bivashy/Blitz-Proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f7f7debacd6666813aeb81733ee69e8dab612dfb
Blitz-Proxy/core/scripts/hysteria2/limit.sh

285 lines
8.3 KiB
Bash
Raw Blame History

#!/bin/bash
source /etc/hysteria/core/scripts/path.sh
SERVICE_NAME="hysteria-ip-limit.service"
DB_NAME="blitz_panel"
CONNECTIONS_COLLECTION="active_connections"
if [ -f "$CONFIG_ENV" ]; then
source "$CONFIG_ENV"
BLOCK_DURATION="${BLOCK_DURATION:-60}" # Default to 60 seconds
MAX_IPS="${MAX_IPS:-1}" # Default to 1 IP
grep -q "^BLOCK_DURATION=" "$CONFIG_ENV" || echo -e "\nBLOCK_DURATION=$BLOCK_DURATION" >> "$CONFIG_ENV"
grep -q "^MAX_IPS=" "$CONFIG_ENV" || echo "MAX_IPS=$MAX_IPS" >> "$CONFIG_ENV"
else
echo -e "BLOCK_DURATION=240\nMAX_IPS=5" > "$CONFIG_ENV"
fi
[ ! -f "$BLOCK_LIST" ] && touch "$BLOCK_LIST"
log_message() {
local level="$1"
local message="$2"
echo "[$(date +"%Y-%m-%d %H:%M:%S")] [$level] $message"
}
add_ip_to_db() {
local username="$1"
local ip_address="$2"
mongosh "$DB_NAME" --quiet --eval "
db.getCollection('$CONNECTIONS_COLLECTION').updateOne(
{ _id: '$username' },
{ \$addToSet: { ips: '$ip_address' } },
{ upsert: true }
);
"
log_message "INFO" "DB Update: Added $ip_address for user $username"
}
remove_ip_from_db() {
local username="$1"
local ip_address="$2"
mongosh "$DB_NAME" --quiet --eval "
db.getCollection('$CONNECTIONS_COLLECTION').updateOne(
{ _id: '$username' },
{ \$pull: { ips: '$ip_address' } }
);
db.getCollection('$CONNECTIONS_COLLECTION').deleteMany(
{ _id: '$username', ips: { \$size: 0 } }
);
"
log_message "INFO" "DB Update: Removed $ip_address for user $username"
}
block_ip() {
local ip_address="$1"
local username="$2"
local unblock_time=$(( $(date +%s) + BLOCK_DURATION ))
if iptables -C INPUT -s "$ip_address" -j DROP 2>/dev/null; then
log_message "INFO" "IP $ip_address is already blocked"
return
fi
iptables -I INPUT -s "$ip_address" -j DROP
echo "$ip_address,$username,$unblock_time" >> "$BLOCK_LIST"
log_message "WARN" "Blocked IP $ip_address for user $username for $BLOCK_DURATION seconds"
}
unblock_ip() {
local ip_address="$1"
if iptables -C INPUT -s "$ip_address" -j DROP 2>/dev/null; then
iptables -D INPUT -s "$ip_address" -j DROP
log_message "INFO" "Unblocked IP $ip_address"
fi
sed -i "/$ip_address,/d" "$BLOCK_LIST"
}
block_all_user_ips() {
local username="$1"
local ips_json
ips_json=$(mongosh "$DB_NAME" --quiet --eval "
JSON.stringify(db.getCollection('$CONNECTIONS_COLLECTION').findOne({_id: '$username'}, {_id: 0, ips: 1}))
")
if [[ -z "$ips_json" || "$ips_json" == "null" ]]; then
log_message "INFO" "No IPs to block for user $username"
return
fi
local ips
readarray -t ips < <(echo "$ips_json" | jq -r '.ips[]')
for ip in "${ips[@]}"; do
if [[ -n "$ip" ]]; then
block_ip "$ip" "$username"
fi
done
log_message "WARN" "User $username has been completely blocked for $BLOCK_DURATION seconds"
}
check_expired_blocks() {
local current_time=$(date +%s)
local ip username expiry
while IFS=, read -r ip username expiry || [ -n "$ip" ]; do
if [[ -n "$ip" && -n "$expiry" ]]; then
if (( current_time >= expiry )); then
unblock_ip "$ip"
log_message "INFO" "Auto-unblocked IP $ip for user $username (block expired)"
fi
fi
done < "$BLOCK_LIST"
}
check_ip_limit() {
local username="$1"
local is_unlimited
is_unlimited=$(mongosh "$DB_NAME" --quiet --eval "
db.users.findOne({_id: '$username'}, {_id: 0, unlimited_user: 1})?.unlimited_user || false;
")
if [ "$is_unlimited" == "true" ]; then
log_message "INFO" "User $username is exempt from IP limit. Skipping check."
