Compare commits
16 Commits
2e9b307194
...
v0.5.2
| Author | SHA1 | Date | |
|---|---|---|---|
|
aef2647a82 | ||
|
|
c3b6708a98 | ||
|
|
3acd0b899c | ||
|
|
3ac1250bfc | ||
|
|
7bba444522 | ||
|
|
97eb626237 | ||
|
|
b7a1ac06d4 | ||
|
|
49f0acb777 | ||
|
|
a602207369 | ||
|
|
8c0cfcdbe7 | ||
|
|
35a1a89baf | ||
|
|
f3387b169a | ||
|
|
5782072f91 | ||
|
|
7918b3efe6 | ||
|
|
f628e24f58 | ||
|
|
7f54db0cd4 |
@@ -30,6 +30,11 @@ var DaemonCmd = &cobra.Command{
|
|||||||
log.Error("Failed to create request writer", "error", err)
|
log.Error("Failed to create request writer", "error", err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
reqDb_r, err := storage.NewRequestsRd()
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Failed to create request reader", "error", err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
banDb_r, err := storage.NewBanReader()
|
banDb_r, err := storage.NewBanReader()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Failed to create ban reader", "error", err)
|
log.Error("Failed to create ban reader", "error", err)
|
||||||
@@ -55,6 +60,11 @@ var DaemonCmd = &cobra.Command{
|
|||||||
log.Error("Failed to load config", "error", err)
|
log.Error("Failed to load config", "error", err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
_, err = config.LoadMetricsConfig()
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Failed to load metrics config", "error", err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
var b blocker.BlockerEngine
|
var b blocker.BlockerEngine
|
||||||
fw := cfg.Firewall.Name
|
fw := cfg.Firewall.Name
|
||||||
b = blocker.GetBlocker(fw, cfg.Firewall.Config)
|
b = blocker.GetBlocker(fw, cfg.Firewall.Config)
|
||||||
@@ -63,7 +73,7 @@ var DaemonCmd = &cobra.Command{
|
|||||||
log.Error("Failed to load rules", "error", err)
|
log.Error("Failed to load rules", "error", err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
j := judge.New(banDb_r, banDb_w, b, resultCh, entryCh)
|
j := judge.New(banDb_r, banDb_w, reqDb_r, b, resultCh, entryCh)
|
||||||
j.LoadRules(r)
|
j.LoadRules(r)
|
||||||
go j.UnbanChecker()
|
go j.UnbanChecker()
|
||||||
go j.Tribunal()
|
go j.Tribunal()
|
||||||
|
|||||||
@@ -9,12 +9,13 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
name string
|
name string
|
||||||
service string
|
service string
|
||||||
path string
|
path string
|
||||||
status string
|
status string
|
||||||
method string
|
method string
|
||||||
ttl string
|
ttl string
|
||||||
|
max_retry int
|
||||||
)
|
)
|
||||||
|
|
||||||
var RuleCmd = &cobra.Command{
|
var RuleCmd = &cobra.Command{
|
||||||
@@ -41,7 +42,7 @@ var AddCmd = &cobra.Command{
|
|||||||
if ttl == "" {
|
if ttl == "" {
|
||||||
ttl = "1y"
|
ttl = "1y"
|
||||||
}
|
}
|
||||||
err := config.NewRule(name, service, path, status, method, ttl)
|
err := config.NewRule(name, service, path, status, method, ttl, max_retry)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
@@ -61,11 +62,12 @@ var ListCmd = &cobra.Command{
|
|||||||
}
|
