after #4083 the staleness window is 30 minutes, which still lets an ip
that stopped connecting a few minutes ago sit in the db blob and keep
the protected slot on the ascending sort. the ip that is actually
connecting right now gets classified as excess and sent to fail2ban,
and never lands in inbound_client_ips.ips so the panel doesnt show it
until you clear the log by hand.
only count ips observed in the current scan toward the limit. db-only
entries stay in the blob for display but dont participate in the ban
decision. live subset still uses the "protect oldest, ban newcomer"
rule.
closes#4091. followup to #4077.
After 60abeaa flipped the excess-IP selector to "oldest wins,
newest loses" (to protect the original/current connections), the
per-client IP table in `inbound_client_ips.ips` never evicted IPs
that stopped connecting. Their stored timestamp stayed ancient, so
on every subsequent run they counted as the "oldest protected"
slot(s) and whichever IP was actually using the config now was
classified as "new excess" and re-banned via fail2ban.
This is exactly the #4077 scenario: two IPs connect once and get
recorded, the ban lifts after the configured duration, the lone
legitimate IP that reconnects gets banned again, and again, and
again — a permanent 3xipl.log loop with no real abuser anywhere.
Fix: when merging the persisted `old` list with the freshly
observed `new` log lines, drop entries whose last-seen timestamp
is older than `ipStaleAfterSeconds` (30 minutes). A client that's
actually still active refreshes its timestamp any time xray emits
a new `accepted` line for a fresh TCP, so the cutoff is far above
even idle streaming sessions; a client that's genuinely gone falls
out of the table in bounded time and frees its slot.
Extracted the merge into `mergeClientIps` so it can be exercised
by unit tests without spinning up the full DB-backed job.
Tests cover:
- stale old entry is dropped (the #4077 regression)
- fresh old entries are still carried forward (access-log rotation
is still backed by the persisted table)
- newer timestamp wins when the same IP appears in both lists
- a clock-skewed old `new` entry can't resurrect a stale IP
- a zero cutoff never over-evicts
Closes#4077
* fix: Ban new IPs with fail2ban instead of disconnected the client.
* fix: Remove unused strconv import
* fix: Revert log fail2ban format
* fix: Disconnect the client to remove the banned IPs connections
* fix: Fix getting the xray inbound api port
* fix: Run go formatter
* fix: Disconnect only the supported protocols client
* fix: Ensure the required "cipher" field is present in the shadowsocks protocol
* fix: Log the errors in the resolveXrayAPIPort function
* fix: Run go formatter
- Add timestamp tracking for each client IP address
- Sort IPs by connection time (newest first) instead of alphabetically
- Automatically disconnect old connections when IP limit exceeded
- Keep only the most recent N IPs based on LimitIP setting
- Force disconnection via Xray API (RemoveUser + AddUser)
- Prevents account sharing while allowing legitimate network switching
- Log format: [LIMIT_IP] Email = user@example.com || Disconnecting OLD IP = 1.2.3.4 || Timestamp = 1738521234
This ensures users can seamlessly switch between networks (mobile/WiFi)
and the system maintains connections from their most recent IPs only.
Fixes account sharing prevention for VPN providers selling per-IP licenses.
Co-authored-by: Aung Ye Zaw <zaw.a.y@phluid.world>
When the client has MUX enabled, a TCP or UDP prefix appears before the IP address. We initially weren’t aware of this behavior, but we have now resolved the issue.
* [iplimit] fix access log path in settings service
better to avoid hardcoding the access log path to enhance flexibility. not all users prefer the default './access.log'
* [iplimit] fix iplimit
* [refactor] api controller
* [fix] access log path
better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log
* [fix] set select options from logs paths in xray settings
* [update] .gitignore
* [lint] all .go files
* [update] use status code for jsonMsg and 401 to unauthorize
* [update] handle response status code via axios
* [fix] set correct value if log paths is set to 'none'
we also use the default value for the paths if its set to none
* [fix] iplimit - only warning access log if f2b is installed
* Reduce outage time on Xray errors
* Improved logs clearing, added previous logs
File name change: 3xipl-access-persistent.log -> 3xipl-ap.log
All previous logs have .prev suffix
* Preparations for tgbot additions
* [tgbot] Improvements, Additions and Fixes
* Changed interaction with Expire Date for Clients
* Added more info and interactions with Online Clients
* Added a way to get Ban Logs (also added them to backup)
* Few fixes and optimizations in code
* Fixed RU translation
* [tgbot] More updates and fixes
* [tgbot] Quick Fix
* [tgbot] Quick Fix 2
* [tgbot] Big Updates
Added Notifications for Clients throught Tgbot (when Expire)
Added compability for Usernames both w/wo @
Added more buttons overall for admins
* [tgbot] Fixes
* [tbot] Fixes 2
* [tgbot] Removed usernames support for Notifications to work
* [tgbot] Fix
* [tgbot] Fix Notify
* [tgbot] small fixes
* [tgbot] replyMarkup only for last message on big messages
* [tgbot] Fixed last message is empty
* [tgbot] Fix messages split
* IP Limit Tweaks to reduce false bans
1) Check IPs every 10s instead of 20s
2) F2B jail: maxretry 3 -> 4, findtime 100 -> 60
* USERS SHOULD UPDATE BANTIME ONCE AFTER UPDATE
to recreate jail for Ip Limit
after this
if limitip is 0 and there is no access.log on xray config you don't see this warning
access.log doesn't exist in your config.json
-------------
better view on ip log
-------------
update dependencies
* Logging for fail2ban service
Removed limitDevice and other unnecessary functions
* Logging for fail2ban service
Removed limitDevice and other unnecessary functions
* fixed shouldCleanLog
* last fix
* reduced ip limit detection frequency to 30 sec (less logging, more precise)
changed maxretry in fail2ban jail config to 2 to fit above
* fixed check delay
* added 5 seconds delay before cleaning logs
now only those IPs that are allowed are able to establish a connection; other connections are dropped it will happen every 10 sec
after user offline that IPs will be removed from AllowedIps
