add cloud smasher countermeasure
author
Matteo Nastasi (mop)
<nastasi@alternativeoutput.it>
Sun, 1 Feb 2015 15:15:57 +0000
(16:15 +0100)
committer
Matteo Nastasi (mop)
<nastasi@alternativeoutput.it>
Sun, 1 Feb 2015 15:15:57 +0000
(16:15 +0100)
web/Obj/brisk.conf-templ.pho
web/Obj/brisk.phh
web/Obj/sac-a-push.phh
web/index.php
web/spush/brisk-spush.php
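diff --git a/web/Obj/brisk.conf-templ.pho b/web/Obj/brisk.conf-templ.pho
index 6854d6a..90a2dc1 100644
--- a/web/Obj/brisk.conf-templ.pho
+++ b/web/Obj/brisk.conf-templ.pho
@@ -1,4 +1,12 @@
 <?php
+
+if (file_exists("$DOCUMENT_ROOT/Etc/cloud_smasher.phh")) {
+ require_once("$DOCUMENT_ROOT/Etc/cloud_smasher.phh");
+}
+else {
+ $G_cloud_smasher = array();
+}
+
 if (file_exists("$DOCUMENT_ROOT/Etc/provider_proxy.phh")) {
 require_once("$DOCUMENT_ROOT/Etc/provider_proxy.phh");
 }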
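Review bot: A missing or unreadable `Etc/cloud_smasher.phh` silently disables the new countermeasure, because the `else` branch sets `$G_cloud_smasher = array()` without any notice, and a file that exists but does not define the variable leaves it unset for the later `count()`/`update()` calls. Normalising after the include instead of only in the else branch covers both cases, `if (!isset($G_cloud_smasher)) { $G_cloud_smasher = array(); }`, and a line such as `error_log("cloud_smasher.phh not loaded, cloud list is empty");` lets an operator tell a deliberately empty list from a deployment mistake. The same fail-open pattern is in the existing provider_proxy block just below, which this commit does not touch.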
diff --git
a/web/Obj/brisk.phh
b/web/Obj/brisk.phh
index
62b80a7
..
e4dd67e
100644
(file)
--- a/
web/Obj/brisk.phh
+++ b/
web/Obj/brisk.phh
@@
-1039,8
+1039,9
@@
class Brisk
var $garbage_timeout;
var $shm_sz;
var $garbage_timeout;
var $shm_sz;
- var $ban_list; // ban list (authized allowed)
- var $black_list; // black list (anti-dos, noone allowed)
+ var $ban_list; // ban list (authized allowed)
+ var $black_list; // black list (anti-dos, noone allowed)
+ var $cloud_smasher; // list of cloud ip ranges to be rejected
var $provider_proxy; // list of provider/browser that offer proxy service
var $ghost_sess;
var $delay_mgr;
var $provider_proxy; // list of provider/browser that offer proxy service
var $ghost_sess;
var $delay_mgr;
@@
-1055,13
+1056,13
@@
class Brisk
}
// constructor
}
// constructor
- static function create($crystal_filename, $ban_list, $black_list, $prov_proxy) {
+ static function create($crystal_filename, $ban_list, $black_list, $
cloud_smasher, $
prov_proxy) {
if (($brisk_ser = @file_get_contents($crystal_filename)) != FALSE) {
if (($brisk = unserialize($brisk_ser)) != FALSE) {
fprintf(STDERR, "ROOM FROM FILE\n");
rename($crystal_filename, $crystal_filename.".old");
if (($brisk_ser = @file_get_contents($crystal_filename)) != FALSE) {
if (($brisk = unserialize($brisk_ser)) != FALSE) {
fprintf(STDERR, "ROOM FROM FILE\n");
rename($crystal_filename, $crystal_filename.".old");
- $brisk->reload(TRUE, $ban_list, $black_list, $prov_proxy);
+ $brisk->reload(TRUE, $ban_list, $black_list, $
cloud_smasher, $
prov_proxy);
return($brisk);
}
return($brisk);
}
@@
-1077,6
+1078,7
@@
class Brisk
$thiz->ban_list = IpClass::create();
$thiz->black_list = IpClass::create();
$thiz->ban_list = IpClass::create();
$thiz->black_list = IpClass::create();
+ $thiz->cloud_smasher = IpClass::create();
$thiz->provider_proxy = ProviderProxy::create();
$thiz->ghost_sess = new GhostSess();
$thiz->provider_proxy = ProviderProxy::create();
$thiz->ghost_sess = new GhostSess();
@@
-1094,14
+1096,15
@@
class Brisk
static::$sess_cur = FALSE;
static::$sess_cur = FALSE;
- $thiz->reload(TRUE, $ban_list, $black_list, $prov_proxy);
+ $thiz->reload(TRUE, $ban_list, $black_list, $
cloud_smasher, $
prov_proxy);
return ($thiz);
}
return ($thiz);
}
- function reload($is_first, $ban_list, $black_list, $prov_proxy)
+ function reload($is_first, $ban_list, $black_list, $
cloud_smasher, $
prov_proxy)
{
{
- fprintf(STDERR, "RELOAD STUFF (%d)(%d)(%d)\n", count($ban_list), count($black_list), count($prov_proxy));
+ fprintf(STDERR, "RELOAD STUFF (%d)(%d)(%d)(%d)\n",
+ count($ban_list), count($black_list), count($cloud_smasher), count($prov_proxy));
if (defined('CURL_DE_SAC_VERS')) {
if (brisk_cds_reload($this) == FALSE) {
if (defined('CURL_DE_SAC_VERS')) {
if (brisk_cds_reload($this) == FALSE) {
@@
-1110,6
+1113,7
@@
class Brisk
}
$this->ban_list->update($ban_list);
$this->black_list->update($black_list);
}
$this->ban_list->update($ban_list);
$this->black_list->update($black_list);
+ $this->cloud_smasher->update($cloud_smasher);
$this->provider_proxy->update($prov_proxy);
if (!$is_first) {
$this->provider_proxy->update($prov_proxy);
if (!$is_first) {
@@
-1145,7
+1149,8
@@
class Brisk
continue;
// check if the IP is blacklisted
continue;
// check if the IP is blacklisted
- if ($this->black_check($user_cur->ip)) {
+ if ($this->black_check($user_cur->ip) ||
+ $this->cloud_check($user_cur->ip)) {
$user_cur->lacc = 0;
$is_ban = TRUE;
continue;
$user_cur->lacc = 0;
$is_ban = TRUE;
continue;
@@
-1175,6
+1180,11
@@
class Brisk
return ($this->black_list->check($ip_str));
}
return ($this->black_list->check($ip_str));
}
+ function cloud_check($ip_str)
+ {
+ return ($this->cloud_smasher->check($ip_str));
+ }
+
function pproxy_realip($header, $ip_str)
{
return ($this->provider_proxy->realip($header, $ip_str));
function pproxy_realip($header, $ip_str)
{
return ($this->provider_proxy->realip($header, $ip_str));
@@
-2614,18
+2624,24
@@
class Brisk
function request_mgr(&$s_a_p, $header, &$header_out, &$new_socket, $path, $addr, $get, $post, $cookie)
{
function request_mgr(&$s_a_p, $header, &$header_out, &$new_socket, $path, $addr, $get, $post, $cookie)
{
- GLOBAL $G_ban_list, $G_black_list, $G_provider_proxy;
+ GLOBAL $G_ban_list, $G_black_list, $G_
cloud_smasher, $G_
provider_proxy;
printf("NEW_SOCKET (root): %d PATH [%s]\n", intval($new_socket), $path);
// $remote_addr = addrtoipv4($addr);
$remote_addr = $this->pproxy_realip($header, addrtoipv4($addr));
printf("NEW_SOCKET (root): %d PATH [%s]\n", intval($new_socket), $path);
// $remote_addr = addrtoipv4($addr);
$remote_addr = $this->pproxy_realip($header, addrtoipv4($addr));
- fprintf(STDERR, "\n\n\n PRE_BLACK
_CHECK \n\n\n"
);
+ fprintf(STDERR, "\n\n\n PRE_BLACK
[%s]\n\n\n", $remote_addr
);
if ($this->black_check($remote_addr)) {
// TODO: waiting async 5 sec before close
fprintf(STDERR, "\n\n\n BLACK CHECK\n\n\n");
return (FALSE);
}
if ($this->black_check($remote_addr)) {
// TODO: waiting async 5 sec before close
fprintf(STDERR, "\n\n\n BLACK CHECK\n\n\n");
return (FALSE);
}
+ if ($path != "" && $path != "index.php") {
+ if ($this->cloud_check($remote_addr)) {
+ // TODO: waiting async 5 sec before close
+ return (FALSE);
+ }
+ }
$enc = get_encoding($header);
if (isset($header['User-Agent'])) {
$enc = get_encoding($header);
if (isset($header['User-Agent'])) {
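Review bot: In the `reload` hunk, `$this->cloud_smasher->update($cloud_smasher)` will be called on null when `create` restores a Brisk object from an existing crystal file, since that object was serialized by the previous version and has no `cloud_smasher` property; initialise it before use, `if (!isset($this->cloud_smasher)) { $this->cloud_smasher = IpClass::create(); }`, so the first reload after this upgrade does not fatal. In `request_mgr`, a request rejected by `cloud_check` returns FALSE without any trace, unlike the preceding black-list branch that logs `BLACK CHECK`; a line such as `fprintf(STDERR, "\n\n\n CLOUD CHECK [%s] [%s]\n\n\n", $remote_addr, $path);` keeps these rejections visible to whoever is watching the daemon's stderr. The `$path` condition there exempts `""` and `index.php` from the check, which looks intentional given the separate check in index.php, but a one-line comment stating that would stop a later reader from "fixing" it. Both `reload` and `request_mgr` continue outside the hunks shown.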
diff --git
a/web/Obj/sac-a-push.phh
b/web/Obj/sac-a-push.phh
index
fdf5541
..
240a48a
100644
(file)
--- a/
web/Obj/sac-a-push.phh
+++ b/
web/Obj/sac-a-push.phh
@@
-623,7
+623,7
@@
class Sac_a_push {
{
GLOBAL $DOCUMENT_ROOT, $HTTP_HOST;
{
GLOBAL $DOCUMENT_ROOT, $HTTP_HOST;
- GLOBAL $G_alarm_passwd, $G_ban_list, $G_black_list, $G_provider_proxy;
+ GLOBAL $G_alarm_passwd, $G_ban_list, $G_black_list, $G_
cloud_smasher, $G_
provider_proxy;
GLOBAL $G_btrace_pref_sub, $G_dbauth;
GLOBAL $G_dbpfx, $G_donors_all, $G_donors_cur, $G_is_local, $G_lang;
GLOBAL $G_poll_entries, $G_poll_name, $G_poll_title, $G_proxy_white_list;
GLOBAL $G_btrace_pref_sub, $G_dbauth;
GLOBAL $G_dbpfx, $G_donors_all, $G_donors_cur, $G_is_local, $G_lang;
GLOBAL $G_poll_entries, $G_poll_name, $G_poll_title, $G_proxy_white_list;
@@
-801,7
+801,7
@@
class Sac_a_push {
if ($line == "reload") {
require("$DOCUMENT_ROOT/Etc/".BRISK_CONF);
$this->app->reload(FALSE, $G_ban_list, $G_black_list,
if ($line == "reload") {
require("$DOCUMENT_ROOT/Etc/".BRISK_CONF);
$this->app->reload(FALSE, $G_ban_list, $G_black_list,
- $G_provider_proxy);
+ $G_
cloud_smasher, $G_
provider_proxy);
global_dump();
}
else if ($line == "shutdown" || $line == "sd") {
global_dump();
}
else if ($line == "shutdown" || $line == "sd") {
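diff --git a/web/index.php b/web/index.php
index c2c4be1..437f454 100644
--- a/web/index.php
+++ b/web/index.php
@@ -377,6 +377,13 @@ function index_main(&$brisk, $transp_type, $header, &$header_out, $remote_addr_f
 break;
 }
 }
+ if ($brisk->cloud_check($remote_addr)) {
+ // TODO: find a way to add a nonblocking sleep(5) here
+ $banned = TRUE;
+ $last_msg = $mlang_room['reas_cloud'][$G_lang];
+ }
+
+
 if (validate_sess($sess)) {
 log_main("pre garbage_manager UNO");
 $brisk->garbage_manager(TRUE);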
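Review bot: The new branch reads `$mlang_room['reas_cloud'][$G_lang]`, but this commit adds no `reas_cloud` entry to the room message table (no translation file appears in the file list); unless that key already exists for every supported language, the rejection runs with an undefined-index notice and an empty `$last_msg`. A guarded lookup keeps the ban effective even when the text is absent, `$last_msg = isset($mlang_room['reas_cloud'][$G_lang]) ? $mlang_room['reas_cloud'][$G_lang] : "";`, though adding the entry to the table is the real fix. It is also worth confirming that `$G_lang` is in scope inside `index_main`, since the function's signature and any `GLOBAL` declaration lie outside the hunk. The enclosing function continues beyond the hunk.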
diff --git
a/web/spush/brisk-spush.php
b/web/spush/brisk-spush.php
index
3a43b19
..
93957c8
100755
(executable)
--- a/
web/spush/brisk-spush.php
+++ b/
web/spush/brisk-spush.php
@@
-42,11
+42,11
@@
require_once($G_base."briskin5/index_wr.php");
function main($argv)
{
function main($argv)
{
- GLOBAL $G_ban_list, $G_black_list, $G_provider_proxy;
+ GLOBAL $G_ban_list, $G_black_list, $G_
cloud_smasher, $G_
provider_proxy;
pid_save();
do {
pid_save();
do {
- if (($brisk = Brisk::create(LEGAL_PATH."/brisk-crystal.data", $G_ban_list, $G_black_list, $G_provider_proxy)) == FALSE) {
+ if (($brisk = Brisk::create(LEGAL_PATH."/brisk-crystal.data", $G_ban_list, $G_black_list, $G_
cloud_smasher, $G_
provider_proxy)) == FALSE) {
log_crit("Brisk::create failed");
$ret = 1;
break;
log_crit("Brisk::create failed");
$ret = 1;
break;