- 修复RDP协议连接导致的任意文件读取漏洞

- RDP协议增加「域」参数 - 增加安全访问功能 - 优化代码
2021-03-11 21:16:29 +08:00
parent ba5bff1b38
commit 7f7edaa33c
45 changed files with 1020 additions and 158 deletions
--- a/pkg/api/asset.go
+++ b/pkg/api/asset.go
@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"github.com/labstack/echo/v4"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/model"
 	"next-terminal/pkg/utils"
 	"strconv"
@ -85,7 +86,7 @@ func AssetImportEndpoint(c echo.Context) error {
 				Protocol:    record[1],
 				IP:          record[2],
 				Port:        port,
-				AccountType: model.Custom,
+				AccountType: constant.Custom,
 				Username:    record[4],
 				Password:    record[5],
 				PrivateKey:  record[6],
--- a/pkg/api/credential.go
+++ b/pkg/api/credential.go
@ -3,6 +3,7 @@ package api
 import (
 	"errors"
 	"github.com/labstack/echo/v4"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/model"
 	"next-terminal/pkg/utils"
 	"strconv"
@ -26,7 +27,7 @@ func CredentialCreateEndpoint(c echo.Context) error {
 	item.Created = utils.NowJsonTime()

 	switch item.Type {
-	case model.Custom:
+	case constant.Custom:
 		item.PrivateKey = "-"
 		item.Passphrase = "-"
 		if len(item.Username) == 0 {
@ -35,7 +36,7 @@ func CredentialCreateEndpoint(c echo.Context) error {
 		if len(item.Password) == 0 {
 			item.Password = "-"
 		}
-	case model.PrivateKey:
+	case constant.PrivateKey:
 		item.Password = "-"
 		if len(item.Username) == 0 {
 			item.Username = "-"
@ -90,7 +91,7 @@ func CredentialUpdateEndpoint(c echo.Context) error {
 	}

 	switch item.Type {
-	case model.Custom:
+	case constant.Custom:
 		item.PrivateKey = "-"
 		item.Passphrase = "-"
 		if len(item.Username) == 0 {
@ -99,7 +100,7 @@ func CredentialUpdateEndpoint(c echo.Context) error {
 		if len(item.Password) == 0 {
 			item.Password = "-"
 		}
-	case model.PrivateKey:
+	case constant.PrivateKey:
 		item.Password = "-"
 		if len(item.Username) == 0 {
 			item.Username = "-"
--- a/pkg/api/middleware.go
+++ b/pkg/api/middleware.go
@ -3,8 +3,10 @@ package api
 import (
 	"fmt"
 	"github.com/labstack/echo/v4"
+	"net"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
-	"next-terminal/pkg/model"
+	"next-terminal/pkg/utils"
 	"regexp"
 	"strings"
 	"time"
@ -26,6 +28,62 @@ func ErrorHandler(next echo.HandlerFunc) echo.HandlerFunc {
 	}
 }

+func TcpWall(next echo.HandlerFunc) echo.HandlerFunc {
+
+	return func(c echo.Context) error {
+
+		if global.Securities == nil {
+			return next(c)
+		}
+
+		ip := c.RealIP()
+		for i := 0; i < len(global.Securities); i++ {
+			security := global.Securities[i]
+
+			if strings.Contains(security.IP, "/") {
+				// CIDR
+				_, ipNet, err := net.ParseCIDR(security.IP)
+				if err != nil {
+					continue
+				}
+				if !ipNet.Contains(net.ParseIP(ip)) {
+					continue
+				}
+			} else if strings.Contains(security.IP, "-") {
+				// 范围段
+				split := strings.Split(security.IP, "-")
+				if len(split) < 2 {
+					continue
+				}
+				start := split[0]
+				end := split[1]
+				intReqIP := utils.IpToInt(ip)
+				if intReqIP < utils.IpToInt(start) || intReqIP > utils.IpToInt(end) {
+					continue
+				}
+			} else {
+				// IP
+				if security.IP != ip {
+					continue
+				}
+			}
+
+			if security.Rule == constant.AccessRuleAllow {
+				return next(c)
+			}
+			if security.Rule == constant.AccessRuleReject {
+				if c.Request().Header.Get("X-Requested-With") != "" || c.Request().Header.Get(Token) != "" {
+					return Fail(c, 0, "您的访问请求被拒绝 :(")
+				} else {
+					return c.HTML(666, "您的访问请求被拒绝 :(")
+				}
+			}
+		}
+
+		return next(c)
+	}
+}
+
 func Auth(next echo.HandlerFunc) echo.HandlerFunc {

 	startWithUrls := []string{"/login", "/static", "/favicon.ico", "/logo.svg", "/asciinema"}
@ -80,7 +138,7 @@ func Admin(next echo.HandlerFunc) echo.HandlerFunc {
 			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
 		}

-		if account.Type != model.TypeAdmin {
+		if account.Type != constant.TypeAdmin {
 			return Fail(c, 403, "permission denied")
 		}

