频繁错误登录-自动封禁-推送的免打扰选项

[GOUKI9999]

我这里公网路由有点频繁会被扫描和字典，所以推送非常多。最多的时候一小时内就会有近20条ban ip的通知，实在有点不胜其烦

我现在理解的自动封禁实际是频繁错误登录推送的附属功能，这个我觉得没有问题。
（实际上我已经放弃了其他如fail2ban，beardrop之类的模块，完全依赖您现在的功能实现封禁ip，并视之为一个独立功能模块使用）
但如果遇到这种情况，在免打扰逻辑中是否可以选择完全不推送错误登录警告，类似于普通登录的免打扰设置？

[tty228]

选择“仅记录到日志”就行了

[GOUKI9999]

选择“仅记录到日志”就行了
对，现在选择的就是……另外我看到这样一个例子
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6164]: Exit before auth from <222.91.125.106:55264>: Exited normally
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6258]: Child connection from 222.91.125.106:57084
Fri Jul 12 13:02:36 2024 authpriv.warn dropbear[6258]: Bad password attempt for 'root' from 222.91.125.106:57084
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6258]: Exit before auth from <222.91.125.106:57084>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:36 2024 authpriv.info dropbear[6419]: Child connection from 222.91.125.106:58898
Fri Jul 12 13:02:36 2024 authpriv.warn dropbear[6419]: Bad password attempt for 'root' from 222.91.125.106:58898
Fri Jul 12 13:02:37 2024 authpriv.info dropbear[6419]: Exit before auth from <222.91.125.106:58898>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:37 2024 authpriv.info dropbear[6420]: Child connection from 222.91.125.106:32890
Fri Jul 12 13:02:37 2024 authpriv.warn dropbear[6420]: Bad password attempt for 'root' from 222.91.125.106:32890
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6420]: Exit before auth from <222.91.125.106:32890>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6427]: Child connection from 222.91.125.106:35084
Fri Jul 12 13:02:38 2024 authpriv.warn dropbear[6427]: Bad password attempt for 'root' from 222.91.125.106:35084
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6427]: Exit before auth from <222.91.125.106:35084>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:38 2024 authpriv.info dropbear[6440]: Child connection from 222.91.125.106:37442
Fri Jul 12 13:02:39 2024 authpriv.warn dropbear[6440]: Bad password attempt for 'root' from 222.91.125.106:37442
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6501]: Child connection from 222.91.125.106:39302
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6440]: Exit before auth from <222.91.125.106:37442>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:39 2024 authpriv.warn dropbear[6501]: Bad password attempt for 'root' from 222.91.125.106:39302
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6501]: Exit before auth from <222.91.125.106:39302>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:39 2024 authpriv.info dropbear[6738]: Child connection from 222.91.125.106:40598
Fri Jul 12 13:02:40 2024 authpriv.warn dropbear[6738]: Bad password attempt for 'root' from 222.91.125.106:40598
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6738]: Exit before auth from <222.91.125.106:40598>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6740]: Child connection from 222.91.125.106:41900
Fri Jul 12 13:02:40 2024 authpriv.warn dropbear[6740]: Bad password attempt for 'root' from 222.91.125.106:41900
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6740]: Exit before auth from <222.91.125.106:41900>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:40 2024 authpriv.info dropbear[6749]: Child connection from 222.91.125.106:43148
Fri Jul 12 13:02:41 2024 authpriv.warn dropbear[6749]: Login attempt for nonexistent user
Fri Jul 12 13:02:41 2024 authpriv.info dropbear[6756]: Child connection from 222.91.125.106:45130
Fri Jul 12 13:02:41 2024 authpriv.info dropbear[6749]: Exit before auth from <222.91.125.106:43148>: Exited normally
Fri Jul 12 13:02:41 2024 authpriv.warn dropbear[6756]: Bad password attempt for 'root' from 222.91.125.106:45130
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6757]: Child connection from 222.91.125.106:47034
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6756]: Exit before auth from <222.91.125.106:45130>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:42 2024 authpriv.warn dropbear[6757]: Bad password attempt for 'root' from 222.91.125.106:47034
