mirror of https://github.com/bjdgyc/anylink.git
优化代码,为后续手动管理锁定状态做准备
This commit is contained in:
wsczx
parent
f8685490dc
commit
5f7b11954a
|
|
@ -0,0 +1,391 @@
|
|||
package admin
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/bjdgyc/anylink/base"
|
||||
)
|
||||
|
||||
type LockInfo struct {
|
||||
Description string `json:"description"` // 锁定原因
|
||||
Username string `json:"username"` // 用户名
|
||||
IP string `json:"ip"` // IP 地址
|
||||
State *LockState `json:"state"` // 锁定状态信息
|
||||
}
|
||||
type LockState struct {
|
||||
Locked bool `json:"locked"` // 是否锁定
|
||||
FailureCount int `json:"attempts"` // 失败次数
|
||||
LockTime time.Time `json:"lock_time"` // 锁定截止时间
|
||||
LastAttempt time.Time `json:"lastAttempt"` // 最后一次尝试的时间
|
||||
}
|
||||
type IPWhitelists struct {
|
||||
IP net.IP
|
||||
CIDR *net.IPNet
|
||||
}
|
||||
|
||||
type LockManager struct {
|
||||
mu sync.Mutex
|
||||
LoginStatus sync.Map // 登录状态
|
||||
ipLocks map[string]*LockState // 全局IP锁定状态
|
||||
userLocks map[string]*LockState // 全局用户锁定状态
|
||||
ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
|
||||
ipWhitelists []IPWhitelists // 全局IP白名单,包含IP地址和CIDR范围
|
||||
cleanupTicker *time.Ticker
|
||||
}
|
||||
|
||||
var lockmanager *LockManager
|
||||
var once sync.Once
|
||||
|
||||
func GetLockManager() *LockManager {
|
||||
once.Do(func() {
|
||||
lockmanager = &LockManager{
|
||||
LoginStatus: sync.Map{},
|
||||
ipLocks: make(map[string]*LockState),
|
||||
userLocks: make(map[string]*LockState),
|
||||
ipUserLocks: make(map[string]map[string]*LockState),
|
||||
ipWhitelists: make([]IPWhitelists, 0),
|
||||
}
|
||||
})
|
||||
return lockmanager
|
||||
}
|
||||
|
||||
const defaultGlobalLockStateExpirationTime = 3600
|
||||
|
||||
func InitLockManager() {
|
||||
lm := GetLockManager()
|
||||
if base.Cfg.AntiBruteForce {
|
||||
if base.Cfg.GlobalLockStateExpirationTime <= 0 {
|
||||
base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
|
||||
}
|
||||
lm.StartCleanupTicker()
|
||||
lm.InitIPWhitelist()
|
||||
}
|
||||
}
|
||||
|
||||
func GetLocksInfo(w http.ResponseWriter, r *http.Request) {
|
||||
lm := GetLockManager()
|
||||
locksInfo := lm.GetLocksInfo()
|
||||
|
||||
RespSucess(w, locksInfo)
|
||||
}
|
||||
|
||||
func UnlockUser(w http.ResponseWriter, r *http.Request) {
|
||||
body, err := io.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
RespError(w, RespInternalErr, err)
|
||||
return
|
||||
}
|
||||
lockinfo := LockInfo{}
|
||||
if err := json.Unmarshal(body, &lockinfo); err != nil {
|
||||
RespError(w, RespInternalErr, err)
|
||||
return
|
||||
}
|
||||
|
||||
if lockinfo.State == nil {
|
||||
RespError(w, RespInternalErr, fmt.Errorf("未找到锁定用户!"))
|
||||
return
|
||||
}
|
||||
lm := GetLockManager()
|
||||
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
lm.Unlock(lockinfo.State)
|
||||
base.Info("解锁成功:", lockinfo.Description, lockinfo.Username, lockinfo.IP)
|
||||
|
||||
RespSucess(w, "解锁成功!")