--- a/pkg/api/overview.go
+++ b/pkg/api/overview.go
@ -2,6 +2,7 @@ package api

 import (
 	"github.com/labstack/echo/v4"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/model"
 )

@ -21,7 +22,7 @@ func OverviewCounterEndPoint(c echo.Context) error {
 		credential         int64
 		asset              int64
 	)
-	if model.TypeUser == account.Type {
+	if constant.TypeUser == account.Type {
 		countUser, _ = model.CountOnlineUser()
 		countOnlineSession, _ = model.CountOnlineSession()
 		credential, _ = model.CountCredentialByUserId(account.ID)
--- a/pkg/api/routes.go
+++ b/pkg/api/routes.go
@ -2,6 +2,7 @@ package api

 import (
 	"net/http"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/log"
 	"next-terminal/pkg/model"
@ -34,6 +35,7 @@ func SetupRoutes() *echo.Echo {
 		AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
 	}))
 	e.Use(ErrorHandler)
+	e.Use(TcpWall)
 	e.Use(Auth)

 	e.POST("/login", LoginEndpoint)
@ -121,7 +123,7 @@ func SetupRoutes() *echo.Echo {
 		sessions.POST("/:id/mkdir", SessionMkDirEndpoint)
 		sessions.POST("/:id/rm", SessionRmEndpoint)
 		sessions.POST("/:id/rename", SessionRenameEndpoint)
-		sessions.DELETE("/:id", SessionDeleteEndpoint)
+		sessions.DELETE("/:id", Admin(SessionDeleteEndpoint))
 		sessions.GET("/:id/recording", SessionRecordingEndpoint)
 	}

@ -158,6 +160,15 @@ func SetupRoutes() *echo.Echo {
 		jobs.DELETE("/:id/logs", JobDeleteLogsEndpoint)
 	}

+	securities := e.Group("/securities", Admin)
+	{
+		securities.POST("", SecurityCreateEndpoint)
+		securities.GET("/paging", SecurityPagingEndpoint)
+		securities.PUT("/:id", SecurityUpdateEndpoint)
+		securities.DELETE("/:id", SecurityDeleteEndpoint)
+		securities.GET("/:id", SecurityGetEndpoint)
+	}
+
 	return e
 }

@ -218,7 +229,7 @@ func HasPermission(c echo.Context, owner string) bool {
 		return false
 	}
 	// 检测是否为管理人员
-	if model.TypeAdmin == account.Type {
+	if constant.TypeAdmin == account.Type {
 		return true
 	}
 	// 检测是否为所有者
--- a/pkg/api/security.go
+++ b/pkg/api/security.go
@ -0,0 +1,114 @@
+package api
+
+import (
+	"github.com/labstack/echo/v4"
+	"next-terminal/pkg/global"
+	"next-terminal/pkg/model"
+	"next-terminal/pkg/utils"
+	"strconv"
+	"strings"
+)
+
+func SecurityCreateEndpoint(c echo.Context) error {
+	var item model.AccessSecurity
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	item.ID = utils.UUID()
+	item.Source = "管理员添加"
+
+	if err := model.CreateNewSecurity(&item); err != nil {
+		return err
+	}
+	// 更新内存中的安全规则
+	if err := ReloadAccessSecurity(); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func ReloadAccessSecurity() error {
+	rules, err := model.FindAllAccessSecurities()
+	if err != nil {
+		return err
+	}
+	if rules != nil && len(rules) > 0 {
+		var securities []*global.Security
+		for i := 0; i < len(rules); i++ {
+			rule := global.Security{
+				IP:   rules[i].IP,
+				Rule: rules[i].Rule,
+			}
+			securities = append(securities, &rule)
+		}
+		global.Securities = securities
+	}
+	return nil
+}
+
+func SecurityPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	ip := c.QueryParam("ip")
+	rule := c.QueryParam("rule")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	items, total, err := model.FindPageSecurity(pageIndex, pageSize, ip, rule, order, field)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func SecurityUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	var item model.AccessSecurity
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	if err := model.UpdateSecurityById(&item, id); err != nil {
+		return err
+	}
+	// 更新内存中的安全规则
+	if err := ReloadAccessSecurity(); err != nil {
+		return err
+	}
+	return Success(c, nil)
+}
+
+func SecurityDeleteEndpoint(c echo.Context) error {
+	ids := c.Param("id")
+
+	split := strings.Split(ids, ",")
+	for i := range split {
+		jobId := split[i]
+		if err := model.DeleteSecurityById(jobId); err != nil {
+			return err
+		}
+	}
+	// 更新内存中的安全规则
+	if err := ReloadAccessSecurity(); err != nil {
+		return err
+	}
+	return Success(c, nil)
+}
+
+func SecurityGetEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	item, err := model.FindSecurityById(id)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
--- a/pkg/api/session.go
+++ b/pkg/api/session.go
@ -10,6 +10,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/model"
 	"next-terminal/pkg/utils"
@ -36,10 +37,10 @@ func SessionPagingEndpoint(c echo.Context) error {
 	}