}
|
||||||
for _, rule := range r {
|
for _, rule := range r {
|
||||||
fmt.Printf(
|
fmt.Printf(
|
||||||
"Name: %s\nService: %s\nPath: %s\nStatus: %s\nMethod: %s\n\n",
|
"Name: %s\nService: %s\nPath: %s\nStatus: %s\n MaxRetry: %d\nMethod: %s\n\n",
|
||||||
rule.Name,
|
rule.Name,
|
||||||
rule.ServiceName,
|
rule.ServiceName,
|
||||||
rule.Path,
|
rule.Path,
|
||||||
rule.Status,
|
rule.Status,
|
||||||
|
rule.MaxRetry,
|
||||||
rule.Method,
|
rule.Method,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
@@ -81,4 +83,5 @@ func RuleRegister() {
|
|||||||
AddCmd.Flags().StringVarP(&status, "status", "c", "", "status code")
|
AddCmd.Flags().StringVarP(&status, "status", "c", "", "status code")
|
||||||
AddCmd.Flags().StringVarP(&method, "method", "m", "", "method")
|
AddCmd.Flags().StringVarP(&method, "method", "m", "", "method")
|
||||||
AddCmd.Flags().StringVarP(&ttl, "ttl", "t", "", "ban time")
|
AddCmd.Flags().StringVarP(&ttl, "ttl", "t", "", "ban time")
|
||||||
|
AddCmd.Flags().IntVarP(&max_retry, "max_retry", "r", 0, "max retry")
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ import (
|
|||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
)
|
)
|
||||||
|
|
||||||
var version = "0.4.3"
|
var version = "0.5.2"
|
||||||
|
|
||||||
var VersionCmd = &cobra.Command{
|
var VersionCmd = &cobra.Command{
|
||||||
Use: "version",
|
Use: "version",
|
||||||
|
|||||||
@@ -79,5 +79,6 @@ These command help you to create and manage detection rules in CLI interface.
|
|||||||
| -m -method | - |
|
| -m -method | - |
|
||||||
| -c -status | - |
|
| -c -status | - |
|
||||||
| -t -ttl | -(if not used default ban 1 year) |
|
| -t -ttl | -(if not used default ban 1 year) |
|
||||||
|
| -r -max_retry | - |
|
||||||
|
|
||||||
You must specify at least 1 of the optional flags to create a rule.
|
You must specify at least 1 of the optional flags to create a rule.
|
||||||
|
|||||||
@@ -40,10 +40,12 @@ Example:
|
|||||||
service = "nginx"
|
service = "nginx"
|
||||||
path = ""
|
path = ""
|
||||||
status = "304"
|
status = "304"
|
||||||
|
max_retry = 3
|
||||||
method = ""
|
method = ""
|
||||||
ban_time = "1m"
|
ban_time = "1m"
|
||||||
```
|
```
|
||||||
**Description**
|
**Description**
|
||||||
The [[rule]] section require name and one of the following parameters: service, path, status, method. To add a rule, create a [[rule]] block and specify the parameters.
|
The [[rule]] section require name and one of the following parameters: service, path, status, method. To add a rule, create a [[rule]] block and specify the parameters.
|
||||||
ban_time require in format "1m", "1h", "1d", "1M", "1y".
|
ban_time require in format "1m", "1h", "1d", "1M", "1y".
|
||||||
If you want to ban all requests to PHP files (e.g., path = "*.php") or requests to the admin panel (e.g., path = "/admin/*")
|
If you want to ban all requests to PHP files (e.g., path = "*.php") or requests to the admin panel (e.g., path = "/admin/*").
|
||||||
|
If max_retry = 0 ban on first request.
