public void TestLogFileCustomSource()
{
string fullPath = Path.Combine(tempPath, "test1.txt");
using (IPBanLogFileScanner scanner = new IPBanIPAddressLogFileScanner(this, TestDnsLookup.Instance,
source: "SSH",
pathAndMask: pathAndMask,
recursive: false,
regexFailure: "(?<source_ssh1>SSH1 (?<ipaddress>.+))|(?<source_ssh2>SSH2 (?<ipaddress>.+))|(?<source_ssh4>SSH4 (?<ipaddress>.+))|(SSH Default (?<ipaddress>.+))",
regexSuccess: null,
pingIntervalMilliseconds: 0))
{
IPBanExtensionMethods.FileWriteAllTextWithRetry(fullPath, string.Empty);
scanner.PingFiles();
File.AppendAllText(fullPath, "SSH1 97.97.97.97\n");
File.AppendAllText(fullPath, "SSH2 98.97.97.97\n");
File.AppendAllText(fullPath, "SSH3 99.97.97.97\n"); // fail
File.AppendAllText(fullPath, "SSH Default 100.97.97.97\n");
scanner.PingFiles();
Assert.AreEqual(3, failedIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("97.97.97.97", failedIPAddresses[0].IPAddress);
Assert.AreEqual("ssh1", failedIPAddresses[0].Source);
Assert.AreEqual("98.97.97.97", failedIPAddresses[1].IPAddress);
Assert.AreEqual("ssh2", failedIPAddresses[1].Source);
Assert.AreEqual("100.97.97.97", failedIPAddresses[2].IPAddress);
Assert.AreEqual("SSH", failedIPAddresses[2].Source);
}
}
public void TestLogFileParserMaskReplace()
{
string pathAndMask = Path.Combine(tempPath, "log-{year}-{month}-{day}.txt");
using (IPBanLogFileScanner scanner = new IPBanIPAddressLogFileScanner(this, TestDnsLookup.Instance,
source: "SSH",
pathAndMask: pathAndMask,
recursive: false,
regexFailure: "fail, ip: (?<ipaddress>.+), user: (?<username>.*?)",
regexSuccess: "success, ip: (?<ipaddress>.+), user: (?<username>.*?)",
pingIntervalMilliseconds: 0))
{
string filePath = Path.Combine(tempPath, "log-2019-05-05.txt");
IPBanService.UtcNow = new DateTime(2019, 5, 5, 1, 1, 1, DateTimeKind.Utc);
IPBanExtensionMethods.FileWriteAllTextWithRetry(filePath, string.Empty);
scanner.PingFiles();
File.AppendAllText(filePath, "fail, ip: 99.99.99.99, user: testuser\n");
File.AppendAllText(filePath, "success, ip: 98.99.99.99, user: testuser\n");
scanner.PingFiles();
Assert.AreEqual(1, failedIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("99.99.99.99", failedIPAddresses[0].IPAddress);
Assert.AreEqual(1, successIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("98.99.99.99", successIPAddresses[0].IPAddress);
// move date to non-match on log file
IPBanService.UtcNow = new DateTime(2019, 6, 5, 1, 1, 1, DateTimeKind.Utc);
File.AppendAllText(filePath, "fail, ip: 97.99.99.99, user: testuser\n");
File.AppendAllText(filePath, "success, ip: 96.99.99.99, user: testuser\n");
scanner.PingFiles();
// should be no change in parsing as file should have dropped out
Assert.AreEqual(1, failedIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("99.99.99.99", failedIPAddresses[0].IPAddress);
Assert.AreEqual(1, successIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("98.99.99.99", successIPAddresses[0].IPAddress);
}
}
public void TestPlugin()
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
// prime Linux log files
IPBanPlugin.IPBanLoginFailed("SSH", "User1", "78.88.88.88");
foreach (IPBanLogFileScanner toParse in service.LogFilesToParse)
{
toParse.PingFiles();
}
}
service.RunCycle().Sync();
for (int i = 0; i < 5; i++)
{
IPBanPlugin.IPBanLoginFailed("SSH", "User1", "88.88.88.88");
service.RunCycle().Sync();
// attempt to read failed logins, if they do not match, sleep a bit and try again
for (int j = 0; j < 10 && (!service.DB.TryGetIPAddress("88.88.88.88", out IPBanDB.IPAddressEntry e) || e.FailedLoginCount != i + 1); j++)
{
System.Threading.Thread.Sleep(100);
foreach (IPBanLogFileScanner toParse in service.LogFilesToParse)
{
toParse.PingFiles();
}
service.RunCycle().Sync();
}
IPBanService.UtcNow += TimeSpan.FromMinutes(5.0);
}
service.RunCycle().Sync();
Assert.IsTrue(service.Firewall.IsIPAddressBlocked("88.88.88.88", out _));
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
string toDelete = $"/var/log/ipbancustom_{IPBanPlugin.ProcessName}.log";
IPBanExtensionMethods.FileDeleteWithRetry(toDelete);
}
// by default, Windows plugin goes to event viewer, we want to also make sure custom log files work on Windows
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
// prime log file to parse
string file = @"C:/IPBanCustomLogs/ipbancustom_test.log";