 	for i := 0; i < len(items); i++ {
-		if status == model.Disconnected && len(items[i].Recording) > 0 {
+		if status == constant.Disconnected && len(items[i].Recording) > 0 {

 			var recording string
-			if items[i].Mode == model.Naive {
+			if items[i].Mode == constant.Naive {
 				recording = items[i].Recording
 			} else {
 				recording = items[i].Recording + "/recording"
@ -77,7 +78,7 @@ func SessionConnectEndpoint(c echo.Context) error {

 	session := model.Session{}
 	session.ID = sessionId
-	session.Status = model.Connected
+	session.Status = constant.Connected
 	session.ConnectedTime = utils.NowJsonTime()

 	if err := model.UpdateSessionById(&session, sessionId); err != nil {
@ -118,11 +119,11 @@ func CloseSessionById(sessionId string, code int, reason string) {
 		return
 	}

-	if s.Status == model.Disconnected {
+	if s.Status == constant.Disconnected {
 		return
 	}

-	if s.Status == model.Connecting {
+	if s.Status == constant.Connecting {
 		// 会话还未建立成功，无需保留数据
 		_ = model.DeleteSessionById(sessionId)
 		return
@ -130,7 +131,7 @@ func CloseSessionById(sessionId string, code int, reason string) {

 	session := model.Session{}
 	session.ID = sessionId
-	session.Status = model.Disconnected
+	session.Status = constant.Disconnected
 	session.DisconnectedTime = utils.NowJsonTime()
 	session.Code = code
 	session.Message = reason
@ -161,15 +162,15 @@ func SessionCreateEndpoint(c echo.Context) error {
 	assetId := c.QueryParam("assetId")
 	mode := c.QueryParam("mode")

-	if mode == model.Naive {
-		mode = model.Naive
+	if mode == constant.Naive {
+		mode = constant.Naive
 	} else {
-		mode = model.Guacd
+		mode = constant.Guacd
 	}

 	user, _ := GetCurrentAccount(c)

-	if model.TypeUser == user.Type {
+	if constant.TypeUser == user.Type {
 		// 检测是否有访问权限
 		assetIds, err := model.FindAssetIdsByUserId(user.ID)
 		if err != nil {
@ -196,7 +197,7 @@ func SessionCreateEndpoint(c echo.Context) error {
 		Protocol:   asset.Protocol,
 		IP:         asset.IP,
 		Port:       asset.Port,
-		Status:     model.NoConnect,
+		Status:     constant.NoConnect,
 		Creator:    user.ID,
 		ClientIP:   c.RealIP(),
 		Mode:       mode,
@ -208,7 +209,7 @@ func SessionCreateEndpoint(c echo.Context) error {
 			return err
 		}

-		if credential.Type == model.Custom {
+		if credential.Type == constant.Custom {
 			session.Username = credential.Username
 			session.Password = credential.Password
 		} else {
@ -273,7 +274,7 @@ func SessionUploadEndpoint(c echo.Context) error {
 	} else if "rdp" == session.Protocol {

 		if strings.Contains(remoteFile, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}

@ -331,7 +332,7 @@ func SessionDownloadEndpoint(c echo.Context) error {
 		return c.Stream(http.StatusOK, echo.MIMEOctetStream, bytes.NewReader(buff.Bytes()))
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(remoteFile, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@ -413,7 +414,7 @@ func SessionLsEndpoint(c echo.Context) error {
 		return Success(c, files)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(remoteDir, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@ -446,6 +447,18 @@ func SessionLsEndpoint(c echo.Context) error {
 	return errors.New("当前协议不支持此操作")
 }

+func SafetyRuleTrigger(c echo.Context) {
+	logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+	security := model.AccessSecurity{
+		ID:     utils.UUID(),
+		Source: "安全规则触发",
+		IP:     c.RealIP(),
+		Rule:   constant.AccessRuleReject,
+	}
+
+	_ = model.CreateNewSecurity(&security)
+}
+
 func SessionMkDirEndpoint(c echo.Context) error {
 	sessionId := c.Param("id")
 	session, err := model.FindSessionById(sessionId)
@ -464,7 +477,7 @@ func SessionMkDirEndpoint(c echo.Context) error {
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(remoteDir, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@ -525,7 +538,7 @@ func SessionRmEndpoint(c echo.Context) error {
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(key, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@ -566,7 +579,7 @@ func SessionRenameEndpoint(c echo.Context) error {
 		return Success(c, nil)
 	} else if "rdp" == session.Protocol {
 		if strings.Contains(oldName, "../") {
-			logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+			SafetyRuleTrigger(c)
 			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
 		}
 		drivePath, err := model.GetDrivePath()
@ -591,7 +604,7 @@ func SessionRecordingEndpoint(c echo.Context) error {
 	}