|
||||||
|
|||||||
14
go.mod
14
go.mod
@@ -7,23 +7,23 @@ require (
|
|||||||
github.com/jedib0t/go-pretty/v6 v6.7.8
|
github.com/jedib0t/go-pretty/v6 v6.7.8
|
||||||
github.com/spf13/cobra v1.10.2
|
github.com/spf13/cobra v1.10.2
|
||||||
gopkg.in/natefinch/lumberjack.v2 v2.2.1
|
gopkg.in/natefinch/lumberjack.v2 v2.2.1
|
||||||
modernc.org/sqlite v1.44.3
|
modernc.org/sqlite v1.46.1
|
||||||
)
|
)
|
||||||
|
|
||||||
require (
|
require (
|
||||||
|
github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
|
||||||
github.com/dustin/go-humanize v1.0.1 // indirect
|
github.com/dustin/go-humanize v1.0.1 // indirect
|
||||||
github.com/google/uuid v1.6.0 // indirect
|
github.com/google/uuid v1.6.0 // indirect
|
||||||
github.com/inconshreveable/mousetrap v1.1.0 // indirect
|
github.com/inconshreveable/mousetrap v1.1.0 // indirect
|
||||||
github.com/mattn/go-isatty v0.0.20 // indirect
|
github.com/mattn/go-isatty v0.0.20 // indirect
|
||||||
github.com/mattn/go-runewidth v0.0.16 // indirect
|
github.com/mattn/go-runewidth v0.0.20 // indirect
|
||||||
github.com/ncruces/go-strftime v1.0.0 // indirect
|
github.com/ncruces/go-strftime v1.0.0 // indirect
|
||||||
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
|
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
|
||||||
github.com/rivo/uniseg v0.4.7 // indirect
|
|
||||||
github.com/spf13/pflag v1.0.10 // indirect
|
github.com/spf13/pflag v1.0.10 // indirect
|
||||||
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
|
golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
|
||||||
golang.org/x/sys v0.40.0 // indirect
|
golang.org/x/sys v0.41.0 // indirect
|
||||||
golang.org/x/text v0.32.0 // indirect
|
golang.org/x/text v0.34.0 // indirect
|
||||||
modernc.org/libc v1.67.6 // indirect
|
modernc.org/libc v1.68.0 // indirect
|
||||||
modernc.org/mathutil v1.7.1 // indirect
|
modernc.org/mathutil v1.7.1 // indirect
|
||||||
modernc.org/memory v1.11.0 // indirect
|
modernc.org/memory v1.11.0 // indirect
|
||||||
)
|
)
|
||||||
|
|||||||
45
go.sum
45
go.sum
@@ -1,5 +1,7 @@
|
|||||||
github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
|
github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
|
||||||
github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
|
github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
|
||||||
|
github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
|
||||||
|
github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
|
||||||
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
|
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
|
||||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
@@ -17,17 +19,14 @@ github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc
|
|||||||
github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
|
github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
|
||||||
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
|
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
|
||||||
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||||
github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
|
github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=
|
||||||
github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
|
github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
|
||||||
github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
|
github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
|
||||||
github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
|
github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
|
||||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
|
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
|
||||||
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
|
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
|
||||||
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
|
|
||||||
github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
|
|
||||||
github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
|
|
||||||
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||||
github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
|
github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
|
||||||
github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
|
github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
|
||||||
@@ -37,19 +36,19 @@ github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3A
|
|||||||
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
|