|
||||
}
|
||||
|
||||
func (lm *LockManager) GetLocksInfo() []LockInfo {
|
||||
var locksInfo []LockInfo
|
||||
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
for ip, state := range lm.ipLocks {
|
||||
if state.Locked {
|
||||
info := LockInfo{
|
||||
Description: "全局 IP 锁定",
|
||||
Username: "",
|
||||
IP: ip,
|
||||
State: &LockState{
|
||||
Locked: state.Locked,
|
||||
FailureCount: state.FailureCount,
|
||||
LockTime: state.LockTime,
|
||||
LastAttempt: state.LastAttempt,
|
||||
},
|
||||
}
|
||||
locksInfo = append(locksInfo, info)
|
||||
}
|
||||
}
|
||||
|
||||
for username, state := range lm.userLocks {
|
||||
if state.Locked {
|
||||
info := LockInfo{
|
||||
Description: "全局用户锁定",
|
||||
Username: username,
|
||||
IP: "",
|
||||
State: &LockState{
|
||||
Locked: state.Locked,
|
||||
FailureCount: state.FailureCount,
|
||||
LockTime: state.LockTime,
|
||||
LastAttempt: state.LastAttempt,
|
||||
},
|
||||
}
|
||||
locksInfo = append(locksInfo, info)
|
||||
}
|
||||
}
|
||||
|
||||
for username, ipStates := range lm.ipUserLocks {
|
||||
for ip, state := range ipStates {
|
||||
if state.Locked {
|
||||
info := LockInfo{
|
||||
Description: "单用户 IP 锁定",
|
||||
Username: username,
|
||||
IP: ip,
|
||||
State: &LockState{
|
||||
Locked: state.Locked,
|
||||
FailureCount: state.FailureCount,
|
||||
LockTime: state.LockTime,
|
||||
LastAttempt: state.LastAttempt,
|
||||
},
|
||||
}
|
||||
locksInfo = append(locksInfo, info)
|
||||
}
|
||||
}
|
||||
}
|
||||
return locksInfo
|
||||
}
|
||||
|
||||
// 初始化IP白名单
|
||||
func (lm *LockManager) InitIPWhitelist() {
|
||||
ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
|
||||
for _, ipWhitelist := range ipWhitelist {
|
||||
ipWhitelist = strings.TrimSpace(ipWhitelist)
|
||||
if ipWhitelist == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
_, ipNet, err := net.ParseCIDR(ipWhitelist)
|
||||
if err == nil {
|
||||
lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
|
||||
continue
|
||||
}
|
||||
|
||||
ip := net.ParseIP(ipWhitelist)
|
||||
if ip != nil {
|
||||
lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// 检查 IP 是否在白名单中
|
||||
func (lm *LockManager) IsWhitelisted(ip string) bool {
|
||||
clientIP := net.ParseIP(ip)
|
||||
if clientIP == nil {
|
||||
return false
|
||||
}
|
||||
for _, ipWhitelist := range lm.ipWhitelists {
|
||||
if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
|
||||
return true
|
||||
}
|
||||
if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (lm *LockManager) StartCleanupTicker() {
|
||||
lm.cleanupTicker = time.NewTicker(5 * time.Minute)
|
||||
go func() {
|
||||
for range lm.cleanupTicker.C {
|
||||
lm.CleanupExpiredLocks()
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
// 定期清理过期的锁定
|
||||
func (lm *LockManager) CleanupExpiredLocks() {
|
||||
now := time.Now()
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
for ip, state := range lm.ipLocks {
|
||||
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
|
||||
delete(lm.ipLocks, ip)
|
||||
}
|
||||
}
|
||||
|
||||
for user, state := range lm.userLocks {
|
||||
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
|
||||
delete(lm.userLocks, user)
|
||||
}
|
||||
}
|
||||
|
||||
for user, ipMap := range lm.ipUserLocks {
|
||||
for ip, state := range ipMap {
|
||||
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
|
||||
delete(ipMap, ip)
|
||||
if len(ipMap) == 0 {
|
||||
delete(lm.ipUserLocks, user)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// 检查全局 IP 锁定
|
||||
func (lm *LockManager) CheckGlobalIPLock(ip string, now time.Time) bool {
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.ipLocks[ip]
|
||||
if !exists {
|
||||
return false
|
||||
}
|
||||
|
||||
return lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime)
|
||||
}
|
||||
|
||||
// 检查全局用户锁定
|
||||
func (lm *LockManager) CheckGlobalUserLock(username string, now time.Time) bool {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return false