 	var recording string
-	if session.Mode == model.Naive {
+	if session.Mode == constant.Naive {
 		recording = session.Recording
 	} else {
 		recording = session.Recording + "/recording"
--- a/pkg/api/ssh.go
+++ b/pkg/api/ssh.go
@ -6,6 +6,7 @@ import (
 	"github.com/labstack/echo/v4"
 	"github.com/sirupsen/logrus"
 	"net/http"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/guacd"
 	"next-terminal/pkg/model"
@ -62,7 +63,7 @@ func SSHEndpoint(c echo.Context) (err error) {
 	}

 	user, _ := GetCurrentAccount(c)
-	if model.TypeUser == user.Type {
+	if constant.TypeUser == user.Type {
 		// 检测是否有访问权限
 		assetIds, err := model.FindAssetIdsByUserId(user.ID)
 		if err != nil {
@ -137,7 +138,7 @@ func SSHEndpoint(c echo.Context) (err error) {
 		ConnectionId: sessionId,
 		Width:        cols,
 		Height:       rows,
-		Status:       model.Connecting,
+		Status:       constant.Connecting,
 		Recording:    recording,
 	}
 	// 创建新会话
--- a/pkg/api/tunnel.go
+++ b/pkg/api/tunnel.go
@ -5,6 +5,7 @@ import (
 	"github.com/gorilla/websocket"
 	"github.com/labstack/echo/v4"
 	"github.com/sirupsen/logrus"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/guacd"
 	"next-terminal/pkg/model"
@ -49,7 +50,7 @@ func TunEndpoint(c echo.Context) error {
 			logrus.Warnf("会话不存在")
 			return err
 		}
-		if session.Status != model.Connected {
+		if session.Status != constant.Connected {
 			logrus.Warnf("会话未在线")
 			return errors.New("会话未在线")
 		}
@ -188,7 +189,7 @@ func TunEndpoint(c echo.Context) error {
 			ConnectionId: tunnel.UUID,
 			Width:        intWidth,
 			Height:       intHeight,
-			Status:       model.Connecting,
+			Status:       constant.Connecting,
 			Recording:    configuration.GetParameter(guacd.RecordingPath),
 		}
 		// 创建新会话
--- a/pkg/constant/const.go
+++ b/pkg/constant/const.go
@ -0,0 +1,33 @@
+package constant
+
+const (
+	AccessRuleAllow  = "allow"  // 允许访问
+	AccessRuleReject = "reject" // 拒绝访问
+
+	Custom     = "custom"      // 密码
+	PrivateKey = "private-key" // 密钥
+
+	JobStatusRunning        = "running"                // 计划任务运行状态
+	JobStatusNotRunning     = "not-running"            // 计划任务未运行状态
+	FuncCheckAssetStatusJob = "check-asset-status-job" // 检测资产是否在线
+	FuncShellJob            = "shell-job"              // 执行Shell脚本
+	JobModeAll              = "all"                    // 全部资产
+	JobModeCustom           = "custom"                 // 自定义选择资产
+
+	SshMode      = "ssh-mode"      // ssh模式
+	MailHost     = "mail-host"     // 邮件服务器地址
+	MailPort     = "mail-port"     // 邮件服务器端口
+	MailUsername = "mail-username" // 邮件服务账号
+	MailPassword = "mail-password" // 邮件服务密码
+
+	NoConnect    = "no_connect"   // 会话状态：未连接
+	Connecting   = "connecting"   // 会话状态：连接中
+	Connected    = "connected"    // 会话状态：已连接
+	Disconnected = "disconnected" // 会话状态：已断开连接
+
+	Guacd = "guacd" // 接入模式：guacd
+	Naive = "naive" // 接入模式：原生
+
+	TypeUser  = "user"  // 普通用户
+	TypeAdmin = "admin" // 管理员
+)
--- a/pkg/global/global.go
+++ b/pkg/global/global.go
@ -16,3 +16,10 @@ var Config *config.Config
 var Store *TunStore

 var Cron *cron.Cron
+
+type Security struct {
+	Rule string
+	IP   string
+}
+
+var Securities []*Security
--- a/pkg/guacd/guacd.go
+++ b/pkg/guacd/guacd.go
@ -34,6 +34,7 @@ const (
 	DisableOffscreenCaching  = "disable-offscreen-caching"
 	DisableGlyphCaching      = "disable-glyph-caching"