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6757]: Exit before auth from <222.91.125.106:47034>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:42 2024 authpriv.info dropbear[6764]: Child connection from 222.91.125.106:48732
Fri Jul 12 13:02:42 2024 authpriv.warn dropbear[6764]: Bad password attempt for 'root' from 222.91.125.106:48732
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6813]: Child connection from 222.91.125.106:50544
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6764]: Exit before auth from <222.91.125.106:48732>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:43 2024 authpriv.warn dropbear[6813]: Bad password attempt for 'root' from 222.91.125.106:50544
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6813]: Exit before auth from <222.91.125.106:50544>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:43 2024 authpriv.info dropbear[6900]: Child connection from 222.91.125.106:51964
Fri Jul 12 13:02:43 2024 authpriv.warn dropbear[6900]: Bad password attempt for 'root' from 222.91.125.106:51964
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[6900]: Exit before auth from <222.91.125.106:51964>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[7024]: Child connection from 222.91.125.106:53664
Fri Jul 12 13:02:44 2024 authpriv.warn dropbear[7024]: Bad password attempt for 'root' from 222.91.125.106:53664
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[7024]: Exit before auth from <222.91.125.106:53664>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:44 2024 authpriv.info dropbear[7031]: Child connection from 222.91.125.106:55094
Fri Jul 12 13:02:45 2024 authpriv.warn dropbear[7031]: Bad password attempt for 'root' from 222.91.125.106:55094
Fri Jul 12 13:02:45 2024 authpriv.info dropbear[7032]: Child connection from 222.91.125.106:56970
Fri Jul 12 13:02:45 2024 authpriv.info dropbear[7031]: Exit before auth from <222.91.125.106:55094>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:45 2024 authpriv.warn dropbear[7032]: Bad password attempt for 'root' from 222.91.125.106:56970
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7039]: Child connection from 222.91.125.106:58450
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7032]: Exit before auth from <222.91.125.106:56970>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:46 2024 authpriv.warn dropbear[7039]: Login attempt for nonexistent user
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7039]: Exit before auth from <222.91.125.106:58450>: Exited normally
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7044]: Child connection from 222.91.125.106:60022
Fri Jul 12 13:02:46 2024 authpriv.warn dropbear[7044]: Login attempt for nonexistent user
Fri Jul 12 13:02:46 2024 authpriv.info dropbear[7044]: Exit before auth from <222.91.125.106:60022>: Exited normally
Fri Jul 12 13:02:47 2024 authpriv.info dropbear[7051]: Child connection from 222.91.125.106:33126
Fri Jul 12 13:02:47 2024 authpriv.warn dropbear[7051]: Login attempt for nonexistent user
Fri Jul 12 13:02:47 2024 authpriv.info dropbear[7051]: Exit before auth from <222.91.125.106:33126>: Exited normally
Fri Jul 12 13:02:47 2024 authpriv.info dropbear[7067]: Child connection from 222.91.125.106:35085
Fri Jul 12 13:02:47 2024 authpriv.warn dropbear[7067]: Login attempt for nonexistent user
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7074]: Child connection from 222.91.125.106:36780
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7067]: Exit before auth from <222.91.125.106:35085>: Exited normally
Fri Jul 12 13:02:48 2024 authpriv.warn dropbear[7074]: Login attempt for nonexistent user
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7083]: Child connection from 222.91.125.106:38596
Fri Jul 12 13:02:48 2024 authpriv.info dropbear[7074]: Exit before auth from <222.91.125.106:36780>: Exited normally
Fri Jul 12 13:02:49 2024 authpriv.warn dropbear[7083]: Login attempt for nonexistent user
Fri Jul 12 13:02:49 2024 authpriv.info dropbear[7083]: Exit before auth from <222.91.125.106:38596>: Exited normally