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.userLocks[username]
|
||||
if !exists {
|
||||
return false
|
||||
}
|
||||
return lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime)
|
||||
}
|
||||
|
||||
// 检查单个用户的 IP 锁定
|
||||
func (lm *LockManager) CheckUserIPLock(username, ip string, now time.Time) bool {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return false
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
userIPMap, userExists := lm.ipUserLocks[username]
|
||||
if !userExists {
|
||||
return false
|
||||
}
|
||||
|
||||
state, ipExists := userIPMap[ip]
|
||||
if !ipExists {
|
||||
return false
|
||||
}
|
||||
|
||||
return lm.CheckLockState(state, now, base.Cfg.BanResetTime)
|
||||
}
|
||||
|
||||
// 更新全局 IP 锁定状态
|
||||
func (lm *LockManager) UpdateGlobalIPLock(ip string, now time.Time, success bool) {
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.ipLocks[ip]
|
||||
if !exists {
|
||||
state = &LockState{}
|
||||
lm.ipLocks[ip] = state
|
||||
}
|
||||
|
||||
lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
|
||||
}
|
||||
|
||||
// 更新全局用户锁定状态
|
||||
func (lm *LockManager) UpdateGlobalUserLock(username string, now time.Time, success bool) {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.userLocks[username]
|
||||
if !exists {
|
||||
state = &LockState{}
|
||||
lm.userLocks[username] = state
|
||||
}
|
||||
|
||||
lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
|
||||
}
|
||||
|
||||
// 更新单个用户的 IP 锁定状态
|
||||
func (lm *LockManager) UpdateUserIPLock(username, ip string, now time.Time, success bool) {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
userIPMap, userExists := lm.ipUserLocks[username]
|
||||
if !userExists {
|
||||
userIPMap = make(map[string]*LockState)
|
||||
lm.ipUserLocks[username] = userIPMap
|
||||
}
|
||||
|
||||
state, ipExists := userIPMap[ip]
|
||||
if !ipExists {
|
||||
state = &LockState{}
|
||||
userIPMap[ip] = state
|
||||
}
|
||||
|
||||
lm.UpdateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
|
||||
}
|
||||
|
||||
// 更新锁定状态
|
||||
func (lm *LockManager) UpdateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
|
||||
if success {
|
||||
lm.Unlock(state) // 成功登录后解锁
|
||||
} else {
|
||||
state.FailureCount++
|
||||
if state.FailureCount >= maxBanCount {
|
||||
state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
|
||||
state.Locked = true // 超过阈值时锁定
|
||||
}
|
||||
}
|
||||
state.LastAttempt = now
|
||||
}
|
||||
|
||||
// 检查锁定状态
|
||||
func (lm *LockManager) CheckLockState(state *LockState, now time.Time, resetTime int) bool {
|
||||
if state == nil || state.LastAttempt.IsZero() {
|
||||
return false
|
||||
}
|
||||
|
||||
// 如果超过锁定时间,重置锁定状态
|
||||
if !state.LockTime.IsZero() && now.After(state.LockTime) {
|
||||
lm.Unlock(state) // 锁定期过后解锁
|
||||
return false
|
||||
}
|
||||
// 如果超过窗口时间,重置失败计数
|
||||
if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
|
||||
state.FailureCount = 0
|
||||
return false
|
||||
}
|
||||
return state.Locked
|
||||
}
|
||||
|
||||
// 解锁
|
||||
func (lm *LockManager) Unlock(state *LockState) {
|
||||
state.FailureCount = 0
|
||||
state.LockTime = time.Time{}
|
||||
state.Locked = false
|
||||
}
|
||||
|
|
@ -87,6 +87,7 @@ func StartAdmin() {
|
|||
r.HandleFunc("/group/auth_login", GroupAuthLogin)
|
||||
|
||||
r.HandleFunc("/statsinfo/list", StatsInfoList)
|
||||
r.HandleFunc("/locksinfo/list", GetLocksInfo)
|
||||
|
||||
// pprof
|
||||
if base.Cfg.Pprof {
|
||||
|
|
|
|||
|
|
@ -6,24 +6,15 @@ import (
|
|||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/bjdgyc/anylink/admin"
|
||||
"github.com/bjdgyc/anylink/base"
|
||||
)
|
||||
|
||||
const loginStatusKey = "login_status"
|
||||
const defaultGlobalLockStateExpirationTime = 3600
|
||||
var lockManager = admin.GetLockManager()
|
||||
|
||||
func initAntiBruteForce() {
|
||||
if base.Cfg.AntiBruteForce {
|
||||
if base.Cfg.GlobalLockStateExpirationTime <= 0 {
|
||||