+	Domain        = "domain"
 	RemoteApp     = "remote-app"
 	RemoteAppDir  = "remote-app-dir"
 	RemoteAppArgs = "remote-app-args"
--- a/pkg/handle/runner.go
+++ b/pkg/handle/runner.go
@ -2,6 +2,7 @@ package handle

 import (
 	"github.com/sirupsen/logrus"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/guacd"
 	"next-terminal/pkg/model"
 	"next-terminal/pkg/utils"
@ -16,7 +17,7 @@ func RunTicker() {
 	unUsedSessionTicker := time.NewTicker(time.Minute * 60)
 	go func() {
 		for range unUsedSessionTicker.C {
-			sessions, _ := model.FindSessionByStatusIn([]string{model.NoConnect, model.Connecting})
+			sessions, _ := model.FindSessionByStatusIn([]string{constant.NoConnect, constant.Connecting})
 			if sessions != nil && len(sessions) > 0 {
 				now := time.Now()
 				for i := range sessions {
@ -65,14 +66,14 @@ func RunTicker() {
 }

 func RunDataFix() {
-	sessions, _ := model.FindSessionByStatus(model.Connected)
+	sessions, _ := model.FindSessionByStatus(constant.Connected)
 	if sessions == nil {
 		return
 	}

 	for i := range sessions {
 		session := model.Session{
-			Status:           model.Disconnected,
+			Status:           constant.Disconnected,
 			DisconnectedTime: utils.NowJsonTime(),
 		}

--- a/pkg/model/access_security.go
+++ b/pkg/model/access_security.go
@ -0,0 +1,83 @@
+package model
+
+import (
+	"next-terminal/pkg/global"
+)
+
+type AccessSecurity struct {
+	ID       string `json:"id"`
+	Rule     string `json:"rule"`
+	IP       string `json:"ip"`
+	Source   string `json:"source"`
+	Priority int64  `json:"priority"` // 越小优先级越高
+}
+
+func (r *AccessSecurity) TableName() string {
+	return "access_securities"
+}
+
+func FindAllAccessSecurities() (o []AccessSecurity, err error) {
+	db := global.DB
+	err = db.Order("priority asc").Find(&o).Error
+	return
+}
+
+func FindPageSecurity(pageIndex, pageSize int, ip, rule, order, field string) (o []AccessSecurity, total int64, err error) {
+	t := AccessSecurity{}
+	db := global.DB.Table(t.TableName())
+	dbCounter := global.DB.Table(t.TableName())
+
+	if len(ip) > 0 {
+		db = db.Where("ip like ?", "%"+ip+"%")
+		dbCounter = dbCounter.Where("ip like ?", "%"+ip+"%")
+	}
+
+	if len(rule) > 0 {
+		db = db.Where("rule = ?", rule)
+		dbCounter = dbCounter.Where("rule = ?", rule)
+	}
+
+	err = dbCounter.Count(&total).Error
+	if err != nil {
+		return nil, 0, err
+	}
+
+	if order == "descend" {
+		order = "desc"
+	} else {
+		order = "asc"
+	}
+
+	if field == "ip" {
+		field = "ip"
+	} else if field == "rule" {
+		field = "rule"
+	} else {
+		field = "priority"
+	}
+
+	err = db.Order(field + " " + order).Find(&o).Offset((pageIndex - 1) * pageSize).Limit(pageSize).Error
+	if o == nil {
+		o = make([]AccessSecurity, 0)
+	}
+	return
+}
+
+func CreateNewSecurity(o *AccessSecurity) error {
+	return global.DB.Create(o).Error
+}
+
+func UpdateSecurityById(o *AccessSecurity, id string) error {
+	o.ID = id
+	return global.DB.Updates(o).Error
+}
+
+func DeleteSecurityById(id string) error {
+
+	return global.DB.Where("id = ?", id).Delete(AccessSecurity{}).Error
+}
+
+func FindSecurityById(id string) (o *AccessSecurity, err error) {
+	err = global.DB.Where("id = ?", id).First(&o).Error
+	return
+}
--- a/pkg/model/asset.go
+++ b/pkg/model/asset.go
@ -1,6 +1,7 @@
 package model

 import (
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/utils"
 	"strings"
@ -66,7 +67,7 @@ func FindAssetByProtocolAndIds(protocol string, assetIds []string) (o []Asset, e
 func FindAssetByConditions(protocol string, account User) (o []Asset, err error) {
 	db := global.DB.Table("assets").Select("assets.id,assets.name,assets.ip,assets.port,assets.protocol,assets.active,assets.owner,assets.created, users.nickname as owner_name,COUNT(resource_sharers.user_id) as sharer_count").Joins("left join users on assets.owner = users.id").Joins("left join resource_sharers on assets.id = resource_sharers.resource_id").Group("assets.id")

-	if TypeUser == account.Type {
+	if constant.TypeUser == account.Type {
 		owner := account.ID
 		db = db.Where("assets.owner = ? or resource_sharers.user_id = ?", owner, owner)
 	}
@ -82,7 +83,7 @@ func FindPageAsset(pageIndex, pageSize int, name, protocol, tags string, account
 	db := global.DB.Table("assets").Select("assets.id,assets.name,assets.ip,assets.port,assets.protocol,assets.active,assets.owner,assets.created,assets.tags, users.nickname as owner_name,COUNT(resource_sharers.user_id) as sharer_count").Joins("left join users on assets.owner = users.id").Joins("left join resource_sharers on assets.id = resource_sharers.resource_id").Group("assets.id")
 	dbCounter := global.DB.Table("assets").Select("DISTINCT assets.id").Joins("left join resource_sharers on assets.id = resource_sharers.resource_id").Group("assets.id")