Fri Jul 12 13:02:49 2024 authpriv.info dropbear[7086]: Child connection from 222.91.125.106:40352
Fri Jul 12 13:02:49 2024 authpriv.warn dropbear[7086]: Login attempt for nonexistent user
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7093]: Child connection from 222.91.125.106:42634
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7086]: Exit before auth from <222.91.125.106:40352>: Exited normally
Fri Jul 12 13:02:50 2024 authpriv.warn dropbear[7093]: Login attempt for nonexistent user
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7093]: Exit before auth from <222.91.125.106:42634>: Exited normally
Fri Jul 12 13:02:50 2024 authpriv.info dropbear[7100]: Child connection from 222.91.125.106:44112
Fri Jul 12 13:02:50 2024 authpriv.warn dropbear[7100]: Bad password attempt for 'root' from 222.91.125.106:44112
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7148]: Child connection from 222.91.125.106:45824
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7100]: Exit before auth from <222.91.125.106:44112>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:51 2024 authpriv.warn dropbear[7148]: Bad password attempt for 'root' from 222.91.125.106:45824
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7148]: Exit before auth from <222.91.125.106:45824>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:51 2024 authpriv.info dropbear[7247]: Child connection from 222.91.125.106:47214
Fri Jul 12 13:02:52 2024 authpriv.warn dropbear[7247]: Bad password attempt for 'root' from 222.91.125.106:47214
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7357]: Child connection from 222.91.125.106:49090
Fri Jul 12 13:02:52 2024 authpriv.warn dropbear[7357]: Bad password attempt for 'root' from 222.91.125.106:49090
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7247]: Exit before auth from <222.91.125.106:47214>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7357]: Exit before auth from <222.91.125.106:49090>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:52 2024 authpriv.info dropbear[7367]: Child connection from 222.91.125.106:50576
Fri Jul 12 13:02:53 2024 authpriv.warn dropbear[7367]: Bad password attempt for 'root' from 222.91.125.106:50576
Fri Jul 12 13:02:53 2024 authpriv.info dropbear[7367]: Exit before auth from <222.91.125.106:50576>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:53 2024 authpriv.info dropbear[7374]: Child connection from 222.91.125.106:52080
Fri Jul 12 13:02:53 2024 authpriv.warn dropbear[7374]: Login attempt for nonexistent user
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7374]: Exit before auth from <222.91.125.106:52080>: Exited normally
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7381]: Child connection from 222.91.125.106:53948
Fri Jul 12 13:02:54 2024 authpriv.warn dropbear[7381]: Login attempt for nonexistent user
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7388]: Child connection from 222.91.125.106:55766
Fri Jul 12 13:02:54 2024 authpriv.info dropbear[7381]: Exit before auth from <222.91.125.106:53948>: Exited normally
Fri Jul 12 13:02:54 2024 authpriv.warn dropbear[7388]: Bad password attempt for 'root' from 222.91.125.106:55766
Fri Jul 12 13:02:55 2024 authpriv.info dropbear[7388]: Exit before auth from <222.91.125.106:55766>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:55 2024 authpriv.info dropbear[7389]: Child connection from 222.91.125.106:57106
Fri Jul 12 13:02:55 2024 authpriv.warn dropbear[7389]: Bad password attempt for 'root' from 222.91.125.106:57106
Fri Jul 12 13:02:56 2024 authpriv.info dropbear[7427]: Child connection from 222.91.125.106:59592
Fri Jul 12 13:02:56 2024 authpriv.info dropbear[7389]: Exit before auth from <222.91.125.106:57106>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:02:56 2024 authpriv.warn dropbear[7427]: Bad password attempt for 'root' from 222.91.125.106:59592
Fri Jul 12 13:02:56 2024 authpriv.info dropbear[7427]: Exit before auth from <222.91.125.106:59592>: (user 'root', 1 fails): Exited normally
Fri Jul 12 13:18:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.206 88:66:5a:58:5d:d7
这个ip的提示信息被重复提示了6-7次

