aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPéter Szilágyi <peterke@gmail.com>2017-08-18 17:39:48 +0800
committerGitHub <noreply@github.com>2017-08-18 17:39:48 +0800
commit998abb910776f61fcea1d9350b157994abf5224b (patch)
tree1cbcce71bd2933d1e4ac1be7270d61f661cb20ba
parent104375f398bdfca88183010cc3693e377ea74163 (diff)
parent059c767adf4956d6d7bae16066a798d02a367f01 (diff)
downloaddexon-998abb910776f61fcea1d9350b157994abf5224b.tar
dexon-998abb910776f61fcea1d9350b157994abf5224b.tar.gz
dexon-998abb910776f61fcea1d9350b157994abf5224b.tar.bz2
dexon-998abb910776f61fcea1d9350b157994abf5224b.tar.lz
dexon-998abb910776f61fcea1d9350b157994abf5224b.tar.xz
dexon-998abb910776f61fcea1d9350b157994abf5224b.tar.zst
dexon-998abb910776f61fcea1d9350b157994abf5224b.zip
Merge pull request #14999 from karalabe/puppeth-ethstats-blacklist
cmd/puppeth: support blacklisting malicious IPs on ethstats
-rw-r--r--cmd/puppeth/module_ethstats.go25
-rw-r--r--cmd/puppeth/wizard.go24
-rw-r--r--cmd/puppeth/wizard_ethstats.go18
3 files changed, 60 insertions, 7 deletions
diff --git a/cmd/puppeth/module_ethstats.go b/cmd/puppeth/module_ethstats.go
index da34acb3b..5d3fa5fc0 100644
--- a/cmd/puppeth/module_ethstats.go
+++ b/cmd/puppeth/module_ethstats.go
@@ -42,7 +42,7 @@ RUN \
WORKDIR /eth-netstats
EXPOSE 3000
-RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: []};' > lib/utils/config.js
+RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: [{{.Banned}}]};' > lib/utils/config.js
CMD ["npm", "start"]
`
@@ -59,7 +59,8 @@ services:
- "{{.Port}}:3000"{{end}}
environment:
- WS_SECRET={{.Secret}}{{if .VHost}}
- - VIRTUAL_HOST={{.VHost}}{{end}}
+ - VIRTUAL_HOST={{.VHost}}{{end}}{{if .Banned}}
+ - BANNED={{.Banned}}{{end}}
logging:
driver: "json-file"
options:
@@ -71,18 +72,24 @@ services:
// deployEthstats deploys a new ethstats container to a remote machine via SSH,
// docker and docker-compose. If an instance with the specified network name
// already exists there, it will be overwritten!
-func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string) ([]byte, error) {
+func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string, banned []string) ([]byte, error) {
// Generate the content to upload to the server
workdir := fmt.Sprintf("%d", rand.Int63())
files := make(map[string][]byte)
+ trustedLabels := make([]string, len(trusted))
for i, address := range trusted {
- trusted[i] = fmt.Sprintf("\"%s\"", address)
+ trustedLabels[i] = fmt.Sprintf("\"%s\"", address)
+ }
+ bannedLabels := make([]string, len(banned))
+ for i, address := range banned {
+ bannedLabels[i] = fmt.Sprintf("\"%s\"", address)
}
dockerfile := new(bytes.Buffer)
template.Must(template.New("").Parse(ethstatsDockerfile)).Execute(dockerfile, map[string]interface{}{
- "Trusted": strings.Join(trusted, ", "),
+ "Trusted": strings.Join(trustedLabels, ", "),
+ "Banned": strings.Join(bannedLabels, ", "),
})
files[filepath.Join(workdir, "Dockerfile")] = dockerfile.Bytes()
@@ -92,6 +99,7 @@ func deployEthstats(client *sshClient, network string, port int, secret string,
"Port": port,
"Secret": secret,
"VHost": vhost,
+ "Banned": strings.Join(banned, ","),
})
files[filepath.Join(workdir, "docker-compose.yaml")] = composefile.Bytes()
@@ -112,11 +120,12 @@ type ethstatsInfos struct {
port int
secret string
config string
+ banned []string
}
// String implements the stringer interface.