-	if TypeUser == account.Type {
+	if constant.TypeUser == account.Type {
 		owner := account.ID
 		db = db.Where("assets.owner = ? or resource_sharers.user_id = ?", owner, owner)
 		dbCounter = dbCounter.Where("assets.owner = ? or resource_sharers.user_id = ?", owner, owner)
--- a/pkg/model/asset_attribute.go
+++ b/pkg/model/asset_attribute.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"github.com/labstack/echo/v4"
 	"gorm.io/gorm"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/guacd"
 	"next-terminal/pkg/utils"
@ -20,8 +21,8 @@ func (r *AssetAttribute) TableName() string {
 	return "asset_attributes"
 }

-var SSHParameterNames = []string{guacd.FontName, guacd.FontSize, guacd.ColorScheme, guacd.Backspace, guacd.TerminalType, SshMode}
-var RDPParameterNames = []string{guacd.RemoteApp, guacd.RemoteAppDir, guacd.RemoteAppArgs}
+var SSHParameterNames = []string{guacd.FontName, guacd.FontSize, guacd.ColorScheme, guacd.Backspace, guacd.TerminalType, constant.SshMode}
+var RDPParameterNames = []string{guacd.Domain, guacd.RemoteApp, guacd.RemoteAppDir, guacd.RemoteAppArgs}
 var VNCParameterNames = []string{guacd.ColorDepth, guacd.Cursor, guacd.SwapRedBlue, guacd.DestHost, guacd.DestPort}
 var TelnetParameterNames = []string{guacd.FontName, guacd.FontSize, guacd.ColorScheme, guacd.Backspace, guacd.TerminalType, guacd.UsernameRegex, guacd.PasswordRegex, guacd.LoginSuccessRegex, guacd.LoginFailureRegex}
 var KubernetesParameterNames = []string{guacd.FontName, guacd.FontSize, guacd.ColorScheme, guacd.Backspace, guacd.TerminalType, guacd.Namespace, guacd.Pod, guacd.Container, guacd.UesSSL, guacd.ClientCert, guacd.ClientKey, guacd.CaCert, guacd.IgnoreCert}
--- a/pkg/model/command.go
+++ b/pkg/model/command.go
@ -1,6 +1,7 @@
 package model

 import (
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/utils"
 )
@ -32,7 +33,7 @@ func FindPageCommand(pageIndex, pageSize int, name, content, order, field string
 	db := global.DB.Table("commands").Select("commands.id,commands.name,commands.content,commands.owner,commands.created, users.nickname as owner_name,COUNT(resource_sharers.user_id) as sharer_count").Joins("left join users on commands.owner = users.id").Joins("left join resource_sharers on commands.id = resource_sharers.resource_id").Group("commands.id")
 	dbCounter := global.DB.Table("commands").Select("DISTINCT commands.id").Joins("left join resource_sharers on commands.id = resource_sharers.resource_id").Group("commands.id")

-	if TypeUser == account.Type {
+	if constant.TypeUser == account.Type {
 		owner := account.ID
 		db = db.Where("commands.owner = ? or resource_sharers.user_id = ?", owner, owner)
 		dbCounter = dbCounter.Where("commands.owner = ? or resource_sharers.user_id = ?", owner, owner)
--- a/pkg/model/credential.go
+++ b/pkg/model/credential.go
@ -1,16 +1,11 @@
 package model

 import (
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/utils"
 )

-// 密码
-const Custom = "custom"
-
-// 密钥
-const PrivateKey = "private-key"
-
 type Credential struct {
 	ID         string         `gorm:"primary_key" json:"id"`
 	Name       string         `json:"name"`
@ -45,7 +40,7 @@ type CredentialSimpleVo struct {

 func FindAllCredential(account User) (o []CredentialSimpleVo, err error) {
 	db := global.DB.Table("credentials").Select("DISTINCT credentials.id,credentials.name").Joins("left join resource_sharers on credentials.id = resource_sharers.resource_id")
-	if account.Type == TypeUser {
+	if account.Type == constant.TypeUser {
 		db = db.Where("credentials.owner = ? or resource_sharers.user_id = ?", account.ID, account.ID)
 	}
 	err = db.Find(&o).Error
@ -56,7 +51,7 @@ func FindPageCredential(pageIndex, pageSize int, name, order, field string, acco
 	db := global.DB.Table("credentials").Select("credentials.id,credentials.name,credentials.type,credentials.username,credentials.owner,credentials.created,users.nickname as owner_name,COUNT(resource_sharers.user_id) as sharer_count").Joins("left join users on credentials.owner = users.id").Joins("left join resource_sharers on credentials.id = resource_sharers.resource_id").Group("credentials.id")
 	dbCounter := global.DB.Table("credentials").Select("DISTINCT credentials.id").Joins("left join resource_sharers on credentials.id = resource_sharers.resource_id").Group("credentials.id")

