 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -98,6 +98,8 @@ type ServerConfig struct {
 MaxGlobalIPBanCount int `json:"max_global_ip_ban_count"`
 GlobalIPBanResetTime int `json:"global_ip_ban_reset_time"`
 GlobalIPLockTime int `json:"global_ip_lock_time"`
+
+ GlobalLockStateExpirationTime int `json:"global_lock_state_expiration_time"`
 }

 func initServerCfg() {
diff --git a/server/base/config.go b/server/base/config.go
index 3fc434f..cd10674 100644
--- a/server/base/config.go
+++ b/server/base/config.go
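Review bot: The new `GlobalLockStateExpirationTime` field carries no doc comment, and the one fact a reader needs is its relation to the existing lock durations: the cleanup sweep later in this patch deletes any record whose `LastAttempt` is older than this value, so a value below `lock_time`, `global_user_lock_time` or `global_ip_lock_time` would drop a record while it is presumably still locked (the lock check that reads these records is not in the diff, so this is inferred). Suggest `// GlobalLockStateExpirationTime is how long (seconds) an idle lock record is kept before the periodic cleanup deletes it; keep it at or above the largest lock time, otherwise an active lock is dropped early.` on the field. The other fields in this struct are undocumented too, but this one introduces a cross-option constraint the others do not have.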
@@ -74,17 +74,19 @@ var configs = []config{
 {Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
- {Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数,0为关闭防爆功能", ValInt: 5},
+ {Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数,0为关闭该功能", ValInt: 5},
 {Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒),超过则重置计数", ValInt: 10},
 {Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
- {Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数", ValInt: 20},
+ {Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数,0为关闭该功能", ValInt: 20},
 {Typ: cfgInt, Name: "global_user_ban_reset_time", Usage: "全局用户设置单位时间(秒)", ValInt: 600},
 {Typ: cfgInt, Name: "global_user_lock_time", Usage: "全局用户锁定时间(秒)", ValInt: 300},
- {Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数", ValInt: 40},
+ {Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数,0为关闭该功能", ValInt: 40},
 {Typ: cfgInt, Name: "global_ip_ban_reset_time", Usage: "全局IP设置单位时间(秒)", ValInt: 1200},
 {Typ: cfgInt, Name: "global_ip_lock_time", Usage: "全局IP锁定时间(秒)", ValInt: 300},
+
+ {Typ: cfgInt, Name: "global_lock_state_expiration_time", Usage: "全局锁定状态的保存生命周期(秒),超过则删除记录", ValInt: 3600},
 }
 var envs = map[string]string{}
diff --git a/server/conf/server.toml b/server/conf/server.toml
index 418a799..eb8706b 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -53,10 +53,10 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
-#防爆全局开关
+#防爆破全局开关
 anti_brute_force = true
-#单位时间内最大尝试次数,0为全局关闭防爆功能
+#单位时间内最大尝试次数,0为关闭该功能
 max_ban_score = 5
 #设置单位时间(秒),超过则重置计数
 ban_reset_time = 10
@@ -77,5 +77,8 @@ global_ip_ban_reset_time = 1200
 #全局IP锁定时间(秒)
 global_ip_lock_time = 300
+#全局锁定状态的保存生命周期(秒),超过则删除记录
+global_lock_state_expiration_time = 3600
+
 #客户端显示详细错误信息(线上环境慎开启)
 display_error = true
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 507856c..8a8a888 100644
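Review bot: The new `global_lock_state_expiration_time` entry says nothing about 0, while the three neighbouring Usage strings this hunk edits now promise that 0 disables a feature; an operator who carries that convention over gets the opposite effect, because in cleanupExpiredLocks (later in this patch) a value of 0 makes `now.Sub(state.LastAttempt) > 0` true for every record, so the next sweep wipes all lock state instead of keeping it forever. Either clamp the value to no less than the largest configured lock time where the config is loaded, or extend the Usage text to say the value must not be below the lock durations and that 0 is not a "disable" setting. The edited Usage strings also now state that 0 turns off the global user and IP limits, but this commit changes no check code; confirm the handler already treats 0 as disabled for those two counters rather than as "lock on the first attempt".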
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -20,7 +20,9 @@ type contextKey string
 const loginStatusKey contextKey = "login_status"

 func init() {
- lockManager.startCleanupTicker()
+ if base.Cfg.AntiBruteForce {
+ lockManager.startCleanupTicker()
+ }
 }

 // 防爆破中间件
@@ -130,7 +132,7 @@ var lockManager = &LockManager{
 }

 func (lm *LockManager) startCleanupTicker() {
- lm.cleanupTicker = time.NewTicker(1 * time.Minute)
+ lm.cleanupTicker = time.NewTicker(5 * time.Minute)
 go func() {
 for range lm.cleanupTicker.C {
 lm.cleanupExpiredLocks()
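Review bot: Gating the ticker on `base.Cfg.AntiBruteForce` inside `init()` reads the config at package-initialisation time; if `base.Cfg` is filled in later by `initServerCfg()` (visible as trailing context in the cfg.go hunk) rather than by a package-level init in `base`, the field is still false here, the cleanup goroutine never starts even when the feature is enabled, and `ipLocks`, `userLocks` and `ipUserLocks` then grow without bound as distinct source addresses and user names accumulate. Whether that ordering holds is not visible in this diff; if it does not, move the call to the point where the config is known to be loaded, or start the ticker lazily from the middleware guarded by a `sync.Once`. The previous code started the ticker unconditionally, so this ordering dependency is new with this commit.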
@@ -140,51 +142,47 @@ func (lm *LockManager) startCleanupTicker() {

 // 定期清理过期的锁定
 func (lm *LockManager) cleanupExpiredLocks() {
- go func() {
- for range time.Tick(5 * time.Minute) {
- now := time.Now()
+ now := time.Now()

- var ipKeys, userKeys []string
- var IPuserKeys []struct{ user, ip string }
+ var ipKeys, userKeys []string
+ var IPuserKeys []struct{ user, ip string }

- lm.mu.Lock()
- for ip, state := range lm.ipLocks {
- if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
- ipKeys = append(ipKeys, ip)
- }
- }
-
- for user, state := range lm.userLocks {
- if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
- userKeys = append(userKeys, user)
- }
- }
-
- for user, ipMap := range lm.ipUserLocks {
- for ip, state := range ipMap {
- if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
- IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
- }
- }
- }
- lm.mu.Unlock()
-
- lm.mu.Lock()
- for _, ip := range ipKeys {
- delete(lm.ipLocks, ip)
- }
- for _, user := range userKeys {
- delete(lm.userLocks, user)
- }
- for _, key := range IPuserKeys {
- delete(lm.ipUserLocks[key.user], key.ip)
- if len(lm.ipUserLocks[key.user]) == 0 {
- delete(lm.ipUserLocks, key.user)
- }
- }
- lm.mu.Unlock()
+ lm.mu.Lock()
+ for ip, state := range lm.ipLocks {
+ if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+ ipKeys = append(ipKeys, ip)
 }
- }()
+ }
+
+ for user, state := range lm.userLocks {
+ if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+ userKeys = append(userKeys, user)
+ }
+ }
+
+ for user, ipMap := range lm.ipUserLocks {
+ for ip, state := range ipMap {
+ if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+ IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
+ }
+ }
+ }
+ lm.mu.Unlock()
+
+ lm.mu.Lock()
+ for _, ip := range ipKeys {
+ delete(lm.ipLocks, ip)
+ }
+ for _, user := range userKeys {
+ delete(lm.userLocks, user)
+ }
+ for _, key := range IPuserKeys {
+ delete(lm.ipUserLocks[key.user], key.ip)
+ if len(lm.ipUserLocks[key.user]) == 0 {
+ delete(lm.ipUserLocks, key.user)
+ }
+ }
+ lm.mu.Unlock()
 }

 // 检查全局 IP 锁定