refactor(security): 重构防火墙实现以增强CC攻击防护

- 移除匿名访问检查中间件中的简单IP计数和封禁逻辑
- 新增专用防火墙工具类 Firewall 实现CC攻击防护
- 集成 ipset 命令进行IP封禁操作
- 实现基于时间窗口的请求计数机制
- 添加虚拟线程异步执行封禁操作
- 设置每分钟400次请求的阈值限制

Author: csfwff

src/main/java/org/b3log/symphony/processor/BeforeRequestHandler.java

@@ -41,6 +41,7 @@
 import org.b3log.symphony.processor.middleware.AnonymousViewCheckMidware;
 import org.b3log.symphony.repository.OptionRepository;
 import org.b3log.symphony.service.UserQueryService;
+import org.b3log.symphony.util.Firewall;
 import org.b3log.symphony.util.Sessions;
 import org.b3log.symphony.util.Symphonys;
 import org.json.JSONObject;
@@ -83,6 +84,7 @@ public void handle(final RequestContext context) {
         }
 
         final String ip = Requests.getRemoteAddr(context.getRequest());
+        Firewall.recordAndMaybeBan(ip);
         // 黑名单判断
         if (AnonymousViewCheckMidware.ipBlacklistCache.getIfPresent(ip) != null && !context.requestURI().equals("/test") && !context.requestURI().equals("/validateCaptcha")) {
             // 已经在黑名单，强制跳转到验证码页面

src/main/java/org/b3log/symphony/processor/middleware/AnonymousViewCheckMidware.java

@@ -173,12 +173,6 @@ public void handle(final RequestContext context) {
                         if (count == null) count = 0;
                         count++;
                         ipVisitCountCache.put(ip, count);
-                        System.out.println(ip + " 访问计数：" + count + " " + context.requestURI());
-
-                        if (count >= 20) {
-                            String result = Execs.exec(new String[]{"sh", "-c", "ipset add fishpi " + ip}, 1000 * 3);
-                            System.out.println(ip + " 已封禁");
-                        }
 
                         // 判断是否需要进入验证码流程
                         boolean needCaptcha = false;

src/main/java/org/b3log/symphony/util/Firewall.java

@@ -0,0 +1,120 @@
+/*
+ * Rhythm - A modern community (forum/BBS/SNS/blog) platform written in Java.
+ * Modified version from Symphony, Thanks Symphony :)
+ * Copyright (C) 2012-present, b3log.org
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package org.b3log.symphony.util;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.b3log.latke.util.Execs;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Lightweight CC firewall: if an IP exceeds {@link #THRESHOLD} requests within a minute, ban it via ipset.
+ *
+ * Call {@link #recordAndMaybeBan(String)} on each request to enforce the threshold.
+ */
+public final class Firewall {
+
+    private static final Logger LOGGER = LogManager.getLogger(Firewall.class);
+
+    /**
+     * Requests per minute threshold.
+     */
+    private static final int THRESHOLD = 400;
+
+    /**
+     * One-minute window length in milliseconds.
+     */
+    private static final long WINDOW_MILLIS = TimeUnit.MINUTES.toMillis(1);
+
+    /**
+     * Per-IP counters keyed by current minute bucket.
+     */
+    private static final Map<String, Counter> COUNTERS = new ConcurrentHashMap<>();
+
+    /**
+     * Already banned IPs to avoid duplicate shell calls.
+     */
+    private static final Set<String> BANNED = ConcurrentHashMap.newKeySet();
+
+    private Firewall() {
+    }
+
+    /**
+     * Record one request from the given IP, and ban it if it crosses the threshold.
+     *
+     * @param ip client IP
+     * @return {@code true} if the request is allowed, {@code false} if already banned or ban was triggered
+     */
+    public static boolean recordAndMaybeBan(final String ip) {
+        if (StringUtils.isBlank(ip)) {
+            return true;
+        }
+
+        final long nowBucket = System.currentTimeMillis() / WINDOW_MILLIS;
+        final Counter counter = COUNTERS.compute(ip, (key, existing) -> {
+            if (existing == null || existing.bucket != nowBucket) {
+                return new Counter(nowBucket, 1);
+            }
+            existing.count++;
+            return existing;
+        });
+
+        // Small, opportunistic cleanup of stale buckets to keep the map lean.
+        if ((COUNTERS.size() & 0xFF) == 0) {
+            cleanupOldBuckets(nowBucket);
+        }
+
+        if (counter.count > THRESHOLD && BANNED.add(ip)) {
+            // Run ban asynchronously on a virtual thread to keep request path light.
+            Thread.startVirtualThread(() -> {
+                try {
+                    final String result = Execs.exec(new String[]{"sh", "-c", "ipset add fishpi " + ip}, 1000 * 3);
+                    LOGGER.log(Level.WARN, "CC firewall banned [{}], result: {}", ip, result);
+                } catch (final Exception e) {
+                    LOGGER.log(Level.ERROR, "CC firewall ban failed for [" + ip + "]", e);
+                }
+            });
+            return false;
+        }
+
+        System.out.println("CC firewall allowed " + ip + " [" + counter.count + "]");
+
+        return !BANNED.contains(ip);
+    }
+
+    private static void cleanupOldBuckets(final long currentBucket) {
+        COUNTERS.entrySet().removeIf(entry -> entry.getValue().bucket != currentBucket);
+    }
+
+    private static final class Counter {
+        private final long bucket;
+        private int count;
+
+        private Counter(final long bucket, final int count) {
+            this.bucket = bucket;
+            this.count = count;
+        }
+    }
+}