是否应该考虑同一个ip只推送一次？

[tty228]

你看一下黑名单里面有没有这个 IP 的封禁记录，如果没有的话，要看看是不是封禁失败产生的问题
如果已经有记录了，应该是短时间内产生了大量记录，导致重复封禁+通知

另外我试了一下，免打扰选项目前只对普通登录有效，是我记错了
当时没做首次免打扰的原因是：觉得理论上封禁了IP之后，日志就不会再出现登录信息了

[tty228]

怪不得觉得眼熟
#232 (comment)

[GOUKI9999]

你看一下黑名单里面有没有这个 IP 的封禁记录，如果没有的话，要看看是不是封禁失败产生的问题 如果已经有记录了，应该是短时间内产生了大量记录，导致重复封禁+通知

另外我试了一下，免打扰选项目前只对普通登录有效，是我记错了 当时没做首次免打扰的原因是：觉得理论上封禁了IP之后，日志就不会再出现登录信息了

对的……哈哈哈我刚才甚至产生了一个错觉我们是讨论过这个问题的，以及当时发现了一个bug并修复了，
另外补充一点，我确实是查看了wechat-push的luci界面日志，但打开速度异常缓慢

可能是删除日志的频次太高了？
上一个版本3.5.3我也更新了，截止上次似乎没有到这个问题的发生中午11点之后我两台opwrt设备升级了本次的更新（3.5.3-3.5.5），出现大量尝试ban推送和打不开日志的都是同一台暴露在公网的。

另及还是得请您考虑一下防打扰的部分关闭频繁尝试登录的推送，以及这么看以前没有推送这个信息本身才是bug?

最后，我看了一下上面那个重复推送，其中不光日志不一样，判断ip来源的信息也不一样，相隔时间也比较长，以及现在日志已经被删了无法判断ban ip是发生在什么时间了

再补充，甚至发现打开日志不仅会有巨大时间的延迟转圈，甚至出现了超过两次的chrome out of memory页面（web崩了）

1/3概率能转圈后打开日志，但chrome失去响应，1/3转圈无休止（超过3分钟），1/3直接out of memory——因为就测试了三次

[tty228]

看一下日志有多大，有多少行，因为现在日志的清理规则是删除前 xxx 条，而不是只留下 xxx 条
因为要达到后面的效果的话，想到的命令都需要生成临时文件，所以当时就不太想用
怎么会生成这么多日志的

以前没推送大概是因为系统日志的格式改了，之前的匹配字符串是 "Bad password attempt|Login attempt for nonexistent user from"，但我上次怎么都没看到 from，不知道是写错了还是改了

[GOUKI9999]

看一下日志有多大，有多少行，因为现在日志的清理规则是删除前 xxx 条，而不是只留下 xxx 条 因为要达到后面的效果的话，想到的命令都需要生成临时文件，所以当时就不太想用 怎么会生成这么多日志的

以前没推送大概是因为系统日志的格式改了，之前的匹配字符串是 "Bad password attempt|Login attempt for nonexistent user from"，但我上次怎么都没看到 from，不知道是写错了还是改了

找到了，体积有点问题
drwxr-xr-x 2 root root 40 Jul 12 16:39 json_output/
-rw-r--r-- 1 root root 0 Jul 12 16:39 wechatpush.lock
-rw-r--r-- 1 root root 90423175 Jul 12 16:39 wechatpush.log

wc -l /tmp/wechatpush/wechatpush.log
781384 /tmp/wechatpush/wechatpush.log
七十八万行？
系统日志也比这个小太多了啊，我看了一下这两天的syslog才1100多行