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
|
||||||
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
||||||
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
|
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
|
||||||
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
|
golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa h1:Zt3DZoOFFYkKhDT3v7Lm9FDMEV06GpzjG2jrqW+QTE0=
|
||||||
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
|
golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa/go.mod h1:K79w1Vqn7PoiZn+TkNpx3BUWUQksGO3JcVX6qIjytmA=
|
||||||
golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
|
golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
|
||||||
golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
|
golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
|
||||||
golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
|
golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
|
||||||
golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
|
golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
|
||||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
|
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
|
||||||
golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||||
golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
|
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
|
||||||
golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
|
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
|
||||||
golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
|
golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
|
||||||
golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
|
golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
|
||||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
|
gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
|
||||||
gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
|
gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
|
||||||
@@ -57,18 +56,18 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
|||||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
|
modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
|
||||||
modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
|
modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
|
||||||
modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
|
modernc.org/ccgo/v4 v4.30.2 h1:4yPaaq9dXYXZ2V8s1UgrC3KIj580l2N4ClrLwnbv2so=
|
||||||
modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
|
modernc.org/ccgo/v4 v4.30.2/go.mod h1:yZMnhWEdW0qw3EtCndG1+ldRrVGS+bIwyWmAWzS0XEw=
|
||||||
modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
|
modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
|
||||||
modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
|
modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
|
||||||
modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
|
modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
|
||||||
modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
|
modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
|
||||||
modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
|
modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
|
||||||
modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
|
modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
|
||||||
modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
|
modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
|
||||||
modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
|
modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
|
||||||
modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
|
modernc.org/libc v1.68.0 h1:PJ5ikFOV5pwpW+VqCK1hKJuEWsonkIJhhIXyuF/91pQ=
|
||||||
modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
|
modernc.org/libc v1.68.0/go.mod h1:NnKCYeoYgsEqnY3PgvNgAeaJnso968ygU8Z0DxjoEc0=
|
||||||
modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
|
modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
|
||||||
modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
|
modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
|
||||||
modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
|
modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
|
||||||
@@ -77,8 +76,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
|
|||||||
modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
|
modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
|
||||||
modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