-	if TypeUser == account.Type {
+	if constant.TypeUser == account.Type {
 		owner := account.ID
 		db = db.Where("credentials.owner = ? or resource_sharers.user_id = ?", owner, owner)
 		dbCounter = dbCounter.Where("credentials.owner = ? or resource_sharers.user_id = ?", owner, owner)
--- a/pkg/model/job.go
+++ b/pkg/model/job.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	"github.com/robfig/cron/v3"
 	"github.com/sirupsen/logrus"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/term"
 	"next-terminal/pkg/utils"
@ -13,17 +14,6 @@ import (
 	"time"
 )

-const (
-	JobStatusRunning    = "running"
-	JobStatusNotRunning = "not-running"
-
-	FuncCheckAssetStatusJob = "check-asset-status-job"
-	FuncShellJob            = "shell-job"
-
-	JobModeAll    = "all"
-	JobModeCustom = "custom"
-)
-
 type Job struct {
 	ID          string         `gorm:"primary_key" json:"id"`
 	CronJobId   int            `json:"cronJobId"`
@ -91,7 +81,7 @@ func FindJobByFunc(function string) (o []Job, err error) {

 func CreateNewJob(o *Job) (err error) {

-	if o.Status == JobStatusRunning {
+	if o.Status == constant.JobStatusRunning {
 		j, err := getJob(o)
 		if err != nil {
 			return err
@ -107,11 +97,12 @@ func CreateNewJob(o *Job) (err error) {
 }

 func UpdateJobById(o *Job, id string) (err error) {
-	if o.Status == JobStatusRunning {
+	if o.Status == constant.JobStatusRunning {
 		return errors.New("请先停止定时任务后再修改")
 	}

-	return global.DB.Where("id = ?", id).Updates(o).Error
+	o.ID = id
+	return global.DB.Updates(o).Error
 }

 func UpdateJonUpdatedById(id string) (err error) {
@ -125,7 +116,7 @@ func ChangeJobStatusById(id, status string) (err error) {
 	if err != nil {
 		return err
 	}
-	if status == JobStatusRunning {
+	if status == constant.JobStatusRunning {
 		j, err := getJob(&job)
 		if err != nil {
 			return err
@ -136,11 +127,11 @@ func ChangeJobStatusById(id, status string) (err error) {
 		}
 		logrus.Debugf("开启计划任务「%v」,运行中计划任务数量「%v」", job.Name, len(global.Cron.Entries()))

-		return global.DB.Updates(Job{ID: id, Status: JobStatusRunning, CronJobId: int(entryID)}).Error
+		return global.DB.Updates(Job{ID: id, Status: constant.JobStatusRunning, CronJobId: int(entryID)}).Error
 	} else {
 		global.Cron.Remove(cron.EntryID(job.CronJobId))
 		logrus.Debugf("关闭计划任务「%v」,运行中计划任务数量「%v」", job.Name, len(global.Cron.Entries()))
-		return global.DB.Updates(Job{ID: id, Status: JobStatusNotRunning}).Error
+		return global.DB.Updates(Job{ID: id, Status: constant.JobStatusNotRunning}).Error
 	}
 }

@ -167,8 +158,8 @@ func DeleteJobById(id string) error {
 	if err != nil {
 		return err
 	}
-	if job.Status == JobStatusRunning {
-		if err := ChangeJobStatusById(id, JobStatusNotRunning); err != nil {
+	if job.Status == constant.JobStatusRunning {
+		if err := ChangeJobStatusById(id, constant.JobStatusNotRunning); err != nil {
 			return err
 		}
 	}
@ -177,9 +168,9 @@ func DeleteJobById(id string) error {

 func getJob(j *Job) (job cron.Job, err error) {
 	switch j.Func {
-	case FuncCheckAssetStatusJob:
+	case constant.FuncCheckAssetStatusJob:
 		job = CheckAssetStatusJob{ID: j.ID, Mode: j.Mode, ResourceIds: j.ResourceIds, Metadata: j.Metadata}
-	case FuncShellJob:
+	case constant.FuncShellJob:
 		job = ShellJob{ID: j.ID, Mode: j.Mode, ResourceIds: j.ResourceIds, Metadata: j.Metadata}
 	default:
 		return nil, errors.New("未识别的任务")
@ -200,7 +191,7 @@ func (r CheckAssetStatusJob) Run() {
 	}

 	var assets []Asset
-	if r.Mode == JobModeAll {
+	if r.Mode == constant.JobModeAll {
 		assets, _ = FindAllAsset()
 	} else {
 		assets, _ = FindAssetByIds(strings.Split(r.ResourceIds, ","))
@ -258,7 +249,7 @@ func (r ShellJob) Run() {
 	}

 	var assets []Asset
-	if r.Mode == JobModeAll {
+	if r.Mode == constant.JobModeAll {
 		assets, _ = FindAssetByProtocol("ssh")
 	} else {
 		assets, _ = FindAssetByProtocolAndIds("ssh", strings.Split(r.ResourceIds, ","))
@ -299,7 +290,7 @@ func (r ShellJob) Run() {
 				return
 			}