base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
|
||||
}
|
||||
lockManager.startCleanupTicker()
|
||||
lockManager.initIPWhitelist()
|
||||
}
|
||||
}
|
||||
const loginStatusKey = "login_status"
|
||||
|
||||
// 防爆破中间件
|
||||
func antiBruteForce(next http.Handler) http.Handler {
|
||||
|
|
@ -71,43 +62,28 @@ func antiBruteForce(next http.Handler) http.Handler {
|
|||
|
||||
now := time.Now()
|
||||
// 检查IP是否在白名单中
|
||||
if lockManager.isWhitelisted(ip) {
|
||||
if lockManager.IsWhitelisted(ip) {
|
||||
r.Body = io.NopCloser(strings.NewReader(string(body)))
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// // 速率限制
|
||||
// lockManager.mu.RLock()
|
||||
// limiter, exists := lockManager.rateLimiter[ip]
|
||||
// if !exists {
|
||||
// limiter = rate.NewLimiter(rate.Limit(base.Cfg.RateLimit), base.Cfg.Burst)
|
||||
// lockManager.rateLimiter[ip] = limiter
|
||||
// }
|
||||
// lockManager.mu.RUnlock()
|
||||
|
||||
// if !limiter.Allow() {
|
||||
// log.Printf("Rate limit exceeded for IP %s. Try again later.", ip)
|
||||
// http.Error(w, "Rate limit exceeded. Try again later.", http.StatusTooManyRequests)
|
||||
// return
|
||||
// }
|
||||
|
||||
// 检查全局 IP 锁定
|
||||
if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.checkGlobalIPLock(ip, now) {
|
||||
if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.CheckGlobalIPLock(ip, now) {
|
||||
base.Warn("IP", ip, "is globally locked. Try again later.")
|
||||
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
|
||||
return
|
||||
}
|
||||
|
||||
// 检查全局用户锁定
|
||||
if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.checkGlobalUserLock(username, now) {
|
||||
if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.CheckGlobalUserLock(username, now) {
|
||||
base.Warn("User", username, "is globally locked. Try again later.")
|
||||
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
|
||||
return
|
||||
}
|
||||
|
||||
// 检查单个用户的 IP 锁定
|
||||
if base.Cfg.MaxBanCount > 0 && lockManager.checkUserIPLock(username, ip, now) {
|
||||
if base.Cfg.MaxBanCount > 0 && lockManager.CheckUserIPLock(username, ip, now) {
|
||||
base.Warn("IP", ip, "is locked for user", username, "Try again later.")
|
||||
http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
|
||||
return
|
||||
|
|
@ -120,285 +96,15 @@ func antiBruteForce(next http.Handler) http.Handler {
|
|||
next.ServeHTTP(w, r)
|
||||
|
||||
// 检查登录状态
|
||||
Status, _ := lockManager.loginStatus.Load(loginStatusKey)
|
||||
Status, _ := lockManager.LoginStatus.Load(loginStatusKey)
|
||||
loginStatus, _ := Status.(bool)
|
||||
|
||||
// 更新用户登录状态
|
||||
lockManager.updateGlobalIPLock(ip, now, loginStatus)
|
||||
lockManager.updateGlobalUserLock(username, now, loginStatus)
|
||||
lockManager.updateUserIPLock(username, ip, now, loginStatus)
|
||||
lockManager.UpdateGlobalIPLock(ip, now, loginStatus)
|
||||
lockManager.UpdateGlobalUserLock(username, now, loginStatus)
|
||||
lockManager.UpdateUserIPLock(username, ip, now, loginStatus)
|
||||
|
||||
// 清除登录状态
|
||||
lockManager.loginStatus.Delete(loginStatusKey)
|
||||
lockManager.LoginStatus.Delete(loginStatusKey)
|
||||
})
|
||||
}
|
||||
|
||||
type LockState struct {
|
||||
FailureCount int
|
||||
LockTime time.Time
|
||||
LastAttempt time.Time
|
||||
}
|
||||
type IPWhitelists struct {
|
||||
IP net.IP
|
||||
CIDR *net.IPNet
|
||||
}
|
||||
|
||||
type LockManager struct {
|
||||
mu sync.Mutex
|
||||
loginStatus sync.Map // 登录状态
|
||||
ipLocks map[string]*LockState // 全局IP锁定状态
|
||||
userLocks map[string]*LockState // 全局用户锁定状态
|
||||
ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
|
||||
ipWhitelists []IPWhitelists // 全局IP白名单,包含IP地址和CIDR范围
|
||||
// rateLimiter map[string]*rate.Limiter // 速率限制器
|
||||
cleanupTicker *time.Ticker
|
||||
}
|
||||
|
||||
var lockManager = &LockManager{
|
||||
loginStatus: sync.Map{},
|
||||
ipLocks: make(map[string]*LockState),
|
||||
userLocks: make(map[string]*LockState),
|
||||
ipUserLocks: make(map[string]map[string]*LockState),
