forked from cerc-io/plugeth
Merge pull request #14999 from karalabe/puppeth-ethstats-blacklist
cmd/puppeth: support blacklisting malicious IPs on ethstats
This commit is contained in:
commit
998abb9107
@ -42,7 +42,7 @@ RUN \
|
|||||||
WORKDIR /eth-netstats
|
WORKDIR /eth-netstats
|
||||||
EXPOSE 3000
|
EXPOSE 3000
|
||||||
|
|
||||||
RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: []};' > lib/utils/config.js
|
RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: [{{.Banned}}]};' > lib/utils/config.js
|
||||||
|
|
||||||
CMD ["npm", "start"]
|
CMD ["npm", "start"]
|
||||||
`
|
`
|
||||||
@ -59,7 +59,8 @@ services:
|
|||||||
- "{{.Port}}:3000"{{end}}
|
- "{{.Port}}:3000"{{end}}
|
||||||
environment:
|
environment:
|
||||||
- WS_SECRET={{.Secret}}{{if .VHost}}
|
- WS_SECRET={{.Secret}}{{if .VHost}}
|
||||||
- VIRTUAL_HOST={{.VHost}}{{end}}
|
- VIRTUAL_HOST={{.VHost}}{{end}}{{if .Banned}}
|
||||||
|
- BANNED={{.Banned}}{{end}}
|
||||||
logging:
|
logging:
|
||||||
driver: "json-file"
|
driver: "json-file"
|
||||||
options:
|
options:
|
||||||
@ -71,18 +72,24 @@ services:
|
|||||||
// deployEthstats deploys a new ethstats container to a remote machine via SSH,
|
// deployEthstats deploys a new ethstats container to a remote machine via SSH,
|
||||||
// docker and docker-compose. If an instance with the specified network name
|
// docker and docker-compose. If an instance with the specified network name
|
||||||
// already exists there, it will be overwritten!
|
// already exists there, it will be overwritten!
|
||||||
func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string) ([]byte, error) {
|
func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string, banned []string) ([]byte, error) {
|
||||||
// Generate the content to upload to the server
|
// Generate the content to upload to the server
|
||||||
workdir := fmt.Sprintf("%d", rand.Int63())
|
workdir := fmt.Sprintf("%d", rand.Int63())
|
||||||
files := make(map[string][]byte)
|
files := make(map[string][]byte)
|
||||||
|
|
||||||
|
trustedLabels := make([]string, len(trusted))
|
||||||
for i, address := range trusted {
|
for i, address := range trusted {
|
||||||
trusted[i] = fmt.Sprintf("\"%s\"", address)
|
trustedLabels[i] = fmt.Sprintf("\"%s\"", address)
|
||||||
|
}
|
||||||
|
bannedLabels := make([]string, len(banned))
|
||||||
|
for i, address := range banned {
|
||||||
|
bannedLabels[i] = fmt.Sprintf("\"%s\"", address)
|
||||||
}
|
}
|
||||||
|
|
||||||
dockerfile := new(bytes.Buffer)
|
dockerfile := new(bytes.Buffer)
|
||||||
template.Must(template.New("").Parse(ethstatsDockerfile)).Execute(dockerfile, map[string]interface{}{
|
template.Must(template.New("").Parse(ethstatsDockerfile)).Execute(dockerfile, map[string]interface{}{
|
||||||
"Trusted": strings.Join(trusted, ", "),
|
"Trusted": strings.Join(trustedLabels, ", "),
|
||||||
|
"Banned": strings.Join(bannedLabels, ", "),
|
||||||
})
|
})
|
||||||
files[filepath.Join(workdir, "Dockerfile")] = dockerfile.Bytes()
|
files[filepath.Join(workdir, "Dockerfile")] = dockerfile.Bytes()
|
||||||
|
|
||||||
@ -92,6 +99,7 @@ func deployEthstats(client *sshClient, network string, port int, secret string,
|
|||||||
"Port": port,
|
"Port": port,
|
||||||
"Secret": secret,
|
"Secret": secret,
|
||||||
"VHost": vhost,
|
"VHost": vhost,
|
||||||
|
"Banned": strings.Join(banned, ","),
|
||||||
})
|
})
|
||||||
files[filepath.Join(workdir, "docker-compose.yaml")] = composefile.Bytes()
|
files[filepath.Join(workdir, "docker-compose.yaml")] = composefile.Bytes()
|
||||||
|
|
||||||
@ -112,11 +120,12 @@ type ethstatsInfos struct {
|
|||||||
port int
|
port int
|
||||||
secret string
|
secret string
|
||||||
config string
|
config string
|
||||||
|
banned []string
|
||||||
}
|
}
|
||||||
|
|
||||||
// String implements the stringer interface.