|
modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
|
||||||
modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
|
modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
|
||||||
modernc.org/sqlite v1.44.3 h1:+39JvV/HWMcYslAwRxHb8067w+2zowvFOUrOWIy9PjY=
|
modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
|
||||||
modernc.org/sqlite v1.44.3/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
|
modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
|
||||||
modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
|
modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
|
||||||
modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
|
modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
|
||||||
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
|
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
|
||||||
|
|||||||
@@ -23,6 +23,7 @@ func (f *Firewalld) Ban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - ip is validated
|
||||||
cmd := exec.Command("firewall-cmd", "--zone=drop", "--add-source", ip, "--permanent")
|
cmd := exec.Command("firewall-cmd", "--zone=drop", "--add-source", ip, "--permanent")
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -44,6 +45,7 @@ func (f *Firewalld) Unban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - ip is validated
|
||||||
cmd := exec.Command("firewall-cmd", "--zone=drop", "--remove-source", ip, "--permanent")
|
cmd := exec.Command("firewall-cmd", "--zone=drop", "--remove-source", ip, "--permanent")
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -61,7 +63,7 @@ func (f *Firewalld) Unban(ip string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (f *Firewalld) PortOpen(port int, protocol string) error {
|
func (f *Firewalld) PortOpen(port int, protocol string) error {
|
||||||
// #nosec G204 - handle is extracted from nftables output and validated
|
// #nosec G204 - handle is extracted from Firewalld output and validated
|
||||||
if port >= 0 && port <= 65535 {
|
if port >= 0 && port <= 65535 {
|
||||||
if protocol != "tcp" && protocol != "udp" {
|
if protocol != "tcp" && protocol != "udp" {
|
||||||
f.logger.Error("invalid protocol")
|
f.logger.Error("invalid protocol")
|
||||||
|
|||||||
@@ -28,6 +28,7 @@ func (f *Iptables) Ban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - f.config is validated above via validateConfigPath()
|
||||||
cmd := exec.Command("iptables", "-A", "INPUT", "-s", ip, "-j", "DROP")
|
cmd := exec.Command("iptables", "-A", "INPUT", "-s", ip, "-j", "DROP")
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -70,6 +71,7 @@ func (f *Iptables) Unban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - f.config is validated above via validateConfigPath()
|
||||||
cmd := exec.Command("iptables", "-D", "INPUT", "-s", ip, "-j", "DROP")
|
cmd := exec.Command("iptables", "-D", "INPUT", "-s", ip, "-j", "DROP")
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@@ -26,7 +26,7 @@ func (n *Nftables) Ban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - ip is validated
|
||||||
cmd := exec.Command("nft", "add", "rule", "inet", "banforge", "banned",
|
cmd := exec.Command("nft", "add", "rule", "inet", "banforge", "banned",
|
||||||
"ip", "saddr", ip, "drop")
|
"ip", "saddr", ip, "drop")
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
@@ -113,6 +113,7 @@ func (n *Nftables) Setup(config string) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
`
|
`
|
||||||
|
// #nosec G204 - config is managed by adminstartor
|
||||||
cmd := exec.Command("tee", config)
|
cmd := exec.Command("tee", config)
|
||||||
stdin, err := cmd.StdinPipe()
|
stdin, err := cmd.StdinPipe()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -135,7 +136,7 @@ func (n *Nftables) Setup(config string) error {
|
|||||||
if err = cmd.Wait(); err != nil {
|
if err = cmd.Wait(); err != nil {
|
||||||
return fmt.Errorf("failed to save config: %w", err)
|
return fmt.Errorf("failed to save config: %w", err)
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - config is managed by adminstartor
|
||||||
cmd = exec.Command("nft", "-f", config)
|
cmd = exec.Command("nft", "-f", config)
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -253,7 +254,7 @@ func saveNftablesConfig(configPath string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to get nftables ruleset: %w", err)
|
return fmt.Errorf("failed to get nftables ruleset: %w", err)
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - managed by system adminstartor
|
||||||