|
||||
ipWhitelists: make([]IPWhitelists, 0),
|
||||
// rateLimiter: make(map[string]*rate.Limiter),
|
||||
}
|
||||
|
||||
// 初始化IP白名单
|
||||
func (lm *LockManager) initIPWhitelist() {
|
||||
ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
|
||||
for _, ipWhitelist := range ipWhitelist {
|
||||
ipWhitelist = strings.TrimSpace(ipWhitelist)
|
||||
if ipWhitelist == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
_, ipNet, err := net.ParseCIDR(ipWhitelist)
|
||||
if err == nil {
|
||||
lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
|
||||
continue
|
||||
}
|
||||
|
||||
ip := net.ParseIP(ipWhitelist)
|
||||
if ip != nil {
|
||||
lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// 检查 IP 是否在白名单中
|
||||
func (lm *LockManager) isWhitelisted(ip string) bool {
|
||||
clientIP := net.ParseIP(ip)
|
||||
if clientIP == nil {
|
||||
return false
|
||||
}
|
||||
for _, ipWhitelist := range lm.ipWhitelists {
|
||||
if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
|
||||
return true
|
||||
}
|
||||
if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (lm *LockManager) startCleanupTicker() {
|
||||
lm.cleanupTicker = time.NewTicker(5 * time.Minute)
|
||||
go func() {
|
||||
for range lm.cleanupTicker.C {
|
||||
lm.cleanupExpiredLocks()
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
// 定期清理过期的锁定
|
||||
func (lm *LockManager) cleanupExpiredLocks() {
|
||||
now := time.Now()
|
||||
|
||||
var ipKeys, userKeys []string
|
||||
var IPuserKeys []struct{ user, ip string }
|
||||
|
||||
lm.mu.Lock()
|
||||
for ip, state := range lm.ipLocks {
|
||||
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
|
||||
ipKeys = append(ipKeys, ip)
|
||||
}
|
||||
}
|
||||
|
||||
for user, state := range lm.userLocks {
|
||||
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
|
||||
userKeys = append(userKeys, user)
|
||||
}
|
||||
}
|
||||
|
||||
for user, ipMap := range lm.ipUserLocks {
|
||||
for ip, state := range ipMap {
|
||||
if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
|
||||
IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
|
||||
}
|
||||
}
|
||||
}
|
||||
lm.mu.Unlock()
|
||||
|
||||
lm.mu.Lock()
|
||||
for _, ip := range ipKeys {
|
||||
delete(lm.ipLocks, ip)
|
||||
}
|
||||
for _, user := range userKeys {
|
||||
delete(lm.userLocks, user)
|
||||
}
|
||||
for _, key := range IPuserKeys {
|
||||
delete(lm.ipUserLocks[key.user], key.ip)
|
||||
if len(lm.ipUserLocks[key.user]) == 0 {
|
||||
delete(lm.ipUserLocks, key.user)
|
||||
}
|
||||
}
|
||||
lm.mu.Unlock()
|
||||
}
|
||||
|
||||
// 检查全局 IP 锁定
|
||||
func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.ipLocks[ip]
|
||||
if !exists {
|
||||
return false
|
||||
}
|
||||
|
||||
return lm.checkLockState(state, now, base.Cfg.GlobalIPBanResetTime)
|
||||
}
|
||||
|
||||
// 检查全局用户锁定
|
||||
func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return false
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.userLocks[username]
|
||||
if !exists {
|
||||
return false
|
||||
}
|
||||
return lm.checkLockState(state, now, base.Cfg.GlobalUserBanResetTime)
|
||||
}
|
||||
|
||||
// 检查单个用户的 IP 锁定
|
||||
func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return false
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
userIPMap, userExists := lm.ipUserLocks[username]
|
||||
if !userExists {
|
||||
return false
|
||||
}
|
||||
|
||||
state, ipExists := userIPMap[ip]
|
||||
if !ipExists {
|
||||
return false
|
||||
}
|
||||
|
||||
return lm.checkLockState(state, now, base.Cfg.BanResetTime)
|
||||
}
|
||||
|
||||
// 更新全局 IP 锁定状态
|
||||
func (lm *LockManager) updateGlobalIPLock(ip string, now time.Time, success bool) {
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.ipLocks[ip]
|
||||
if !exists {
|
||||
state = &LockState{}
|
||||
lm.ipLocks[ip] = state
|
||||
}
|
||||
|
||||
lm.updateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
|
||||
}
|
||||
|
||||
// 更新全局用户锁定状态
|
||||
