Bans for RPC connections

Make bans control RPC sessions too. And auto-ban some bad requests.
Drops HTTP connections whenever response code is 500.
This commit is contained in:
Howard Chu 2019-06-13 08:47:06 +01:00
parent 6335509727
commit a182df21d0
No known key found for this signature in database
GPG Key ID: FD2A70B44AB11BA7
5 changed files with 32 additions and 2 deletions

View File

@ -577,6 +577,10 @@ namespace net_utils
if (query_info.m_http_method != http::http_method_options) if (query_info.m_http_method != http::http_method_options)
{ {
res = handle_request(query_info, response); res = handle_request(query_info, response);
if (response.m_response_code == 500)
{
m_want_close = true; // close on all "Internal server error"s
}
} }
else else
{ {

View File

@ -71,7 +71,7 @@
MINFO(m_conn_context << "calling " << s_pattern); \ MINFO(m_conn_context << "calling " << s_pattern); \
if(!callback_f(static_cast<command_type::request&>(req), static_cast<command_type::response&>(resp), &m_conn_context)) \ if(!callback_f(static_cast<command_type::request&>(req), static_cast<command_type::response&>(resp), &m_conn_context)) \
{ \ { \
LOG_ERROR("Failed to " << #callback_f << "()"); \ MERROR(m_conn_context << "Failed to " << #callback_f << "()"); \
response_info.m_response_code = 500; \ response_info.m_response_code = 500; \
response_info.m_response_comment = "Internal Server Error"; \ response_info.m_response_comment = "Internal Server Error"; \
return true; \ return true; \
@ -99,7 +99,7 @@
MINFO(m_conn_context << "calling " << s_pattern); \ MINFO(m_conn_context << "calling " << s_pattern); \
if(!callback_f(static_cast<command_type::request&>(req), static_cast<command_type::response&>(resp), &m_conn_context)) \ if(!callback_f(static_cast<command_type::request&>(req), static_cast<command_type::response&>(resp), &m_conn_context)) \
{ \ { \
LOG_ERROR("Failed to " << #callback_f << "()"); \ MERROR(m_conn_context << "Failed to " << #callback_f << "()"); \
response_info.m_response_code = 500; \ response_info.m_response_code = 500; \
response_info.m_response_comment = "Internal Server Error"; \ response_info.m_response_comment = "Internal Server Error"; \
return true; \ return true; \

View File

@ -128,6 +128,8 @@
#define P2P_SUPPORT_FLAG_FLUFFY_BLOCKS 0x01 #define P2P_SUPPORT_FLAG_FLUFFY_BLOCKS 0x01
#define P2P_SUPPORT_FLAGS P2P_SUPPORT_FLAG_FLUFFY_BLOCKS #define P2P_SUPPORT_FLAGS P2P_SUPPORT_FLAG_FLUFFY_BLOCKS
#define RPC_IP_FAILS_BEFORE_BLOCK 3
#define ALLOW_DEBUG_COMMANDS #define ALLOW_DEBUG_COMMANDS
#define CRYPTONOTE_NAME "bitmonero" #define CRYPTONOTE_NAME "bitmonero"

View File

@ -113,6 +113,7 @@ namespace cryptonote
{ {
m_restricted = restricted; m_restricted = restricted;
m_net_server.set_threads_prefix("RPC"); m_net_server.set_threads_prefix("RPC");
m_net_server.set_connection_filter(&m_p2p);
auto rpc_config = cryptonote::rpc_args::process(vm, true); auto rpc_config = cryptonote::rpc_args::process(vm, true);
if (!rpc_config) if (!rpc_config)
@ -161,6 +162,24 @@ namespace cryptonote
} }
return true; return true;
} }
//------------------------------------------------------------------------------------------------------------------------------
bool core_rpc_server::add_host_fail(const connection_context *ctx)
{
if(!ctx || !ctx->m_remote_address.is_blockable())
return false;
CRITICAL_REGION_LOCAL(m_host_fails_score_lock);
uint64_t fails = ++m_host_fails_score[ctx->m_remote_address.host_str()];
MDEBUG("Host " << ctx->m_remote_address.host_str() << " fail score=" << fails);
if(fails > RPC_IP_FAILS_BEFORE_BLOCK)
{
auto it = m_host_fails_score.find(ctx->m_remote_address.host_str());
CHECK_AND_ASSERT_MES(it != m_host_fails_score.end(), false, "internal error");
it->second = RPC_IP_FAILS_BEFORE_BLOCK/2;
m_p2p.block_host(ctx->m_remote_address);
}
return true;
}
#define CHECK_CORE_READY() do { if(!check_core_ready()){res.status = CORE_RPC_STATUS_BUSY;return true;} } while(0) #define CHECK_CORE_READY() do { if(!check_core_ready()){res.status = CORE_RPC_STATUS_BUSY;return true;} } while(0)
//------------------------------------------------------------------------------------------------------------------------------ //------------------------------------------------------------------------------------------------------------------------------
@ -282,6 +301,7 @@ namespace cryptonote
if(!m_core.find_blockchain_supplement(req.start_height, req.block_ids, bs, res.current_height, res.start_height, req.prune, !req.no_miner_tx, COMMAND_RPC_GET_BLOCKS_FAST_MAX_COUNT)) if(!m_core.find_blockchain_supplement(req.start_height, req.block_ids, bs, res.current_height, res.start_height, req.prune, !req.no_miner_tx, COMMAND_RPC_GET_BLOCKS_FAST_MAX_COUNT))
{ {
res.status = "Failed"; res.status = "Failed";
add_host_fail(ctx);
return false; return false;
} }
@ -405,6 +425,7 @@ namespace cryptonote
if(!m_core.get_blockchain_storage().find_blockchain_supplement(req.block_ids, res.m_block_ids, res.start_height, res.current_height, false)) if(!m_core.get_blockchain_storage().find_blockchain_supplement(req.block_ids, res.m_block_ids, res.start_height, res.current_height, false))
{ {
res.status = "Failed"; res.status = "Failed";
add_host_fail(ctx);
return false; return false;
} }

View File

@ -236,6 +236,7 @@ namespace cryptonote
private: private:
bool check_core_busy(); bool check_core_busy();
bool check_core_ready(); bool check_core_ready();
bool add_host_fail(const connection_context *ctx);
//utils //utils
uint64_t get_block_reward(const block& blk); uint64_t get_block_reward(const block& blk);
@ -254,6 +255,8 @@ private:
bool m_was_bootstrap_ever_used; bool m_was_bootstrap_ever_used;
network_type m_nettype; network_type m_nettype;
bool m_restricted; bool m_restricted;
epee::critical_section m_host_fails_score_lock;
std::map<std::string, uint64_t> m_host_fails_score;
}; };
} }