-			if credential.Type == Custom {
+			if credential.Type == constant.Custom {
 				username = credential.Username
 				password = credential.Password
 			} else {
--- a/pkg/model/login_log.go
+++ b/pkg/model/login_log.go
--- a/pkg/model/property.go
+++ b/pkg/model/property.go
@ -4,18 +4,11 @@ import (
 	"github.com/jordan-wright/email"
 	"github.com/sirupsen/logrus"
 	"net/smtp"
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/guacd"
 )

-const (
-	SshMode      = "ssh-mode"
-	MailHost     = "mail-host"
-	MailPort     = "mail-port"
-	MailUsername = "mail-username"
-	MailPassword = "mail-password"
-)
-
 type Property struct {
 	Name  string `gorm:"primary_key" json:"name"`
 	Value string `json:"value"`
@ -74,10 +67,10 @@ func GetRecordingPath() (string, error) {

 func SendMail(to, subject, text string) {
 	propertiesMap := FindAllPropertiesMap()
-	host := propertiesMap[MailHost]
-	port := propertiesMap[MailPort]
-	username := propertiesMap[MailUsername]
-	password := propertiesMap[MailPassword]
+	host := propertiesMap[constant.MailHost]
+	port := propertiesMap[constant.MailPort]
+	username := propertiesMap[constant.MailUsername]
+	password := propertiesMap[constant.MailPassword]

 	if host == "" || port == "" || username == "" || password == "" {
 		logrus.Debugf("邮箱信息不完整，跳过发送邮件。")
--- a/pkg/model/session.go
+++ b/pkg/model/session.go
@ -1,6 +1,7 @@
 package model

 import (
+	"next-terminal/pkg/constant"
 	"next-terminal/pkg/global"
 	"next-terminal/pkg/utils"
 	"os"
@ -8,18 +9,6 @@ import (
 	"time"
 )

-const (
-	NoConnect    = "no_connect"
-	Connecting   = "connecting"
-	Connected    = "connected"
-	Disconnected = "disconnected"
-)
-
-const (
-	Guacd = "guacd"
-	Naive = "naive"
-)
-
 type Session struct {
 	ID               string         `gorm:"primary_key" json:"id"`
 	Protocol         string         `json:"protocol"`
@ -130,7 +119,7 @@ func FindSessionByStatusIn(statuses []string) (o []Session, err error) {

 func FindOutTimeSessions(dayLimit int) (o []Session, err error) {
 	limitTime := time.Now().Add(time.Duration(-dayLimit*24) * time.Hour)
-	err = global.DB.Where("status = ? and connected_time < ?", Disconnected, limitTime).Find(&o).Error
+	err = global.DB.Where("status = ? and connected_time < ?", constant.Disconnected, limitTime).Find(&o).Error
 	return
 }

@ -187,7 +176,7 @@ func DeleteSessionByStatus(status string) {
 }

 func CountOnlineSession() (total int64, err error) {
-	err = global.DB.Where("status = ?", Connected).Find(&Session{}).Count(&total).Error
+	err = global.DB.Where("status = ?", constant.Connected).Find(&Session{}).Count(&total).Error
 	return
 }

--- a/pkg/model/user-attribute.go
+++ b/pkg/model/user-attribute.go
@ -2,10 +2,6 @@ package model

 import "next-terminal/pkg/global"

-const (
-	FontSize = "font-size"
-)
-
 type UserAttribute struct {
 	Id     string `gorm:"index" json:"id"`
 	UserId string `gorm:"index" json:"userId"`
--- a/pkg/model/user.go
+++ b/pkg/model/user.go
@ -6,11 +6,6 @@ import (
 	"reflect"
 )

-const (
-	TypeUser  = "user"
-	TypeAdmin = "admin"
-)
-
 type User struct {
 	ID         string         `gorm:"primary_key" json:"id"`
 	Username   string         `gorm:"index" json:"username"`
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@ -182,3 +182,30 @@ func StructToMap(obj interface{}) map[string]interface{} {
 	}
 	return data
 }
+
+func IpToInt(ip string) int64 {
+	if len(ip) == 0 {
+		return 0
+	}
+	bits := strings.Split(ip, ".")
+	if len(bits) < 4 {
+		return 0
+	}
+	b0 := StringToInt(bits[0])
+	b1 := StringToInt(bits[1])
+	b2 := StringToInt(bits[2])
+	b3 := StringToInt(bits[3])
+
+	var sum int64
+	sum += int64(b0) << 24
+	sum += int64(b1) << 16
+	sum += int64(b2) << 8
+	sum += int64(b3)
+
+	return sum
+}
+
+func StringToInt(in string) (out int) {
+	out, _ = strconv.Atoi(in)
+	return
+}