cmd = exec.Command("tee", configPath)
|
cmd = exec.Command("tee", configPath)
|
||||||
stdin, err := cmd.StdinPipe()
|
stdin, err := cmd.StdinPipe()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ func (u *Ufw) Ban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - ip is validated
|
||||||
cmd := exec.Command("ufw", "--force", "deny", "from", ip)
|
cmd := exec.Command("ufw", "--force", "deny", "from", ip)
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -42,7 +42,7 @@ func (u *Ufw) Unban(ip string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// #nosec G204 - ip is validated
|
||||||
cmd := exec.Command("ufw", "--force", "delete", "deny", "from", ip)
|
cmd := exec.Command("ufw", "--force", "delete", "deny", "from", ip)
|
||||||
output, err := cmd.CombinedOutput()
|
output, err := cmd.CombinedOutput()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@@ -10,8 +10,25 @@ import (
|
|||||||
|
|
||||||
"github.com/BurntSushi/toml"
|
"github.com/BurntSushi/toml"
|
||||||
"github.com/d3m0k1d/BanForge/internal/logger"
|
"github.com/d3m0k1d/BanForge/internal/logger"
|
||||||
|
"github.com/d3m0k1d/BanForge/internal/metrics"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func LoadMetricsConfig() (*Metrics, error) {
|
||||||
|
cfg := &Metrics{}
|
||||||
|
_, err := toml.DecodeFile("/etc/banforge/config.toml", cfg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to decode config: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if cfg.Enabled && cfg.Port > 0 && cfg.Port < 65535 {
|
||||||
|
go metrics.StartMetricsServer(cfg.Port)
|
||||||
|
} else if cfg.Enabled {
|
||||||
|
fmt.Println("Metrics enabled but port invalid, not starting server")
|
||||||
|
}
|
||||||
|
|
||||||
|
return cfg, nil
|
||||||
|
}
|
||||||
|
|
||||||
func LoadRuleConfig() ([]Rule, error) {
|
func LoadRuleConfig() ([]Rule, error) {
|
||||||
log := logger.New(false)
|
log := logger.New(false)
|
||||||
var cfg Rules
|
var cfg Rules
|
||||||
@@ -33,6 +50,7 @@ func NewRule(
|
|||||||
Status string,
|
Status string,
|
||||||
Method string,
|
Method string,
|
||||||
ttl string,
|
ttl string,
|
||||||
|
max_retry int,
|
||||||
) error {
|
) error {
|
||||||
r, err := LoadRuleConfig()
|
r, err := LoadRuleConfig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -51,6 +69,7 @@ func NewRule(
|
|||||||
Status: Status,
|
Status: Status,
|
||||||
Method: Method,
|
Method: Method,
|
||||||
BanTime: ttl,
|
BanTime: ttl,
|
||||||
|
MaxRetry: max_retry,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
file, err := os.Create("/etc/banforge/rules.toml")
|
file, err := os.Create("/etc/banforge/rules.toml")
|
||||||
|
|||||||
@@ -8,6 +8,10 @@ const Base_config = `
|
|||||||
name = ""
|
name = ""
|
||||||
config = "/etc/nftables.conf"
|
config = "/etc/nftables.conf"
|
||||||
|
|
||||||
|
[metrics]
|
||||||
|
enabled = false
|
||||||
|
port = 2122
|
||||||
|
|
||||||
[[service]]
|
[[service]]
|
||||||
name = "nginx"
|
name = "nginx"
|
||||||
logging = "file"
|
logging = "file"
|
||||||
|
|||||||
@@ -14,6 +14,7 @@ type Service struct {
|
|||||||
|
|
||||||
type Config struct {
|
type Config struct {
|
||||||
Firewall Firewall `toml:"firewall"`
|
Firewall Firewall `toml:"firewall"`
|
||||||
|
Metrics Metrics `toml:"metrics"`
|
||||||
Service []Service `toml:"service"`
|
Service []Service `toml:"service"`
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -28,5 +29,11 @@ type Rule struct {
|
|||||||
Path string `toml:"path"`
|
Path string `toml:"path"`
|
||||||
Status string `toml:"status"`
|
Status string `toml:"status"`
|
||||||
Method string `toml:"method"`
|
Method string `toml:"method"`
|
||||||
|
MaxRetry int `toml:"max_retry"`
|
||||||
BanTime string `toml:"ban_time"`
|
BanTime string `toml:"ban_time"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type Metrics struct {
|
||||||
|
Enabled bool `toml:"enabled"`
|
||||||
|
Port int `toml:"port"`
|
||||||
|
}
|
||||||
|
|||||||
@@ -14,6 +14,7 @@ import (
|
|||||||
type Judge struct {
|
type Judge struct {
|
||||||
db_r *storage.BanReader
|
db_r *storage.BanReader
|
||||||
db_w *storage.BanWriter
|
db_w *storage.BanWriter
|
||||||
|
db_rq *storage.RequestReader
|
||||||
logger *logger.Logger
|
logger *logger.Logger
|
||||||
Blocker blocker.BlockerEngine
|
Blocker blocker.BlockerEngine
|
||||||
rulesByService map[string][]config.Rule
|
rulesByService map[string][]config.Rule
|
||||||
@@ -24,6 +25,7 @@ type Judge struct {
|
|||||||
func New(
|
func New(
|
||||||
db_r *storage.BanReader,
|
