Ejemplo n.º 1
0
        private bool AddFailedLoginForEventViewerXml(string ipAddress, string source, string userName, XmlDocument doc)
        {
            if (string.IsNullOrWhiteSpace(ipAddress))
            {
                return(false);
            }
            else if (string.IsNullOrWhiteSpace(source))
            {
                XmlNode sourceNode = doc.SelectSingleNode("//Source");
                if (sourceNode != null)
                {
                    source = sourceNode.InnerText.Trim();
                }
            }
            if (string.IsNullOrWhiteSpace(userName))
            {
                XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']");
                if (userNameNode == null)
                {
                    userNameNode = doc.SelectSingleNode("//TargetUserName");
                }
                if (userNameNode != null)
                {
                    userName = userNameNode.InnerText.Trim();
                }
            }

            IPBanLog.Write(LogLevel.Information, "*LOGIN FAIL* IP: {0}, USER: {1}", ipAddress, userName);
            service.AddFailedLogin(ipAddress, source, userName);

            return(true);
        }
Ejemplo n.º 2
0
 /// <summary>
 /// Log current log levels
 /// </summary>
 public static void WriteLogLevels(IPBan.LogLevel level = LogLevel.Warn)
 {
     if (logger != null)
     {
         IPBanLog.Write(level, "Log levels: {0},{1},{2},{3},{4},{5}", logger.IsFatalEnabled, logger.IsErrorEnabled, logger.IsWarnEnabled, logger.IsInfoEnabled, logger.IsDebugEnabled, logger.IsTraceEnabled);
     }
 }
Ejemplo n.º 3
0
        private void SetupEventLogWatcher()
        {
            try
            {
                List <string> ignored     = new List <string>();
                string        queryString = GetEventLogQueryString(ignored);
                if (queryString != previousQueryString)
                {
                    IPBanLog.Write(LogLevel.Warning, "Event viewer query string: {0}", queryString);
                    foreach (string path in ignored)
                    {
                        IPBanLog.Write(LogLevel.Warning, "Ignoring event viewer path {0}", path);
                    }

                    watcher?.Dispose();
                    query   = new EventLogQuery(null, PathType.LogName, queryString);
                    watcher = new EventLogWatcher(query);
                    watcher.EventRecordWritten += EventRecordWritten;
                    watcher.Enabled             = true;
                    previousQueryString         = queryString;
                }
            }
            catch (Exception ex)
            {
                IPBanLog.Error("Failed to create event viewer watcher", ex);
            }
        }
Ejemplo n.º 4
0
        /// <summary>
        /// Easy way to execute processes. Timeout to complete is 30 seconds.
        /// </summary>
        /// <param name="program">Program to run</param>
        /// <param name="args">Arguments</param>
        /// <param name="allowedExitCode">Allowed exit codes, if empty not checked, otherwise a mismatch will throw an exception.</param>
        public static void StartProcessAndWait(string program, string args, params int[] allowedExitCode)
        {
            IPBanLog.Write(LogLevel.Information, $"Executing process {program} {args}...");

            var p = new Process
            {
                StartInfo = new ProcessStartInfo(program, args)
                {
                    CreateNoWindow  = true,
                    UseShellExecute = false,
                    WindowStyle     = ProcessWindowStyle.Hidden,
                    Verb            = "runas"
                }
            };

            p.Start();
            if (!p.WaitForExit(30000))
            {
                p.Kill();
            }
            if (allowedExitCode.Length != 0 && Array.IndexOf(allowedExitCode, p.ExitCode) < 0)
            {
                throw new ApplicationException($"Program {program} {args}: failed with exit code {p.ExitCode}");
            }
        }
Ejemplo n.º 5
0
        public static void LinuxMain(string[] args)
        {
            bool         testing = false; // TODO: Change to true if we are running Linux tests
            IPBanService service = IPBanService.CreateService(testing);

            service.Start();
            IPBanLog.Write(LogLevel.Warning, "IPBan Linux Service Running, Press Ctrl-C to quit.");
            ManualResetEvent wait = new ManualResetEvent(false);

            wait.WaitOne();
        }
Ejemplo n.º 6
0
        /// <summary>
        /// Process event viewer XML
        /// </summary>
        /// <param name="xml">XML</param>
        /// <param name="testing">True if testing, false otherwise</param>
        public void ProcessEventViewerXml(string xml, bool testing = false)
        {
            IPBanLog.Write(LogLevel.Information, "Processing xml: {0}", xml);

