去掉r0的hook,增加IP屏蔽记录

2023-11-17 04:06:33 +08:00
parent 49904f5cb5
commit 6bac06d28a
41 changed files with 270150 additions and 48 deletions
--- a/linux_service/events/network.cpp
+++ b/linux_service/events/network.cpp
@@ -0,0 +1,57 @@
+#include "network.h"
+namespace network_event {
+
+auto block_ip(uint32_t ip_address, size_t time_sec) -> bool {
+    client_msg_t msg{0};
+    msg.check_sum = MSG_CHECK_SUM;
+    msg.type = static_cast<int>(_msg_type::SD_MSG_TYPE_CLIENT_BLOCK_IP);
+    msg.u.ip_address.src_ip = ip_address;
+    msg.u.ip_address.block_time = time_sec;
+    return client_msg::call_driver(msg);
+}
+auto on_ip_connect(uint32_t ip_address) -> bool {
+    const auto is_still_in_block_list =
+        global::ip_blacklist_db->selectRecordByIpAndTime(ip_address,
+                                                         MAX_BLOCK_TIME);
+    if (is_still_in_block_list) {
+        LOG("IP %s is still in block list\n",
+            tools::cover_ip(ip_address).c_str());
+        return true;
+    }
+    return false;
+}
+
+auto on_event(_msg_type type, kernel_msg_t msg) -> void {
+    auto ip_address = msg.u.ip_action.src_ip;
+    auto ip_str = tools::cover_ip(ip_address);
+    auto reason = std::string("");
+    bool is_block_ip = false;
+
+    switch (type) {
+        case _msg_type::SD_MSG_TYPE_NEW_IP_CONNECT: {
+            LOG("New IP connection: %s\n", ip_str.c_str());
+            is_block_ip = on_ip_connect(ip_address);
+        } break;
+        case _msg_type::SD_MSG_TYPE_SYN_ATTACK: {
+            LOG("Block ip for syn attack: %s \n", ip_str.c_str());
+            is_block_ip = true;
+            reason = "Syn attack detected";
+        } break;
+        case _msg_type::SD_MSG_TYPE_SSH_BF_ATTACK: {
+            LOG("Block ip for SSH brute force attack: %s \n", ip_str.c_str());
+            is_block_ip = true;
+            reason = "SSH brute force attack detected";
+        } break;
+        default:
+            LOG("Unknown message type: %d\n", msg.type);
+            break;
+    }
+    if (is_block_ip) {
+        block_ip(msg.u.ip_action.src_ip, MAX_BLOCK_TIME);
+        if (reason.size() > 1) {
+            global::ip_blacklist_db->insertRecord(ip_address, reason,
+                                                  std::time(nullptr));
+        }
+    }
+}
+};  // namespace network_event
--- a/linux_service/events/network.h
+++ b/linux_service/events/network.h
@@ -0,0 +1,12 @@
+#pragma once
+#include "../head.h"
+struct client_msg_t;
+struct kernel_msg_t;
+enum class _msg_type;
+namespace client_msg {
+extern auto call_driver(client_msg_t msg) -> bool;
+}  // namespace client_msg
+
+namespace network_event {
+auto on_event(_msg_type type, kernel_msg_t msg) -> void;
+};