| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 |
- """Background protector: periodically checks protector_list entries and blocks offending dst_addr via advanced_acl.add_ip
- """
- from __future__ import annotations
- import threading
- import time
- from typing import Optional
- import advanced_acl
- from auth_session import load_config
- import protector_list
- from analysis_connections import find_high_connections_for_src_ports
- from log_util import get_logger
- logger = get_logger("protector")
- class ProtectorRunner:
- def __init__(self):
- cfg = load_config()
- self.interval = int(cfg.get("scan_interval", 60))
- self._stop = threading.Event()
- self.last_run_time: Optional[float] = None
- def run_once(self):
- # record start time to help external coordinators avoid duplicate runs
- try:
- self.last_run_time = time.time()
- except Exception:
- pass
- items = protector_list.load_list()
- for entry in items:
- target = entry.get("target_ip")
- src_port = int(entry.get("src_port"))
- threshold = entry.get("threshold")
- try:
- res = find_high_connections_for_src_ports(target, src_port, threshold=threshold)
- except Exception as e:
- logger.exception(f"检查失败 {target}:{src_port} - {e}")
- continue
- matches = res.get("by_src_port", {}).get(int(src_port), [])
- if not matches:
- logger.info(f"{target}:{src_port} - 无异常连接")
- continue
- for m in matches:
- dst = m.get("dst_addr")
- # Call advanced_acl.add_ip to block
- try:
- # Do not pass custom comment here so add_ip will place the IP into Test_* groups
- # (comment was causing new rules to be named AutoBlock_..., not grouped).
- result = advanced_acl.add_ip(dst)
- # Support both legacy (resp, data) tuple and new dict result
- if isinstance(result, dict):
- added = result.get("added")
- rule = result.get("rule")
- row_id = result.get("row_id")
- msg = result.get("message")
- logger.info(f"已尝试阻断 {dst}, added={added}, rule={rule}, row_id={row_id}, msg={msg}")
- else:
- # assume (resp, data)
- resp, data = result
- logger.info(f"已尝试阻断 {dst}, 状态: {resp.status_code}, 返回: {data}")
- except Exception as e:
- logger.exception(f"阻断失败 {dst}: {e}")
- def start(self):
- self._stop.clear()
- def _loop():
- while not self._stop.is_set():
- try:
- self.run_once()
- except Exception:
- logger.exception("运行一次保护检查失败")
- # reload interval in case config changed
- try:
- cfg = load_config()
- self.interval = int(cfg.get("scan_interval", self.interval))
- except Exception:
- pass
- time.sleep(self.interval)
- t = threading.Thread(target=_loop, daemon=True)
- t.start()
- return t
- def stop(self):
- self._stop.set()
- def get_interval(self) -> int:
- """Return current scan interval in seconds."""
- try:
- cfg = load_config()
- return int(cfg.get("scan_interval", self.interval))
- except Exception:
- return self.interval
- def run_protector_blocking_once():
- pr = ProtectorRunner()
- pr.run_once()
- if __name__ == "__main__":
- r = ProtectorRunner()
- r.start()
- try:
- while True:
- time.sleep(1)
- except KeyboardInterrupt:
- r.stop()
|
