cmd/puppeth: support blacklisting malicious IPs on ethstats

059c767a · Péter Szilágyi · 104375f3 · 059c767a · 059c767a · 059c767a
Unverified Commit 059c767a authored 7 years ago by Péter Szilágyi
--- a/cmd/puppeth/module_ethstats.go
+++ b/cmd/puppeth/module_ethstats.go
@@ -42,7 +42,7 @@ RUN \
 WORKDIR /eth-netstats
 EXPOSE 3000
-RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: []};' > lib/utils/config.js
+RUN echo 'module.exports = {trusted: [{{.Trusted}}], banned: [{{.Banned}}]};' > lib/utils/config.js
 CMD ["npm", "start"]
 `
@@ -59,7 +59,8 @@ services:
      - "{{.Port}}:3000"{{end}}
    environment:
      - WS_SECRET={{.Secret}}{{if .VHost}}
-      - VIRTUAL_HOST={{.VHost}}{{end}}
+      - VIRTUAL_HOST={{.VHost}}{{end}}{{if .Banned}}
+      - BANNED={{.Banned}}{{end}}
    logging:
      driver: "json-file"
      options:
@@ -71,18 +72,24 @@ services:
 // deployEthstats deploys a new ethstats container to a remote machine via SSH,
 // docker and docker-compose. If an instance with the specified network name
 // already exists there, it will be overwritten!
-func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string) ([]byte, error) {
+func deployEthstats(client *sshClient, network string, port int, secret string, vhost string, trusted []string, banned []string) ([]byte, error) {
 	// Generate the content to upload to the server
 	workdir := fmt.Sprintf("%d", rand.Int63())
 	files := make(map[string][]byte)
+	trustedLabels := make([]string, len(trusted))
 	for i, address := range trusted {
-		trusted[i] = fmt.Sprintf("\"%s\"", address)
+		trustedLabels[i] = fmt.Sprintf("\"%s\"", address)
+	}
+	bannedLabels := make([]string, len(banned))
+	for i, address := range banned {
+		bannedLabels[i] = fmt.Sprintf("\"%s\"", address)
 	}
 	dockerfile := new(bytes.Buffer)
 	template.Must(template.New("").Parse(ethstatsDockerfile)).Execute(dockerfile, map[string]interface{}{
-		"Trusted": strings.Join(trusted, ", "),
+		"Trusted": strings.Join(trustedLabels, ", "),
+		"Banned":  strings.Join(bannedLabels, ", "),
 	})
 	files[filepath.Join(workdir, "Dockerfile")] = dockerfile.Bytes()
@@ -92,6 +99,7 @@ func deployEthstats(client *sshClient, network string, port int, secret string,
 		"Port":    port,
 		"Secret":  secret,
 		"VHost":   vhost,
+		"Banned":  strings.Join(banned, ","),
 	})
 	files[filepath.Join(workdir, "docker-compose.yaml")] = composefile.Bytes()
@@ -112,11 +120,12 @@ type ethstatsInfos struct {
 	port   int
 	secret string
 	config string
+	banned []string
 }
 // String implements the stringer interface.
 func (info *ethstatsInfos) String() string {
-	return fmt.Sprintf("host=%s, port=%d, secret=%s", info.host, info.port, info.secret)
+	return fmt.Sprintf("host=%s, port=%d, secret=%s, banned=%v", info.host, info.port, info.secret, info.banned)
 }
 // checkEthstats does a health-check against an ethstats server to verify whether
@@ -150,6 +159,9 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) {
 	if port != 80 && port != 443 {
 		config += fmt.Sprintf(":%d", port)
 	}
+	// Retrieve the IP blacklist
+	banned := strings.Split(infos.envvars["BANNED"], ",")
 	// Run a sanity check to see if the port is reachable
 	if err = checkPort(host, port); err != nil {
 		log.Warn("Ethstats service seems unreachable", "server", host, "port", port, "err", err)
@@ -160,5 +172,6 @@ func checkEthstats(client *sshClient, network string) (*ethstatsInfos, error) {
 		port:   port,
 		secret: secret,
 		config: config,
+		banned: banned,
 	}, nil
 }
--- a/cmd/puppeth/wizard.go
+++ b/cmd/puppeth/wizard.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"math/big"
+	"net"
 	"os"
 	"path/filepath"
 	"sort"
@@ -277,3 +278,26 @@ func (w *wizard) readJSON() string {
 		return string(blob)
 	}
 }
+// readIPAddress reads a single line from stdin, trimming if from spaces and
+// converts it to a network IP address.
+func (w *wizard) readIPAddress() net.IP {
+	for {
+		// Read the IP address from the user
+		fmt.Printf("> ")
+		text, err := w.in.ReadString('\n')
+		if err != nil {
+			log.Crit("Failed to read user input", "err", err)
+		}
+		if text = strings.TrimSpace(text); text == "" {
+			return nil
+		}
+		// Make sure it looks ok and return it if so
+		ip := net.ParseIP(text)
+		if ip == nil {
+			log.Error("Invalid IP address, please retry")
+			continue
+		}
+		return ip
+	}
+}
--- a/cmd/puppeth/wizard_ethstats.go
+++ b/cmd/puppeth/wizard_ethstats.go
@@ -60,6 +60,22 @@ func (w *wizard) deployEthstats() {
 		fmt.Printf("What should be the secret password for the API? (default = %s)\n", infos.secret)
 		infos.secret = w.readDefaultString(infos.secret)
 	}
+	// Gather any blacklists to ban from reporting
+	fmt.Println()
+	fmt.Printf("Keep existing IP %v blacklist (y/n)? (default = yes)\n", infos.banned)
+	if w.readDefaultString("y") != "y" {
+		infos.banned = nil
+		fmt.Println()
+		fmt.Println("Which IP addresses should be blacklisted?")
+		for {
+			if ip := w.readIPAddress(); ip != nil {
+				infos.banned = append(infos.banned, ip.String())
+				continue
+			}
+			break
+		}
+	}
 	// Try to deploy the ethstats server on the host
 	trusted := make([]string, 0, len(w.servers))
 	for _, client := range w.servers {
@@ -67,7 +83,7 @@ func (w *wizard) deployEthstats() {
 			trusted = append(trusted, client.address)
 		}
 	}
-	if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted); err != nil {
+	if out, err := deployEthstats(client, w.network, infos.port, infos.secret, infos.host, trusted, infos.banned); err != nil {
 		log.Error("Failed to deploy ethstats container", "err", err)
 		if len(out) > 0 {
 			fmt.Printf("%s\n", out)