private bool Check(IPAddress addr, Treshold treshold, int cnt)
{
bool over = false;
long last = 0;
bool hasLast = treshold.Last.TryGetValue(addr, out last);
//Log.Error("XXX addr=" + addr
// + ", cnt=" + cnt
// + ", Name=" + treshold.Name
// + ", MaxRetry=" + treshold.MaxRetry
// + ", Repeat=" + treshold.Repeat
// + ", Last(" + treshold.Last.Count + ")=" + last
// + ", now=" + DateTime.Now.Ticks);
// is number of failed logins over treshold according
// configured treshold function and number of failed logins
if (treshold.Function == TresholdFunction.SIMPLE)
{
if (cnt > treshold.MaxRetry)
{
over = true;
}
}
if (!over)
{
if (hasLast)
{
treshold.Last.Remove(addr);
}
return(false);
}
// check rules for repeated over treshold notifications
long now = DateTime.Now.Ticks;
if (treshold.Repeat == 0 && last != 0)
{
return(false);
}
else if (treshold.Repeat > 0 && last + treshold.Repeat * TimeSpan.TicksPerSecond > now)
{
return(false);
}
else
{
treshold.Last[addr] = now;
return(true);
}
}
private bool Check(IPAddress addr, Treshold treshold, int cnt)
{
bool over = false;
long last = 0;
bool hasLast = treshold.Last.TryGetValue(addr, out last);
//Log.Error("XXX addr=" + addr
// + ", cnt=" + cnt
// + ", Name=" + treshold.Name
// + ", MaxRetry=" + treshold.MaxRetry
// + ", Repeat=" + treshold.Repeat
// + ", Last(" + treshold.Last.Count + ")=" + last
// + ", now=" + DateTime.Now.Ticks);
// is number of failed logins over treshold according
// configured treshold function and number of failed logins
if (treshold.Function == TresholdFunction.SIMPLE)
{
if (cnt > treshold.MaxRetry)
{
over = true;
}
}
if (!over)
{
if (hasLast)
{
treshold.Last.Remove(addr);
}
return false;
}
// check rules for repeated over treshold notifications
long now = DateTime.Now.Ticks;
if (treshold.Repeat == 0 && last != 0)
{
return false;
}
else if (treshold.Repeat > 0 && last + treshold.Repeat * TimeSpan.TicksPerSecond > now)
{
return false;
}
else
{
treshold.Last[addr] = now;
return true;
}
}
public override string Execute(EventEntry evtlog)
{
string strAddress = evtlog.GetProcData <string>(address);
if (string.IsNullOrEmpty(strAddress))
{
Log.Info("Fail2ban[" + Name
+ "]: empty address attribute: " + address);
return(goto_error);
}
IPAddress addr = null;
try
{
addr = IPAddress.Parse(strAddress.Trim()).MapToIPv6();
}
catch (FormatException ex)
{
Log.Info("Fail2ban[" + Name
+ "]: invalid address " + address
+ "[" + strAddress + "]: " + ex.Message);
return(goto_error);
}
// get fail2ban network address for given IP and prefix
int prefix = ipv6_prefix;
if (addr.IsIPv4MappedToIPv6)
{
prefix = ipv4_prefix;
if (prefix <= 32)
{
prefix += 96;
}
}
if (prefix != 128)
{
addr = Utils.GetNetwork(addr, prefix);
}
// fix log event that came from future(?!), _we_ have correct time!
long now = DateTime.Now.Ticks;
long logtime = evtlog.Created.Ticks;
if (logtime > now)
{
// is clock skew too hight!? occasionally log warning
if (logtime > now + 300 * TimeSpan.TicksPerSecond)
{
if (clockskew + 60 * TimeSpan.TicksPerSecond < now)
{
clockskew = now;
Log.Warn("Fail2ban[" + Name + "]: logtime from future ("
+ ((logtime - now) / TimeSpan.TicksPerSecond) + " seconds) for "
+ evtlog.Input + "/" + evtlog.Input.SelectorName
+ " from " + evtlog.Machine);
}
}
logtime = now;
}
int failcnt = 0;
bool[] tresholdCheck = new bool[tresholds.Count];
lock (thisLock)
{
// update failed login fail2ban data
IFail fail;
if (!data.TryGetValue(addr, out fail))
{
switch (history)
{
case HistoryType.ALL: fail = new FailAll(findtime * TimeSpan.TicksPerSecond); break;
case HistoryType.ONE: fail = new FailOne(findtime * TimeSpan.TicksPerSecond); break;
case HistoryType.FIXED: fail = new FailFixed(findtime * TimeSpan.TicksPerSecond, history_fixed_count, history_fixed_decay); break;
case HistoryType.RRD: fail = new FailRRD(findtime * TimeSpan.TicksPerSecond, history_rrd_count, history_rrd_repeat); break;
}
data[addr] = fail;
}
failcnt = fail.Add(logtime);
for (int i = 0; i < tresholds.Count; i++)
{
tresholdCheck[i] = Check(addr, tresholds[i], failcnt);
}
}
// evaluate all defined tresholds
for (int i = 0; i < tresholds.Count; i++)
{
if (!tresholdCheck[i])
{
continue;
}
Treshold treshold = tresholds[i];
int tmpPrefix = prefix;
IPAddress tmpAddr = addr;
long expiration = now + TimeSpan.FromSeconds(treshold.Bantime).Ticks;
if (addr.IsIPv4MappedToIPv6)
{
// workaround for buggy MapToIPv4 implementation
tmpAddr = Fixes.MapToIPv4(addr);
tmpPrefix = prefix - 96;
}
Log.Info("Fail2ban[" + Name + "]: reached treshold "
+ treshold.Name + " (" + treshold.MaxRetry + "&"
+ failcnt + ") for " + tmpAddr + "/" + tmpPrefix);
if (evtlog.HasProcData("Fail2ban.All"))
{
string all = evtlog.GetProcData <string>("Fail2ban.All");
evtlog.SetProcData("Fail2ban.All", all + "," + Name);
}
else
{
evtlog.SetProcData("Fail2ban.All", Name);
}
evtlog.SetProcData("Fail2ban.Last", Name);
evtlog.SetProcData(Name + ".Address", tmpAddr);
evtlog.SetProcData(Name + ".Prefix", tmpPrefix);
evtlog.SetProcData(Name + ".FailCnt", failcnt);
evtlog.SetProcData(Name + ".Bantime", treshold.Bantime);
evtlog.SetProcData(Name + ".Expiration", expiration);
evtlog.SetProcData(Name + ".Treshold", treshold.Name);
// Add to "action" queue
Produce(new EventEntry(evtlog), treshold.Action, EventQueue.Priority.High);
}
return(goto_next);
}