return
fi
local ip_count
ip_count=$(mongosh "$DB_NAME" --quiet --eval "
db.getCollection('$CONNECTIONS_COLLECTION').findOne({_id: '$username'})?.ips?.length || 0;
")
if (( ip_count > MAX_IPS )); then
log_message "WARN" "User $username has $ip_count IPs (max: $MAX_IPS) - blocking all IPs"
block_all_user_ips "$username"
fi
}
parse_log_line() {
local log_line="$1"
local ip_address
local username
ip_address=$(echo "$log_line" | grep -oP '"addr": "([^:]+)' | cut -d'"' -f4)
username=$(echo "$log_line" | grep -oP '"id": "([^">]+)' | cut -d'"' -f4)
if [[ -n "$username" && -n "$ip_address" ]]; then
if echo "$log_line" | grep -q "client connected"; then
if grep -q "^$ip_address," "$BLOCK_LIST"; then
log_message "WARN" "Rejected connection from blocked IP $ip_address for user $username"
if ! iptables -C INPUT -s "$ip_address" -j DROP 2>/dev/null; then
iptables -I INPUT -s "$ip_address" -j DROP
fi
else
add_ip_to_db "$username" "$ip_address"
check_ip_limit "$username"
fi
elif echo "$log_line" | grep -q "client disconnected"; then
remove_ip_from_db "$username" "$ip_address"
fi
fi
}
install_service() {
cat <<EOF > /etc/systemd/system/${SERVICE_NAME}
[Unit]
Description=Hysteria2 IP Limiter (MongoDB version)
After=network.target hysteria-server.service mongod.service
Requires=hysteria-server.service mongod.service
[Service]
Type=simple
ExecStart=/bin/bash ${SCRIPT_PATH} run
Restart=always
RestartSec=5
User=root
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable ${SERVICE_NAME}
systemctl start ${SERVICE_NAME}
log_message "INFO" "IP Limiter service started"
}
uninstall_service() {
systemctl stop ${SERVICE_NAME} 2>/dev/null
systemctl disable ${SERVICE_NAME} 2>/dev/null
rm -f /etc/systemd/system/${SERVICE_NAME}
systemctl daemon-reload
log_message "INFO" "IP Limiter service stopped and removed"
}
change_config() {
local new_block_duration="$1"
local new_max_ips="$2"
if [[ -n "$new_block_duration" ]]; then
if ! [[ "$new_block_duration" =~ ^[0-9]+$ ]]; then
log_message "ERROR" "Invalid block duration: '$new_block_duration'. Must be a number."
return 1
fi
sed -i "s/^BLOCK_DURATION=.*/BLOCK_DURATION=$new_block_duration/" "$CONFIG_ENV"
BLOCK_DURATION=$new_block_duration
log_message "INFO" "Block duration updated to $BLOCK_DURATION seconds"
fi
if [[ -n "$new_max_ips" ]]; then
if ! [[ "$new_max_ips" =~ ^[0-9]+$ ]]; then
log_message "ERROR" "Invalid max IPs: '$new_max_ips'. Must be a number."
return 1
fi
sed -i "s/^MAX_IPS=.*/MAX_IPS=$new_max_ips/" "$CONFIG_ENV"
MAX_IPS=$new_max_ips
log_message "INFO" "Max IPs per user updated to $MAX_IPS"
fi
if systemctl is-active --quiet ${SERVICE_NAME}; then
systemctl restart ${SERVICE_NAME}
log_message "INFO" "IP Limiter service restarted to apply new configuration"
fi
}
if [[ $EUID -ne 0 ]]; then
echo "Error: This script must be run as root."
exit 1
fi
if ! command -v mongosh &>/dev/null; then
log_message "ERROR" "'mongosh' is not installed or not in PATH. This script requires the MongoDB Shell."
exit 1
fi
if ! command -v jq &>/dev/null; then
log_message "WARN" "'jq' is not installed. JSON parsing for blocking might fail."
fi
case "$1" in
start)
install_service
;;
stop)
uninstall_service
;;
config)
change_config "$2" "$3"
;;
run)
log_message "INFO" "Monitoring Hysteria connections. Max IPs: $MAX_IPS, Block Duration: $BLOCK_DURATION s"
log_message "INFO" "--------------------------------------------------------"
(
while true; do
check_expired_blocks
sleep 10
done
) &
CHECKER_PID=$!
cleanup() {
log_message "INFO" "Stopping IP limiter..."
kill $CHECKER_PID 2>/dev/null
exit 0
}
trap cleanup SIGINT SIGTERM
journalctl -u hysteria-server.service -f | while read -r line; do
if echo "$line" | grep -q "client connected\|client disconnected"; then
parse_log_line "$line"
fi
done
;;
*)
echo "Usage: $0 {start|stop|config|run} [block_duration] [max_ips]"
exit 1
;;
esac
exit 0
Reference in New Issue View Git Blame Copy Permalink