db_r *storage.BanReader,
|
||||||
db_w *storage.BanWriter,
|
db_w *storage.BanWriter,
|
||||||
|
db_rq *storage.RequestReader,
|
||||||
b blocker.BlockerEngine,
|
b blocker.BlockerEngine,
|
||||||
resultCh chan *storage.LogEntry,
|
resultCh chan *storage.LogEntry,
|
||||||
entryCh chan *storage.LogEntry,
|
entryCh chan *storage.LogEntry,
|
||||||
@@ -31,6 +33,7 @@ func New(
|
|||||||
return &Judge{
|
return &Judge{
|
||||||
db_w: db_w,
|
db_w: db_w,
|
||||||
db_r: db_r,
|
db_r: db_r,
|
||||||
|
db_rq: db_rq,
|
||||||
logger: logger.New(false),
|
logger: logger.New(false),
|
||||||
rulesByService: make(map[string][]config.Rule),
|
rulesByService: make(map[string][]config.Rule),
|
||||||
Blocker: b,
|
Blocker: b,
|
||||||
@@ -75,31 +78,28 @@ func (j *Judge) Tribunal() {
|
|||||||
methodMatch := rule.Method == "" || entry.Method == rule.Method
|
methodMatch := rule.Method == "" || entry.Method == rule.Method
|
||||||
statusMatch := rule.Status == "" || entry.Status == rule.Status
|
statusMatch := rule.Status == "" || entry.Status == rule.Status
|
||||||
pathMatch := matchPath(entry.Path, rule.Path)
|
pathMatch := matchPath(entry.Path, rule.Path)
|
||||||
|
|
||||||
j.logger.Debug(
|
|
||||||
"Testing rule",
|
|
||||||
"rule", rule.Name,
|
|
||||||
"method_match", methodMatch,
|
|
||||||
"status_match", statusMatch,
|
|
||||||
"path_match", pathMatch,
|
|
||||||
)
|
|
||||||
|
|
||||||
if methodMatch && statusMatch && pathMatch {
|
if methodMatch && statusMatch && pathMatch {
|
||||||
ruleMatched = true
|
ruleMatched = true
|
||||||
j.logger.Info("Rule matched", "rule", rule.Name, "ip", entry.IP)
|
j.logger.Info("Rule matched", "rule", rule.Name, "ip", entry.IP)
|
||||||
|
j.resultCh <- entry
|
||||||
banned, err := j.db_r.IsBanned(entry.IP)
|
banned, err := j.db_r.IsBanned(entry.IP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
j.logger.Error("Failed to check ban status", "ip", entry.IP, "error", err)
|
j.logger.Error("Failed to check ban status", "ip", entry.IP, "error", err)
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
||||||
if banned {
|
if banned {
|
||||||
j.logger.Info("IP already banned", "ip", entry.IP)
|
j.logger.Info("IP already banned", "ip", entry.IP)
|
||||||
j.resultCh <- entry
|
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
exceeded, err := j.db_rq.IsMaxRetryExceeded(entry.IP, rule.MaxRetry)
|
||||||
|
if err != nil {
|
||||||
|
j.logger.Error("Failed to check retry count", "ip", entry.IP, "error", err)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if !exceeded {
|
||||||
|
j.logger.Info("Max retry not exceeded", "ip", entry.IP)
|
||||||
|
break
|
||||||
|
}
|
||||||
err = j.db_w.AddBan(entry.IP, rule.BanTime, rule.Name)
|
err = j.db_w.AddBan(entry.IP, rule.BanTime, rule.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
j.logger.Error(
|
j.logger.Error(
|
||||||
@@ -127,7 +127,6 @@ func (j *Judge) Tribunal() {
|
|||||||
"ban_time",
|
"ban_time",
|
||||||
rule.BanTime,
|
rule.BanTime,
|
||||||
)
|
)
|
||||||
j.resultCh <- entry
|
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
77
internal/metrics/metrics.go
Normal file
77
internal/metrics/metrics.go
Normal file
@@ -0,0 +1,77 @@
|
|||||||
|
package metrics
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
"net/http"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
metricsMu sync.RWMutex
|
||||||
|
metrics = make(map[string]int64)
|
||||||
|
)
|
||||||
|
|
||||||
|
func IncBan(service string) {
|
||||||
|
metricsMu.Lock()
|
||||||
|
metrics["ban_count"]++
|
||||||
|
metrics[service+"_bans"]++
|
||||||
|
metricsMu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
func IncUnban(service string) {
|
||||||
|
metricsMu.Lock()
|
||||||
|
metrics["unban_count"]++
|
||||||
|
metrics[service+"_unbans"]++
|
||||||
|
metricsMu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
func IncRuleMatched(rule_name string) {
|
||||||
|
metricsMu.Lock()
|
||||||
|
metrics[rule_name+"_rule_matched"]++
|
||||||
|
metricsMu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
func IncLogParsed() {
|
||||||
|
metricsMu.Lock()
|
||||||
|
metrics["log_parsed"]++
|
||||||
|
metricsMu.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
|
func MetricsHandler() http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
metricsMu.RLock()
|
||||||
|
snapshot := make(map[string]int64, len(metrics))
|
||||||
|
for k, v := range metrics {
|
||||||
|
snapshot[k] = v
|
||||||
|
}
|
||||||
|
metricsMu.RUnlock()
|
||||||
|
|
||||||
|
