From 059c767adf4956d6d7bae16066a798d02a367f01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Szil=C3=A1gyi?= Date: Fri, 18 Aug 2017 11:23:56 +0300 Subject: [PATCH] cmd/puppeth: support blacklisting malicious IPs on ethstats --- cmd/puppeth/module_ethstats.go | 25 +++++++++++++++++++------ cmd/puppeth/wizard.go | 24 ++++++++++++++++++++++++ cmd/puppeth/wizard_ethstats.go | 18 +++++++++++++++++- 3 files changed, 60 insertions(+), 7 deletions(-) diff --git a/cmd/puppeth/module_ethstats.go b/cmd/puppeth/module_ethstats.go index da34acb3b..5d3fa5fc0 100644 --- a/cmd/puppeth/module_ethstats.go +++ b/cmd/puppeth/module_ethstats.go @@ -42,7 +42,7 @@ RUN \ WORKDIR /eth-netstats EXPOSE 3000 -RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: []};' > lib/utils/config.js +RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: [{{.Banned}}]};' > lib/utils/config.js CMD ["npm", "start"] ` @@ -59,7 +59,8 @@ services: - "{{.Port}}:3000"{{end}} environment: - WS_SECRET={{.Secret}}{{if .VHost}} - - VIRTUAL_HOST={{.VHost}}{{end}} + - VIRTUAL_HOST={{.VHost}}{{end}}{{if .Banned}} + - BANNED={{.Banned}}{{end}} logging: driver: "json-file" options: @@ -71,18 +72,24 @@ services: // deployEthstats deploys a new ethstats container to a remote machine via SSH, // docker and docker-compose. If an instance with the specified network name // already exists there, it will be overwritten! -func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string) ([]byte, error) { +func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string, banned []string) ([]byte, error) { // Generate the content to upload to the server workdir := fmt.Sprintf("%d", rand.Int63()) files := make(map[string][]byte) + trustedLabels := make([]string, len(trusted)) for i, address := range trusted { - trusted[i] = fmt.Sprintf("\"%s\"", address) + trustedLabels[i] = fmt.Sprintf("\"%s\"", address) + } + bannedLabels := make([]string, len(banned)) + for i, address := range banned { + bannedLabels[i] = fmt.Sprintf("\"%s\"", address) } dockerfile := new(bytes.Buffer) template.Must(template.New("").Parse(ethstatsDockerfile)).Execute(dockerfile, map[string]interface{}{ - "Trusted": strings.Join(trusted, ", "), + "Trusted": strings.Join(trustedLabels, ", "), + "Banned": strings.Join(bannedLabels, ", "), }) files[filepath.Join(workdir, "Dockerfile")] = dockerfile.Bytes() @@ -92,6 +99,7 @@ func deployEthstats(client *sshClient, network string, port int, secret string, "Port": port, "Secret": secret, "VHost": vhost, + "Banned": strings.Join(banned, ","), }) files[filepath.Join(workdir, "docker-compose.yaml")] = composefile.Bytes() @@ -112,11 +120,12 @@ type ethstatsInfos struct { port int secret string config string + banned []string } // String implements the stringer interface. func (info *ethstatsInfos) String() string { - return fmt.Sprintf("host=%s, port=%d, secret=%s", info.host, info.port, info.secret) + return fmt.Sprintf("host=%s, port=%d, secret=%s, banned=%v", info.host, info.port, info.secret, info.banned) } // checkEthstats does a health-check against an ethstats server to verify whether @@ -150,6 +159,9 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) { if port != 80 && port != 443 { config += fmt.Sprintf(":%d", port) } + // Retrieve the IP blacklist + banned := strings.Split(infos.envvars["BANNED"], ",") + // Run a sanity check to see if the port is reachable if err = checkPort(host, port); err != nil { log.Warn("Ethstats service seems unreachable", "server", host, "port", port, "err", err) @@ -160,5 +172,6 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) { port: port, secret: secret, config: config, + banned: banned, }, nil } diff --git a/cmd/puppeth/wizard.go b/cmd/puppeth/wizard.go index f19bcbbcd..518741279 100644 --- a/cmd/puppeth/wizard.go +++ b/cmd/puppeth/wizard.go @@ -22,6 +22,7 @@ import ( "fmt" "io/ioutil" "math/big" + "net" "os" "path/filepath" "sort" @@ -277,3 +278,26 @@ func (w *wizard) readJSON() string { return string(blob) } } + +// readIPAddress reads a single line from stdin, trimming if from spaces and +// converts it to a network IP address. +func (w *wizard) readIPAddress() net.IP { + for { + // Read the IP address from the user + fmt.Printf("> ") + text, err := w.in.ReadString('\n') + if err != nil { + log.Crit("Failed to read user input", "err", err) + } + if text = strings.TrimSpace(text); text == "" { + return nil + } + // Make sure it looks ok and return it if so + ip := net.ParseIP(text) + if ip == nil { + log.Error("Invalid IP address, please retry") + continue + } + return ip + } +} diff --git a/cmd/puppeth/wizard_ethstats.go b/cmd/puppeth/wizard_ethstats.go index c117a6027..504d8fd9c 100644 --- a/cmd/puppeth/wizard_ethstats.go +++ b/cmd/puppeth/wizard_ethstats.go @@ -60,6 +60,22 @@ func (w *wizard) deployEthstats() { fmt.Printf("What should be the secret password for the API? (default = %s)\n", infos.secret) infos.secret = w.readDefaultString(infos.secret) } + // Gather any blacklists to ban from reporting + fmt.Println() + fmt.Printf("Keep existing IP %v blacklist (y/n)? (default = yes)\n", infos.banned) + if w.readDefaultString("y") != "y" { + infos.banned = nil + + fmt.Println() + fmt.Println("Which IP addresses should be blacklisted?") + for { + if ip := w.readIPAddress(); ip != nil { + infos.banned = append(infos.banned, ip.String()) + continue + } + break + } + } // Try to deploy the ethstats server on the host trusted := make([]string, 0, len(w.servers)) for _, client := range w.servers { @@ -67,7 +83,7 @@ func (w *wizard) deployEthstats() { trusted = append(trusted, client.address) } } - if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted); err != nil { + if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted, infos.banned); err != nil { log.Error("Failed to deploy ethstats container", "err", err) if len(out) > 0 { fmt.Printf("%s\n", out)