func (info *ethstatsInfos) String() string {
- return fmt.Sprintf("host=%s, port=%d, secret=%s", info.host, info.port, info.secret)
+ return fmt.Sprintf("host=%s, port=%d, secret=%s, banned=%v", info.host, info.port, info.secret, info.banned)
}
// checkEthstats does a health-check against an ethstats server to verify whether
@@ -150,6 +159,9 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) {
if port != 80 && port != 443 {
config += fmt.Sprintf(":%d", port)
}
+ // Retrieve the IP blacklist
+ banned := strings.Split(infos.envvars["BANNED"], ",")
+
// Run a sanity check to see if the port is reachable
if err = checkPort(host, port); err != nil {
log.Warn("Ethstats service seems unreachable", "server", host, "port", port, "err", err)
@@ -160,5 +172,6 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) {
port: port,
secret: secret,
config: config,
+ banned: banned,
}, nil
}
diff --git a/cmd/puppeth/wizard.go b/cmd/puppeth/wizard.go
index f19bcbbcd..518741279 100644
--- a/cmd/puppeth/wizard.go
+++ b/cmd/puppeth/wizard.go
@@ -22,6 +22,7 @@ import (
"fmt"
"io/ioutil"
"math/big"
+ "net"
"os"
"path/filepath"
"sort"
@@ -277,3 +278,26 @@ func (w *wizard) readJSON() string {
return string(blob)
}
}
+
+// readIPAddress reads a single line from stdin, trimming if from spaces and
+// converts it to a network IP address.
+func (w *wizard) readIPAddress() net.IP {
+ for {
+ // Read the IP address from the user
+ fmt.Printf("> ")
+ text, err := w.in.ReadString('\n')
+ if err != nil {
+ log.Crit("Failed to read user input", "err", err)
+ }
+ if text = strings.TrimSpace(text); text == "" {
+ return nil
+ }
+ // Make sure it looks ok and return it if so
+ ip := net.ParseIP(text)
+ if ip == nil {
+ log.Error("Invalid IP address, please retry")
+ continue
+ }
+ return ip
+ }
+}
diff --git a/cmd/puppeth/wizard_ethstats.go b/cmd/puppeth/wizard_ethstats.go
index c117a6027..504d8fd9c 100644
--- a/cmd/puppeth/wizard_ethstats.go
+++ b/cmd/puppeth/wizard_ethstats.go
@@ -60,6 +60,22 @@ func (w *wizard) deployEthstats() {
fmt.Printf("What should be the secret password for the API? (default = %s)\n", infos.secret)
infos.secret = w.readDefaultString(infos.secret)
}
+ // Gather any blacklists to ban from reporting
+ fmt.Println()
+ fmt.Printf("Keep existing IP %v blacklist (y/n)? (default = yes)\n", infos.banned)
+ if w.readDefaultString("y") != "y" {
+ infos.banned = nil
+
+ fmt.Println()
+ fmt.Println("Which IP addresses should be blacklisted?")
+ for {
+ if ip := w.readIPAddress(); ip != nil {
+ infos.banned = append(infos.banned, ip.String())
+ continue
+ }
+ break
+ }
+ }
// Try to deploy the ethstats server on the host
trusted := make([]string, 0, len(w.servers))
for _, client := range w.servers {
@@ -67,7 +83,7 @@ func (w *wizard) deployEthstats() {
trusted = append(trusted, client.address)
}
}
- if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted); err != nil {
+ if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted, infos.banned); err != nil {
log.Error("Failed to deploy ethstats container", "err", err)
if len(out) > 0 {
fmt.Printf("%s\n", out)