            XmlDocument doc = ParseXml(xml);

            ExtractEventViewerXml(doc, out string ipAddress, out string source, out string userName);
            if (AddFailedLoginForEventViewerXml(ipAddress, source, userName, doc) && testing)
            {
                Console.WriteLine("Found {0}, {1}, {2}", ipAddress, source, userName);
            }
        }
Ejemplo n.º 7
0
        private HashSet <WatchedFile> UpdateWatchedFiles()
        {
            HashSet <WatchedFile> watchedFilesCopy = new HashSet <WatchedFile>();

            try
            {
                // read in existing files that match the mask in the directory being watched
                if (Directory.Exists(directoryToWatch))
                {
                    foreach (string file in Directory.EnumerateFiles(directoryToWatch, fileMask, SearchOption.TopDirectoryOnly))
                    {
                        watchedFilesCopy.Add(new WatchedFile(file, new FileInfo(file).Length));
                    }
                }
            }
            catch
            {
                // nothing to do here, something failed enumerating the directory files
            }

            lock (watchedFiles)
            {
                // remove files that no longer exist
                foreach (WatchedFile existing in watchedFiles.ToArray())
                {
                    if (!watchedFilesCopy.Contains(existing))
                    {
                        IPBanLog.Write(LogLevel.Debug, "Removing parsed log file {0}", existing.FileName);
                        watchedFiles.Remove(existing);
                    }
                }

                // add new files
                foreach (WatchedFile newFile in watchedFilesCopy)
                {
                    // add the file, will fail if it already exists
                    if (watchedFiles.Add(newFile))
                    {
                        IPBanLog.Write(LogLevel.Debug, "Adding parsed log file {0}", newFile.FileName);
                    }
                }

                // make a copy so we can enumerate outside a lock
                watchedFilesCopy.Clear();
                foreach (WatchedFile file in watchedFiles)
                {
                    watchedFilesCopy.Add(file);
                }
            }

            return(watchedFilesCopy);
        }
Ejemplo n.º 8
0
        private int RunProcess(string program, bool requireExitCode, string commandLine, params object[] args)
        {
            commandLine = program + " " + string.Format(commandLine, args);
            commandLine = "-c \"" + commandLine.Replace("\"", "\\\"") + "\"";
            IPBanLog.Write(LogLevel.Debug, "Running firewall process: /bin/bash {0}", commandLine);
            Process p = Process.Start("/bin/bash", commandLine);

            p.WaitForExit();
            if (requireExitCode && p.ExitCode != 0)
            {
                IPBanLog.Write(LogLevel.Error, "Process {0} {1} had exit code {2}", program, commandLine, p.ExitCode);
            }
            return(p.ExitCode);
        }
Ejemplo n.º 9
0
        private bool PingFile(WatchedFile file, FileStream fs)
        {
            const int maxCountBeforeNewline = 1024;
            int       b;
            long      lastNewlinePos = -1;

            byte[] bytes;
            long   end = Math.Min(file.LastLength, fs.Length);
            int    countBeforeNewline = 0;

            fs.Position = file.LastPosition;