head /tmp/wechatpush/wechatpush.log
Thu Jul 11 10:09:54 2024 authpriv.warn dropbear[30961]: Bad password attempt for 'root' from 223.111.145.48:56106
Thu Jul 11 10:09:54 2024 authpriv.info dropbear[31152]: Child connection from 223.111.145.48:56328
Thu Jul 11 10:09:54 2024 authpriv.info dropbear[30961]: Exit before auth from <223.111.145.48:56106>: (user 'root', 1 fails): Exited normally
Thu Jul 11 10:09:55 2024 authpriv.warn dropbear[31152]: Bad password attempt for 'root' from 223.111.145.48:56328
Thu Jul 11 10:09:55 2024 authpriv.info dropbear[31152]: Exit before auth from <223.111.145.48:56328>: (user 'root', 1 fails): Exited normally
Thu Jul 11 10:09:55 2024 authpriv.info dropbear[31286]: Child connection from 223.111.145.48:56500
Thu Jul 11 10:09:55 2024 authpriv.warn dropbear[31286]: Bad password attempt for 'root' from 223.111.145.48:56500
Thu Jul 11 10:09:56 2024 authpriv.info dropbear[31286]: Exit before auth from <223.111.145.48:56500>: (user 'root', 1 fails): Exited normally
Thu Jul 11 10:09:56 2024 authpriv.info dropbear[31427]: Child connection from 223.111.145.48:56748
Thu Jul 11 10:09:56 2024 authpriv.warn dropbear[31427]: Bad password attempt for 'root' from 223.111.145.48:56748

看了一下不知道是什么bug，它自己重复写入并循环了，其中有一个280多行的部分不断重复了数百次

[GOUKI9999]

看一下日志有多大，有多少行，因为现在日志的清理规则是删除前 xxx 条，而不是只留下 xxx 条 因为要达到后面的效果的话，想到的命令都需要生成临时文件，所以当时就不太想用 怎么会生成这么多日志的

tail -n 200 /tmp/aaa.log | tee /tmp/aaa.log > /dev/null

这种方式是否可行，近乎不产生临时文件，我也有一些定时处理日志的需求，当然用/tmp下的临时文件也还算是个稳妥方法

以前没推送大概是因为系统日志的格式改了，之前的匹配字符串是 "Bad password attempt|Login attempt for nonexistent user from"，但我上次怎么都没看到 from，不知道是写错了还是改了

[tty228]

系统日志怎么会被写到 /tmp/wechatpush/wechatpush.log 里面的，搞不懂
出现系统日志的开始几行或者结束几行发我看一下，我看一下是不是什么变量读取了整个系统日志

[GOUKI9999]

循环头就是上面head那几行，结束是截图里面中间的部分

[tty228]

你清空这个文件，再看看会不会这样吧，没遇到过这种情况，看了一下，读取系统日志的几个命令基本上都做了正则，并且只提取第一行，懵逼

[tty228]

echo "$(date "+%Y-%m-%d") ${login_time} ${disturb_text}设备 ${login_ip} (${login_ip_attribution}) 通过 ${log_type_short} ${login_mode} ${log_message}" >>"${logfile}"
看表现也像是这一行命令造成的，但是
local log_type_short="Web" || local log_type_short="SSH"
${login_mode} 变量都是 tail -n 1
而且如果这个变量有问题的话，推送的内容也会变成很多行

[GOUKI9999]

清空log之后恢复正常，能提供的信息大概只有
Fri Jul 12 11:10:26 2024 cron.err crond[19783]: crond (busybox 1.35.0) started, log level 5
Fri Jul 12 11:11:53 2024 daemon.info procd: Instance wechatpush::instance1 pid 16709 not stopped on SIGTERM, sending SIGKILL instead
升级wechatpush opkg的时间是11点，日志是从10点开始的，所以不停重写似乎不是升级本身带来的，但可能和新的匹配系统日志的正则有关吧。
升级i18n失败，用了force-overwrite
但我不觉得和这个bug相关。

配置相较之前没有任何修改，不断重写日志过程中推送都基本正常，手动测试也正常。

没法再现，先不管了，等大佬更一下ban ip的防打扰吧，另及可以考虑一下保留日志的最后n行取代删除最前n行？

[tty228]

你那个命令同时读取和写入一个文件，不通过临时文件的话，会造成保存失败的，实际上保存不了最后200行
我还是老老实实用临时文件吧