|
// String implements the stringer interface.
|
||||||
func (info *ethstatsInfos) String() string {
|
func (info *ethstatsInfos) String() string {
|
||||||
return fmt.Sprintf("host=%s, port=%d, secret=%s", info.host, info.port, info.secret)
|
return fmt.Sprintf("host=%s, port=%d, secret=%s, banned=%v", info.host, info.port, info.secret, info.banned)
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkEthstats does a health-check against an ethstats server to verify whether
|
// checkEthstats does a health-check against an ethstats server to verify whether
|
||||||
@ -150,6 +159,9 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) {
|
|||||||
if port != 80 && port != 443 {
|
if port != 80 && port != 443 {
|
||||||
config += fmt.Sprintf(":%d", port)
|
config += fmt.Sprintf(":%d", port)
|
||||||
}
|
}
|
||||||
|
// Retrieve the IP blacklist
|
||||||
|
banned := strings.Split(infos.envvars["BANNED"], ",")
|
||||||
|
|
||||||
// Run a sanity check to see if the port is reachable
|
// Run a sanity check to see if the port is reachable
|
||||||
if err = checkPort(host, port); err != nil {
|
if err = checkPort(host, port); err != nil {
|
||||||
log.Warn("Ethstats service seems unreachable", "server", host, "port", port, "err", err)
|
log.Warn("Ethstats service seems unreachable", "server", host, "port", port, "err", err)
|
||||||
@ -160,5 +172,6 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) {
|
|||||||
port: port,
|
port: port,
|
||||||
secret: secret,
|
secret: secret,
|
||||||
config: config,
|
config: config,
|
||||||
|
banned: banned,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
@ -22,6 +22,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"math/big"
|
"math/big"
|
||||||
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"sort"
|
"sort"
|
||||||
@ -277,3 +278,26 @@ func (w *wizard) readJSON() string {
|
|||||||
return string(blob)
|
return string(blob)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// readIPAddress reads a single line from stdin, trimming if from spaces and
|
||||||
|
// converts it to a network IP address.
|
||||||
|
func (w *wizard) readIPAddress() net.IP {
|
||||||
|
for {
|
||||||
|
// Read the IP address from the user
|
||||||
|
fmt.Printf("> ")
|
||||||
|
text, err := w.in.ReadString('\n')
|
||||||
|
if err != nil {
|
||||||
|
log.Crit("Failed to read user input", "err", err)
|
||||||
|
}
|
||||||
|
if text = strings.TrimSpace(text); text == "" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
// Make sure it looks ok and return it if so
|
||||||
|
ip := net.ParseIP(text)
|
||||||
|
if ip == nil {
|
||||||
|
log.Error("Invalid IP address, please retry")
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
return ip
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -60,6 +60,22 @@ func (w *wizard) deployEthstats() {
|
|||||||
fmt.Printf("What should be the secret password for the API? (default = %s)\n", infos.secret)
|
fmt.Printf("What should be the secret password for the API? (default = %s)\n", infos.secret)
|
||||||
infos.secret = w.readDefaultString(infos.secret)
|
infos.secret = w.readDefaultString(infos.secret)
|
||||||
}
|
}
|
||||||
|
// Gather any blacklists to ban from reporting
|
||||||
|
fmt.Println()
|
||||||
|
fmt.Printf("Keep existing IP %v blacklist (y/n)? (default = yes)\n", infos.banned)
|
||||||
|
if w.readDefaultString("y") != "y" {
|
||||||
|
infos.banned = nil
|
||||||
|
|
||||||
|
fmt.Println()
|
||||||
|
fmt.Println("Which IP addresses should be blacklisted?")
|
||||||
|
for {
|
||||||
|
if ip := w.readIPAddress(); ip != nil {
|
||||||
|
infos.banned = append(infos.banned, ip.String())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
// Try to deploy the ethstats server on the host
|
// Try to deploy the ethstats server on the host
|
||||||
trusted := make([]string, 0, len(w.servers))
|
trusted := make([]string, 0, len(w.servers))
|
||||||
for _, client := range w.servers {
|
for _, client := range w.servers {
|
||||||
@ -67,7 +83,7 @@ func (w *wizard) deployEthstats() {
|
|||||||
trusted = append(trusted, client.address)
|
trusted = append(trusted, client.address)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted); err != nil {
|
if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted, infos.banned); err != nil {
|
||||||
log.Error("Failed to deploy ethstats container", "err", err)
|
log.Error("Failed to deploy ethstats container", "err", err)
|
||||||
if len(out) > 0 {
|
if len(out) > 0 {
|
||||||
fmt.Printf("%s\n", out)
|
fmt.Printf("%s\n", out)
|
||||||
|
Loading…
Reference in New Issue
Block a user