Directory.CreateDirectory(Path.GetDirectoryName(file));
IPBanExtensionMethods.FileWriteAllTextWithRetry(file, "awerfoajwerp jaeowr paojwer " + Environment.NewLine);
service.RunCycle().Sync();
System.Threading.Thread.Sleep(100);
foreach (IPBanLogFileScanner toParse in service.LogFilesToParse)
{
toParse.PingFiles();
}
string data = "ipban failed login, ip address: 99.99.99.99, source: SSH, user: User2" + Environment.NewLine;
for (int i = 0; i < 5; i++)
{
File.AppendAllText(file, data);
IPBanService.UtcNow += TimeSpan.FromMinutes(5.0);
foreach (IPBanLogFileScanner toParse in service.LogFilesToParse)
{
toParse.PingFiles();
}
// attempt to read failed logins, if they do not match, sleep a bit and try again
for (int j = 0; j < 10 && (!service.DB.TryGetIPAddress("99.99.99.99", out IPBanDB.IPAddressEntry e) || e.FailedLoginCount != i + 1); j++)
{
System.Threading.Thread.Sleep(100);
service.RunCycle().Sync();
}
service.RunCycle().Sync();
}
try
{
Assert.IsTrue(service.Firewall.IsIPAddressBlocked("99.99.99.99", out _));
}
finally
{
IPBanExtensionMethods.FileDeleteWithRetry(file);
Directory.Delete(Path.GetDirectoryName(file));
using (EventLog appLog = new EventLog("Application", System.Environment.MachineName))
{
appLog.Clear();
}
}
}
}
public void SimpleLogParseTest()
{
string fullPath = Path.Combine(tempPath, "test1.txt");
using (IPBanLogFileScanner scanner = new IPBanIPAddressLogFileScanner(this, TestDnsLookup.Instance,
source: "SSH",
pathAndMask: pathAndMask,
recursive: false,
regexFailure: "__prefix__(?<ipaddress>.+)__suffix(__(?<username>.*?)__end)?",
regexSuccess: "success_prefix__(?<ipaddress>.+)__suffix(__(?<username>.*?)__end)?",
pingIntervalMilliseconds: 0))
{
StreamWriter writer = new StreamWriter(CreateFile(fullPath), Encoding.UTF8)
{
AutoFlush = true
};
// scan once before writing any data, otherwise scanner starts at aned of file and will miss
// the first data written
scanner.PingFiles();
// start off with one ip, do not write the last newline, we will do that later
writer.Write("asdasdasdasdasdasd ");
writer.Write("__prefix__1.1.1.1__suffix message repeated 3 times");
scanner.PingFiles();
Assert.AreEqual(0, failedIPAddresses.Count, "Should not have found ip address yet");
// now write a newline, this should make it pickup the line
writer.WriteLine(" aaa ");
writer.WriteLine();
scanner.PingFiles();
Assert.AreEqual(1, failedIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("1.1.1.1", failedIPAddresses[0].IPAddress, "First ip address is wrong");
Assert.AreEqual("SSH", failedIPAddresses[0].Source, "First ip source is wrong");
Assert.AreEqual(3, failedIPAddresses[0].Count, "Repeat count is wrong");
Assert.IsNull(failedIPAddresses[0].UserName, "First user name should be null");
scanner.PingFiles();
Assert.AreEqual(1, failedIPAddresses.Count, "Should not have found more ip address yet");
writer.WriteLine("aowefjapweojfopaejfpaoe4231 343240-302843 -204 8-23084 -0");
writer.WriteLine("__prefix__2.2.2.2__suffix__THISUSER__end");
writer.WriteLine("success_prefix__4.4.4.4__suffix__THISUSER__end");
scanner.PingFiles();
Assert.AreEqual(2, failedIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("2.2.2.2", failedIPAddresses[1].IPAddress, "Second ip address is wrong");
Assert.AreEqual("SSH", failedIPAddresses[1].Source, "First ip source is wrong");
Assert.AreEqual("THISUSER", failedIPAddresses[1].UserName, "Second user name is wrong");
Assert.AreEqual(1, failedIPAddresses[1].Count, "Repeat count is wrong");
Assert.AreEqual(1, successIPAddresses.Count);
Assert.IsTrue(successIPAddresses[0].Type == IPAddressEventType.SuccessfulLogin);
Assert.AreEqual("4.4.4.4", successIPAddresses[0].IPAddress);
Assert.AreEqual("SSH", successIPAddresses[0].Source);
Assert.AreEqual("THISUSER", successIPAddresses[0].UserName);
writer.Close();
IPBanExtensionMethods.FileDeleteWithRetry(fullPath);
writer = new StreamWriter(CreateFile(fullPath), Encoding.UTF8)
{
AutoFlush = true
};
writer.WriteLine("__prefix__3.3.3.3__suffix message repeated 4 times");
scanner.PingFiles();
Assert.AreEqual(3, failedIPAddresses.Count, "Did not find all expected ip addresses");
Assert.AreEqual("3.3.3.3", failedIPAddresses[2].IPAddress, "Second ip address is wrong");
Assert.AreEqual("SSH", failedIPAddresses[2].Source, "First ip source is wrong");
Assert.AreEqual(4, failedIPAddresses[2].Count, "Repeat count is wrong");
writer.Close();
}
}