func (lm *LockManager) updateGlobalUserLock(username string, now time.Time, success bool) {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
state, exists := lm.userLocks[username]
|
||||
if !exists {
|
||||
state = &LockState{}
|
||||
lm.userLocks[username] = state
|
||||
}
|
||||
|
||||
lm.updateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
|
||||
}
|
||||
|
||||
// 更新单个用户的 IP 锁定状态
|
||||
func (lm *LockManager) updateUserIPLock(username, ip string, now time.Time, success bool) {
|
||||
// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
|
||||
if username == "" {
|
||||
return
|
||||
}
|
||||
lm.mu.Lock()
|
||||
defer lm.mu.Unlock()
|
||||
|
||||
userIPMap, userExists := lm.ipUserLocks[username]
|
||||
if !userExists {
|
||||
userIPMap = make(map[string]*LockState)
|
||||
lm.ipUserLocks[username] = userIPMap
|
||||
}
|
||||
|
||||
state, ipExists := userIPMap[ip]
|
||||
if !ipExists {
|
||||
state = &LockState{}
|
||||
userIPMap[ip] = state
|
||||
}
|
||||
|
||||
lm.updateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
|
||||
}
|
||||
|
||||
// 更新锁定状态
|
||||
func (lm *LockManager) updateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
|
||||
if success {
|
||||
state.FailureCount = 0
|
||||
state.LockTime = time.Time{}
|
||||
} else {
|
||||
state.FailureCount++
|
||||
if state.FailureCount >= maxBanCount {
|
||||
state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
|
||||
}
|
||||
}
|
||||
state.LastAttempt = now
|
||||
}
|
||||
|
||||
// 检查锁定状态
|
||||
func (lm *LockManager) checkLockState(state *LockState, now time.Time, resetTime int) bool {
|
||||
if state == nil || state.LastAttempt.IsZero() {
|
||||
return false
|
||||
}
|
||||
|
||||
// 如果超过锁定时间,重置锁定状态
|
||||
if !state.LockTime.IsZero() && now.After(state.LockTime) {
|
||||
state.FailureCount = 0
|
||||
state.LockTime = time.Time{}
|
||||
return false
|
||||
}
|
||||
// 如果超过窗口时间,重置失败计数
|
||||
if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
|
||||
state.FailureCount = 0
|
||||
state.LockTime = time.Time{}
|
||||
return false
|
||||
}
|
||||
// 如果锁定时间还在有效期内,继续锁定
|
||||
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
|
|||
// TODO 用户密码校验
|
||||
err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
|
||||
if err != nil {
|
||||
lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
|
||||
lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
|
||||
base.Warn(err, r.RemoteAddr)
|
||||
ua.Info = err.Error()
|
||||
ua.Status = dbdata.UserAuthFail
|
||||
|
|
@ -119,7 +119,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
// 用户otp验证
|
||||
if !v.DisableOtp {
|
||||
lockManager.loginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
|
||||
lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
|
||||
sessionID, err := GenerateSessionID()
|
||||
if err != nil {
|
||||
base.Error("Failed to generate session ID: ", err)
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ func DeleteCookie(w http.ResponseWriter, name string) {
|
|||
http.SetCookie(w, cookie)
|
||||
}
|
||||
func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
|
||||
lockManager.loginStatus.Store(loginStatusKey, true) // 更新登录成功状态
|
||||
lockManager.LoginStatus.Store(loginStatusKey, true) // 更新登录成功状态
|
||||
|
||||
cr := authSession.ClientRequest
|
||||
ua := authSession.UserActLog
|
||||
|
|
@ -202,7 +202,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
|
|||
http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
|
||||
lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
|
||||
|
||||
base.Warn("OTP 动态码错误", username, r.RemoteAddr)
|
||||
ua.Info = "OTP 动态码错误"
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ func Start() {
|
|||
sessdata.Start()
|
||||
cron.Start()
|
||||
|
||||
initAntiBruteForce() //初始化防爆破定时器和IP白名单
|
||||
admin.InitLockManager() //初始化防爆破定时器和IP白名单
|
||||
|
||||
// 开启服务器转发
|
||||
err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})
|
||||
|
|
|
|||
Loading…
Reference in New Issue