tty228 / luci-app-wechatpush

A plugin for OpenWRT routers to send various information notifications to a mobile phone via WeChat or Telegram.
GNU General Public License v2.0

Frequent failed logins / auto-ban: a do-not-disturb option for the push notifications #287

Closed GOUKI9999 closed 3 months ago

GOUKI9999 commented 3 months ago

My router is on the public internet and gets scanned and dictionary-attacked fairly often, so there are a great many push notifications. At peak there are nearly 20 "ban IP" notifications within a single hour, which is really rather tiresome.

As I understand it, auto-ban is actually an auxiliary feature of the frequent-failed-login push notification, and I think that is fine. (In fact I have given up other modules such as fail2ban and beardrop and rely entirely on your current feature to ban IPs, treating it as a standalone feature module.) But in a situation like this, could the do-not-disturb logic offer an option to not push failed-login warnings at all, similar to the do-not-disturb setting for normal logins?

tty228 commented 3 months ago

Just select "Only record to log".

GOUKI9999 commented 3 months ago

Just select "Only record to log".

Yes, that is what is selected now... Also, I saw an example like this:

Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6164]: Exit before auth from <222.91.125.106:55264>: Exited normally
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6258]: Child connection from 222.91.125.106:57084
Fri Jul 12 13:02:36 2024 authpriv.warn dropbear[6258]: Bad password attempt for 'root' from 222.91.125.106:57084
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6258]: Exit before auth from <222.91.125.106:57084>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6419]: Child connection from 222.91.125.106:58898
Fri Jul 12 13:02:36 2024 authpriv.warn dropbear[6419]: Bad password attempt for 'root' from 222.91.125.106:58898
Fri Jul 12 13:02:37 2024 authpriv.info dropbear[6419]: Exit before auth from <222.91.125.106:58898>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:37 2024 authpriv.info dropbear[6420]: Child connection from 222.91.125.106:32890
Fri Jul 12 13:02:37 2024 authpriv.warn dropbear[6420]: Bad password attempt for 'root' from 222.91.125.106:32890
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6420]: Exit before auth from <222.91.125.106:32890>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6427]: Child connection from 222.91.125.106:35084
Fri Jul 12 13:02:38 2024 authpriv.warn dropbear[6427]: Bad password attempt for 'root' from 222.91.125.106:35084
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6427]: Exit before auth from <222.91.125.106:35084>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6440]: Child connection from 222.91.125.106:37442
Fri Jul 12 13:02:39 2024 authpriv.warn dropbear[6440]: Bad password attempt for 'root' from 222.91.125.106:37442
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6501]: Child connection from 222.91.125.106:39302
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6440]: Exit before auth from <222.91.125.106:37442>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:39 2024 authpriv.warn dropbear[6501]: Bad password attempt for 'root' from 222.91.125.106:39302
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6501]: Exit before auth from <222.91.125.106:39302>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6738]: Child connection from 222.91.125.106:40598
Fri Jul 12 13:02:40 2024 authpriv.warn dropbear[6738]: Bad password attempt for 'root' from 222.91.125.106:40598
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6738]: Exit before auth from <222.91.125.106:40598>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6740]: Child connection from 222.91.125.106:41900
Fri Jul 12 13:02:40 2024 authpriv.warn dropbear[6740]: Bad password attempt for 'root' from 222.91.125.106:41900
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6740]: Exit before auth from <222.91.125.106:41900>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6749]: Child connection from 222.91.125.106:43148
Fri Jul 12 13:02:41 2024 authpriv.warn dropbear[6749]: Login attempt for nonexistent user
Fri Jul 12 13:02:41 2024 authpriv.info dropbear[6756]: Child connection from 222.91.125.106:45130
Fri Jul 12 13:02:41 2024 authpriv.info dropbear[6749]: Exit before auth from <222.91.125.106:43148>: Exited normally
Fri Jul 12 13:02:41 2024 authpriv.warn dropbear[6756]: Bad password attempt for 'root' from 222.91.125.106:45130
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6757]: Child connection from 222.91.125.106:47034
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6756]: Exit before auth from <222.91.125.106:45130>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:42 2024 authpriv.warn dropbear[6757]: Bad password attempt for 'root' from 222.91.125.106:47034
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6757]: Exit before auth from <222.91.125.106:47034>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6764]: Child connection from 222.91.125.106:48732
Fri Jul 12 13:02:42 2024 authpriv.warn dropbear[6764]: Bad password attempt for 'root' from 222.91.125.106:48732
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6813]: Child connection from 222.91.125.106:50544
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6764]: Exit before auth from <222.91.125.106:48732>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:43 2024 authpriv.warn dropbear[6813]: Bad password attempt for 'root' from 222.91.125.106:50544
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6813]: Exit before auth from <222.91.125.106:50544>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6900]: Child connection from 222.91.125.106:51964
Fri Jul 12 13:02:43 2024 authpriv.warn dropbear[6900]: Bad password attempt for 'root' from 222.91.125.106:51964
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[6900]: Exit before auth from <222.91.125.106:51964>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[7024]: Child connection from 222.91.125.106:53664
Fri Jul 12 13:02:44 2024 authpriv.warn dropbear[7024]: Bad password attempt for 'root' from 222.91.125.106:53664
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[7024]: Exit before auth from <222.91.125.106:53664>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[7031]: Child connection from 222.91.125.106:55094
Fri Jul 12 13:02:45 2024 authpriv.warn dropbear[7031]: Bad password attempt for 'root' from 222.91.125.106:55094
Fri Jul 12 13:02:45 2024 authpriv.info dropbear[7032]: Child connection from 222.91.125.106:56970
Fri Jul 12 13:02:45 2024 authpriv.info dropbear[7031]: Exit before auth from <222.91.125.106:55094>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:45 2024 authpriv.warn dropbear[7032]: Bad password attempt for 'root' from 222.91.125.106:56970
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7039]: Child connection from 222.91.125.106:58450
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7032]: Exit before auth from <222.91.125.106:56970>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:46 2024 authpriv.warn dropbear[7039]: Login attempt for nonexistent user
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7039]: Exit before auth from <222.91.125.106:58450>: Exited normally
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7044]: Child connection from 222.91.125.106:60022
Fri Jul 12 13:02:46 2024 authpriv.warn dropbear[7044]: Login attempt for nonexistent user
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7044]: Exit before auth from <222.91.125.106:60022>: Exited normally
Fri Jul 12 13:02:47 2024 authpriv.info dropbear[7051]: Child connection from 222.91.125.106:33126
Fri Jul 12 13:02:47 2024 authpriv.warn dropbear[7051]: Login attempt for nonexistent user
Fri Jul 12 13:02:47 2024 authpriv.info dropbear[7051]: Exit before auth from <222.91.125.106:33126>: Exited normally
Fri Jul 12 13:02:47 2024 authpriv.info dropbear[7067]: Child connection from 222.91.125.106:35085
Fri Jul 12 13:02:47 2024 authpriv.warn dropbear[7067]: Login attempt for nonexistent user
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7074]: Child connection from 222.91.125.106:36780
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7067]: Exit before auth from <222.91.125.106:35085>: Exited normally
Fri Jul 12 13:02:48 2024 authpriv.warn dropbear[7074]: Login attempt for nonexistent user
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7083]: Child connection from 222.91.125.106:38596
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7074]: Exit before auth from <222.91.125.106:36780>: Exited normally
Fri Jul 12 13:02:49 2024 authpriv.warn dropbear[7083]: Login attempt for nonexistent user
Fri Jul 12 13:02:49 2024 authpriv.info dropbear[7083]: Exit before auth from <222.91.125.106:38596>: Exited normally
Fri Jul 12 13:02:49 2024 authpriv.info dropbear[7086]: Child connection from 222.91.125.106:40352
Fri Jul 12 13:02:49 2024 authpriv.warn dropbear[7086]: Login attempt for nonexistent user
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7093]: Child connection from 222.91.125.106:42634
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7086]: Exit before auth from <222.91.125.106:40352>: Exited normally
Fri Jul 12 13:02:50 2024 authpriv.warn dropbear[7093]: Login attempt for nonexistent user
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7093]: Exit before auth from <222.91.125.106:42634>: Exited normally
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7100]: Child connection from 222.91.125.106:44112
Fri Jul 12 13:02:50 2024 authpriv.warn dropbear[7100]: Bad password attempt for 'root' from 222.91.125.106:44112
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7148]: Child connection from 222.91.125.106:45824
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7100]: Exit before auth from <222.91.125.106:44112>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:51 2024 authpriv.warn dropbear[7148]: Bad password attempt for 'root' from 222.91.125.106:45824
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7148]: Exit before auth from <222.91.125.106:45824>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7247]: Child connection from 222.91.125.106:47214
Fri Jul 12 13:02:52 2024 authpriv.warn dropbear[7247]: Bad password attempt for 'root' from 222.91.125.106:47214
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7357]: Child connection from 222.91.125.106:49090
Fri Jul 12 13:02:52 2024 authpriv.warn dropbear[7357]: Bad password attempt for 'root' from 222.91.125.106:49090
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7247]: Exit before auth from <222.91.125.106:47214>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7357]: Exit before auth from <222.91.125.106:49090>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7367]: Child connection from 222.91.125.106:50576
Fri Jul 12 13:02:53 2024 authpriv.warn dropbear[7367]: Bad password attempt for 'root' from 222.91.125.106:50576
Fri Jul 12 13:02:53 2024 authpriv.info dropbear[7367]: Exit before auth from <222.91.125.106:50576>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:53 2024 authpriv.info dropbear[7374]: Child connection from 222.91.125.106:52080
Fri Jul 12 13:02:53 2024 authpriv.warn dropbear[7374]: Login attempt for nonexistent user
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7374]: Exit before auth from <222.91.125.106:52080>: Exited normally
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7381]: Child connection from 222.91.125.106:53948
Fri Jul 12 13:02:54 2024 authpriv.warn dropbear[7381]: Login attempt for nonexistent user
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7388]: Child connection from 222.91.125.106:55766
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7381]: Exit before auth from <222.91.125.106:53948>: Exited normally
Fri Jul 12 13:02:54 2024 authpriv.warn dropbear[7388]: Bad password attempt for 'root' from 222.91.125.106:55766
Fri Jul 12 13:02:55 2024 authpriv.info dropbear[7388]: Exit before auth from <222.91.125.106:55766>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:55 2024 authpriv.info dropbear[7389]: Child connection from 222.91.125.106:57106
Fri Jul 12 13:02:55 2024 authpriv.warn dropbear[7389]: Bad password attempt for 'root' from 222.91.125.106:57106
Fri Jul 12 13:02:56 2024 authpriv.info dropbear[7427]: Child connection from 222.91.125.106:59592
Fri Jul 12 13:02:56 2024 authpriv.info dropbear[7389]: Exit before auth from <222.91.125.106:57106>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:56 2024 authpriv.warn dropbear[7427]: Bad password attempt for 'root' from 222.91.125.106:59592
Fri Jul 12 13:02:56 2024 authpriv.info dropbear[7427]: Exit before auth from <222.91.125.106:59592>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:18:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.206 88:66:5a:58:5d:d7

The notification for this IP was repeated 6-7 times. Should it be considered to push only once for the same IP?

tty228 commented 3 months ago

Check whether the blacklist contains a ban record for this IP. If it doesn't, you need to look at whether the problem comes from a failed ban. If there is already a record, then a large number of log entries were probably generated in a short time, causing repeated bans + notifications.

Also, I tried it: the do-not-disturb option currently only applies to normal logins; I remembered wrong. The reason I didn't add do-not-disturb for this at the time was that, in theory, once an IP is banned, login entries should no longer appear in the log.

tty228 commented 3 months ago

No wonder it looked familiar: https://github.com/tty228/luci-app-wechatpush/issues/232#issuecomment-1582486856

GOUKI9999 commented 3 months ago

Check whether the blacklist contains a ban record for this IP. If it doesn't, you need to look at whether the problem comes from a failed ban. If there is already a record, then a large number of log entries were probably generated in a short time, causing repeated bans + notifications.

Also, I tried it: the do-not-disturb option currently only applies to normal logins; I remembered wrong. The reason I didn't add do-not-disturb for this at the time was that, in theory, once an IP is banned, login entries should no longer appear in the log.

Right... haha, just now I even had the illusion that we had discussed this issue before and that a bug had been found and fixed back then. One more thing to add: I did check the wechat-push log in the LuCI interface, but it opened extremely slowly.

Maybe the log is being deleted too frequently? I also updated to the previous version, 3.5.3, and up to then this problem did not seem to occur. After 11 a.m. today I upgraded my two OpenWrt devices to this update (3.5.3 to 3.5.5); the flood of ban-attempt pushes and the log not opening both happen on the same device, the one exposed to the public internet.

Also, I'd still ask you to consider adding, in the do-not-disturb section, a way to turn off the push for frequent login attempts. And looking at it this way, was the fact that this information was not pushed before actually the bug?

Finally, I looked at the repeated pushes above: not only are the log lines different, the IP-attribution information also differs and the intervals between them are fairly long. And the log has now been deleted, so I can't tell when the IP ban happened.

One more addition: opening the log not only spins for a very long time, it even produced Chrome's "out of memory" page more than twice (the web page crashed). 1/3 of the time the log opened after spinning, but Chrome stopped responding; 1/3 of the time it spun endlessly (over 3 minutes); 1/3 of the time it went straight to out of memory. That is because I only tested three times.

tty228 commented 3 months ago

Check how big the log is and how many lines it has, because the current log cleanup rule deletes the first xxx lines rather than keeping only the last xxx lines. To get the latter behaviour, every command I could think of needs to create a temporary file, so I didn't really want to use that at the time. How could so many log entries have been generated?

It probably wasn't pushed before because the system log format changed. The previous match string was "Bad password attempt|Login attempt for nonexistent user from", but last time I couldn't find "from" anywhere; I don't know whether it was a typo or the format changed.

GOUKI9999 commented 3 months ago

Check how big the log is and how many lines it has, because the current log cleanup rule deletes the first xxx lines rather than keeping only the last xxx lines. To get the latter behaviour, every command I could think of needs to create a temporary file, so I didn't really want to use that at the time. How could so many log entries have been generated?

It probably wasn't pushed before because the system log format changed. The previous match string was "Bad password attempt|Login attempt for nonexistent user from", but last time I couldn't find "from" anywhere; I don't know whether it was a typo or the format changed.

Found it; the size is a bit off:

drwxr-xr-x 2 root root 40 Jul 12 16:39 json_output/
-rw-r--r-- 1 root root 0 Jul 12 16:39 wechatpush.lock
-rw-r--r-- 1 root root 90423175 Jul 12 16:39 wechatpush.log

wc -l /tmp/wechatpush/wechatpush.log
781384 /tmp/wechatpush/wechatpush.log

Seven hundred eighty thousand lines? Even the system log is far smaller than this; I checked, and the syslog for these two days is only a little over 1100 lines.

head /tmp/wechatpush/wechatpush.log
Thu Jul 11 10:09:54 2024 authpriv.warn dropbear[30961]: Bad password attempt for 'root' from 223.111.145.48:56106
Thu Jul 11 10:09:54 2024 authpriv.info dropbear[31152]: Child connection from 223.111.145.48:56328
Thu Jul 11 10:09:54 2024 authpriv.info dropbear[30961]: Exit before auth from <223.111.145.48:56106>: (user 'root', 1 fails): Exited normally
Thu Jul 11 10:09:55 2024 authpriv.warn dropbear[31152]: Bad password attempt for 'root' from 223.111.145.48:56328
Thu Jul 11 10:09:55 2024 authpriv.info dropbear[31152]: Exit before auth from <223.111.145.48:56328>: (user 'root', 1 fails): Exited normally
Thu Jul 11 10:09:55 2024 authpriv.info dropbear[31286]: Child connection from 223.111.145.48:56500
Thu Jul 11 10:09:55 2024 authpriv.warn dropbear[31286]: Bad password attempt for 'root' from 223.111.145.48:56500
Thu Jul 11 10:09:56 2024 authpriv.info dropbear[31286]: Exit before auth from <223.111.145.48:56500>: (user 'root', 1 fails): Exited normally
Thu Jul 11 10:09:56 2024 authpriv.info dropbear[31427]: Child connection from 223.111.145.48:56748
Thu Jul 11 10:09:56 2024 authpriv.warn dropbear[31427]: Bad password attempt for 'root' from 223.111.145.48:56748

I looked at it; I don't know what bug it is, but it keeps rewriting itself in a loop. One section of 280-odd lines is repeated hundreds of times.

GOUKI9999 commented 3 months ago

Check how big the log is and how many lines it has, because the current log cleanup rule deletes the first xxx lines rather than keeping only the last xxx lines. To get the latter behaviour, every command I could think of needs to create a temporary file, so I didn't really want to use that at the time. How could so many log entries have been generated?

tail -n 200 /tmp/aaa.log | tee /tmp/aaa.log > /dev/null

Would this approach work? It produces almost no temporary file. I also have some scheduled log-processing needs of my own; of course a temporary file under /tmp is still a reasonably safe method.

It probably wasn't pushed before because the system log format changed. The previous match string was "Bad password attempt|Login attempt for nonexistent user from", but last time I couldn't find "from" anywhere; I don't know whether it was a typo or the format changed.

tty228 commented 3 months ago

How did the system log end up being written into /tmp/wechatpush/wechatpush.log? I don't get it. Send me the first few or last few lines of where the system log appears, and I'll check whether some variable read in the whole system log.

GOUKI9999 commented 3 months ago

The start of the loop is those head lines above; the end is the middle part of the screenshot.

tty228 commented 3 months ago

Clear that file and see whether it still happens. I've never run into this. I looked, and the few commands that read the system log basically all apply a regex and extract only the first line. Baffled.

tty228 commented 3 months ago

echo "$(date "+%Y-%m-%d") ${login_time} ${disturb_text}设备 ${login_ip} (${login_ip_attribution}) 通过 ${log_type_short} ${login_mode} ${log_message}" >>"${logfile}"

Judging by the behaviour it also looks like this line is the cause, but local log_type_short="Web" || local log_type_short="SSH" and the ${login_mode} variables are all tail -n 1. Besides, if that variable had a problem, the pushed content would also turn into many lines.

GOUKI9999 commented 3 months ago

After clearing the log it went back to normal. About the only information I can provide is:

Fri Jul 12 11:10:26 2024 cron.err crond[19783]: crond (busybox 1.35.0) started, log level 5
Fri Jul 12 11:11:53 2024 daemon.info procd: Instance wechatpush::instance1 pid 16709 not stopped on SIGTERM, sending SIGKILL instead

The wechatpush opkg upgrade was at 11 o'clock and the log starts at 10, so the constant rewriting doesn't seem to come from the upgrade itself, but it may be related to the new regex for matching the system log. The i18n upgrade failed and I used force-overwrite, but I don't think that is related to this bug.

The configuration has not changed at all compared to before. While the log was being rewritten continuously, pushes were basically normal, and manual tests were normal too.

Can't reproduce it, so let's leave it for now and wait for you to add do-not-disturb for IP bans. Also, could you consider keeping the last n lines of the log instead of deleting the first n lines?

tty228 commented 3 months ago

Your command reads and writes the same file at the same time; without going through a temporary file it will fail to save, and in practice it won't keep the last 200 lines. I'll just honestly use a temporary file.
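An added editorial example (not the project's code and not either participant's) of the "keep only the last N lines" cleanup discussed above, done the way the last reply recommends: through a temporary file. `tail -n 200 f | tee f` fails because `tee` opens `f` for writing (truncating it) as soon as the pipeline starts, racing `tail`'s read of the same file, so how much survives depends on timing. Writing the tail to a temporary file created in the same directory and then renaming it over the log gives an atomic replacement; a writer that appends with `>>` per line, as the `echo ... >>"${logfile}"` line quoted earlier in the thread does, reopens the file on every write and so continues on the new file. Function names and the sample-log layout are assumptions; the sample content is constructed.

```shell
#!/bin/sh
# Added example, not luci-app-wechatpush code: trim LOG so that only its last N lines remain.
#
# Do not use `tail -n N "$log" | tee "$log" >/dev/null`: tee truncates the file on open while
# tail may still be reading it, so the outcome is timing-dependent and can be an empty file.
# A temporary file in the same directory plus mv (an atomic rename on the same filesystem)
# avoids that: readers see either the old file or the complete trimmed one, never a partial.

keep_last_lines() {
    log="$1"
    n="$2"
    [ -f "$log" ] || return 1
    dir=$(dirname "$log")
    # Same directory as the log so that the rename below cannot cross a filesystem boundary.
    tmp=$(mktemp "$dir/.trim.XXXXXX") || return 1
    if tail -n "$n" "$log" > "$tmp"; then
        mv "$tmp" "$log"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed test input: COUNT lines of the form "line 1", "line 2", ... written to PATH.
make_sample_log() {
    awk -v count="$2" 'BEGIN { for (i = 1; i <= count; i++) print "line " i }' > "$1"
}

# Helpers returning the facts a cron job would want to check after trimming.
line_count() { wc -l < "$1" | tr -d ' '; }
first_line() { head -n 1 "$1"; }

# Demo: 500 lines in, 200 lines out, starting at "line 301".
if [ "${1:-}" = "demo" ]; then
    demo_log=$(mktemp)
    make_sample_log "$demo_log" 500
    keep_last_lines "$demo_log" 200
    echo "$(line_count "$demo_log") lines, first is: $(first_line "$demo_log")"
    rm -f "$demo_log"
fi
```

A file shorter than N is copied unchanged, so the function is safe to run unconditionally from cron. Because `mv` replaces the inode, a process that keeps the old log open for writing would go on writing to the orphaned file; this project's per-line `>>` append does not have that problem.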