            IPBanLog.Write(LogLevel.Info, "Processing watched file {0}, len = {1}, pos = {2}", file.FileName, file.LastLength, file.LastPosition);

            while (fs.Position < end && countBeforeNewline++ != maxCountBeforeNewline)
            {
                // read until last \n is found
                b = fs.ReadByte();
                if (b == '\n')
                {
                    lastNewlinePos     = fs.Position - 1;
                    countBeforeNewline = 0;
                }
            }

            if (countBeforeNewline == maxCountBeforeNewline)
            {
                throw new InvalidOperationException("Log file " + this.fileMask + " may not be a plain text new line delimited file");
            }

            if (lastNewlinePos > -1)
            {
                // set file position ready for the next read right after the newline
                fs.Position = file.LastPosition;
                bytes       = new BinaryReader(fs).ReadBytes((int)(lastNewlinePos - fs.Position));

                // set position for next ping
                file.LastPosition = lastNewlinePos + 1;

                // read text and run regex to find ip addresses to ban
                string   subString = Encoding.UTF8.GetString(bytes);
                string[] lines     = subString.Split('\n');
                string   ipAddress = null;
                string   userName  = null;
                bool     foundOne  = false;

                // find ip and user name from all lines
                foreach (string line in lines)
                {
                    IPBanLog.Write(LogLevel.Debug, "Parsing log file line {0}...", line);
                    bool foundMatch = IPBanService.GetIPAddressAndUserNameFromRegex(Regex, line.Trim(), ref ipAddress, ref userName);
                    if (foundMatch)
                    {
                        IPBanLog.Write(LogLevel.Debug, "Found match, ip: {0}, user: {1}", ipAddress, userName);
                        service.AddFailedLogin(ipAddress, Source, userName);
                        foundOne = true;
                    }
                    else
                    {
                        IPBanLog.Write(LogLevel.Debug, "No match!");
                    }
                }

                if (foundOne)
                {
                    // signal that we have found ip addresses
                    ipEvent.Set();
                }
            }

            return(maxFileSize > 0 && fs.Length > maxFileSize);
        }
Ejemplo n.º 10
0
        private void ExtractEventViewerXml(XmlDocument doc, out string ipAddress, out string source, out string userName)
        {
            XmlNode keywordsNode = doc.SelectSingleNode("//Keywords");
            string  keywordsText = keywordsNode.InnerText;

            if (keywordsText.StartsWith("0x"))
            {
                keywordsText = keywordsText.Substring(2);
            }
            ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);

            ipAddress = source = userName = null;

            if (keywordsNode != null)
            {
                // we must match on keywords
                foreach (ExpressionsToBlockGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG))
                {
                    foreach (ExpressionToBlock expression in group.Expressions)
                    {
                        // find all the nodes, try and get an ip from any of them, all must match
                        XmlNodeList nodes = doc.SelectNodes(expression.XPath);

                        if (nodes.Count == 0)
                        {
                            IPBanLog.Write(LogLevel.Information, "No nodes found for xpath {0}", expression.XPath);
                            ipAddress = null;
                            break;
                        }

                        // if there is a regex, it must match
                        if (string.IsNullOrWhiteSpace(expression.Regex))
                        {
                            // count as a match, do not modify the ip address if it was already set
                            IPBanLog.Write(LogLevel.Information, "No regex, so counting as a match");
                        }
                        else
                        {
                            bool foundMatch = false;

                            // try and find an ip from any of the nodes
                            foreach (XmlNode node in nodes)
                            {
                                // if we get a match, stop checking nodes
                                if ((foundMatch = IPBanService.GetIPAddressAndUserNameFromRegex(expression.RegexObject, node.InnerText, ref ipAddress, ref userName)))
                                {
                                    break;
                                }
                            }

                            if (!foundMatch)
                            {
                                // match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban
                                IPBanLog.Write(LogLevel.Information, "Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath);
                                ipAddress = null;
                                break;
                            }
                        }
                    }

                    if (ipAddress != null)
                    {
                        source = group.Source;
                        break;
                    }
                    ipAddress = source = userName = null; // set null for the next node attempt
                }
            }
        }