w.Header().Set("Content-Type", "text/plain; version=0.0.4")
|
||||||
|
|
||||||
|
for name, value := range snapshot {
|
||||||
|
metricName := name + "_total"
|
||||||
|
_, _ = fmt.Fprintf(w, "# TYPE %s counter\n", metricName)
|
||||||
|
_, _ = fmt.Fprintf(w, "%s %d\n", metricName, value)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func StartMetricsServer(port int) {
|
||||||
|
mux := http.NewServeMux()
|
||||||
|
mux.Handle("/metrics", MetricsHandler())
|
||||||
|
|
||||||
|
server := &http.Server{
|
||||||
|
Addr: fmt.Sprintf(":%d", port),
|
||||||
|
Handler: mux,
|
||||||
|
ReadTimeout: 5 * time.Second,
|
||||||
|
WriteTimeout: 10 * time.Second,
|
||||||
|
IdleTimeout: 15 * time.Second,
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("Starting metrics server on %s", server.Addr)
|
||||||
|
if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
|
||||||
|
log.Printf("Metrics server error: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -24,6 +24,7 @@ type Scanner struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func NewScannerTail(path string) (*Scanner, error) {
|
func NewScannerTail(path string) (*Scanner, error) {
|
||||||
|
// #nosec G204 - managed by system adminstartor
|
||||||
cmd := exec.Command("tail", "-F", "-n", "10", path)
|
cmd := exec.Command("tail", "-F", "-n", "10", path)
|
||||||
stdout, err := cmd.StdoutPipe()
|
stdout, err := cmd.StdoutPipe()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -46,6 +47,7 @@ func NewScannerTail(path string) (*Scanner, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func NewScannerJournald(unit string) (*Scanner, error) {
|
func NewScannerJournald(unit string) (*Scanner, error) {
|
||||||
|
// #nosec G204 - managed by system adminstartor
|
||||||
cmd := exec.Command("journalctl", "-u", unit, "-f", "-n", "0", "-o", "short", "--no-pager")
|
cmd := exec.Command("journalctl", "-u", unit, "-f", "-n", "0", "-o", "short", "--no-pager")
|
||||||
stdout, err := cmd.StdoutPipe()
|
stdout, err := cmd.StdoutPipe()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@@ -28,3 +28,39 @@ func NewRequestsWr() (*RequestWriter, error) {
|
|||||||
db: db,
|
db: db,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type RequestReader struct {
|
||||||
|
logger *logger.Logger
|
||||||
|
db *sql.DB
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewRequestsRd() (*RequestReader, error) {
|
||||||
|
db, err := sql.Open(
|
||||||
|
"sqlite",
|
||||||
|
buildSqliteDsn(ReqDBPath, pragmas),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
db.SetMaxOpenConns(1)
|
||||||
|
db.SetMaxIdleConns(1)
|
||||||
|
db.SetConnMaxLifetime(0)
|
||||||
|
return &RequestReader{
|
||||||
|
logger: logger.New(false),
|
||||||
|
db: db,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *RequestReader) IsMaxRetryExceeded(ip string, maxRetry int) (bool, error) {
|
||||||
|
var count int
|
||||||
|
if maxRetry == 0 {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
err := r.db.QueryRow("SELECT COUNT(*) FROM requests WHERE ip = ?", ip).Scan(&count)
|
||||||
|
if err != nil {
|
||||||
|
r.logger.Error("error query count: " + err.Error())
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
r.logger.Info("Current request count for IP", "ip", ip, "count", count, "maxRetry", maxRetry)
|
||||||
|
return count >= maxRetry, nil
|
||||||
|
}
|
||||||
|
|||||||
@@ -94,3 +94,13 @@ func WriteReq(db *RequestWriter, resultCh <-chan *LogEntry) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (w *RequestWriter) GetRequestCount() (int, error) {
|
||||||
|
var count int
|
||||||
|
err := w.db.QueryRow("SELECT COUNT(*) FROM requests").Scan(&count)
|
||||||
|
return count, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *RequestWriter) Close() error {
|
||||||
|
return w.db.Close()
|
||||||
|
}
|
||||||
|
|||||||
@@ -299,21 +299,3 @@ func (w *RequestWriter) CreateTable() error {
|
|||||||
w.logger.Info("Created requests table")
|
w.logger.Info("Created requests table")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (w *RequestWriter) Close() error {
|
|
||||||
w.logger.Info("Closing request database connection")
|
|
||||||
err := w.db.Close()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (w *RequestWriter) GetRequestCount() (int, error) {
|
|
||||||
var count int
|
|
||||||
err := w.db.QueryRow("SELECT COUNT(*) FROM requests").Scan(&count)
|
|
||||||
if err != nil {
|
|
||||||
return 0, err
|
|
||||||
}
|
|
||||||
return count, nil
|
|
||||||
}
|
|
||||||
|
|||||||
Reference in New Issue
Block a user