private bool AddFailedLoginForEventViewerXml(string ipAddress, string source, string userName, XmlDocument doc) { if (string.IsNullOrWhiteSpace(ipAddress)) { return(false); } else if (string.IsNullOrWhiteSpace(source)) { XmlNode sourceNode = doc.SelectSingleNode("//Source"); if (sourceNode != null) { source = sourceNode.InnerText.Trim(); } } if (string.IsNullOrWhiteSpace(userName)) { XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']"); if (userNameNode == null) { userNameNode = doc.SelectSingleNode("//TargetUserName"); } if (userNameNode != null) { userName = userNameNode.InnerText.Trim(); } } IPBanLog.Write(LogLevel.Information, "*LOGIN FAIL* IP: {0}, USER: {1}", ipAddress, userName); service.AddFailedLogin(ipAddress, source, userName); return(true); }
/// <summary> /// Log current log levels /// </summary> public static void WriteLogLevels(IPBan.LogLevel level = LogLevel.Warn) { if (logger != null) { IPBanLog.Write(level, "Log levels: {0},{1},{2},{3},{4},{5}", logger.IsFatalEnabled, logger.IsErrorEnabled, logger.IsWarnEnabled, logger.IsInfoEnabled, logger.IsDebugEnabled, logger.IsTraceEnabled); } }
private void SetupEventLogWatcher() { try { List <string> ignored = new List <string>(); string queryString = GetEventLogQueryString(ignored); if (queryString != previousQueryString) { IPBanLog.Write(LogLevel.Warning, "Event viewer query string: {0}", queryString); foreach (string path in ignored) { IPBanLog.Write(LogLevel.Warning, "Ignoring event viewer path {0}", path); } watcher?.Dispose(); query = new EventLogQuery(null, PathType.LogName, queryString); watcher = new EventLogWatcher(query); watcher.EventRecordWritten += EventRecordWritten; watcher.Enabled = true; previousQueryString = queryString; } } catch (Exception ex) { IPBanLog.Error("Failed to create event viewer watcher", ex); } }
/// <summary> /// Easy way to execute processes. Timeout to complete is 30 seconds. /// </summary> /// <param name="program">Program to run</param> /// <param name="args">Arguments</param> /// <param name="allowedExitCode">Allowed exit codes, if empty not checked, otherwise a mismatch will throw an exception.</param> public static void StartProcessAndWait(string program, string args, params int[] allowedExitCode) { IPBanLog.Write(LogLevel.Information, $"Executing process {program} {args}..."); var p = new Process { StartInfo = new ProcessStartInfo(program, args) { CreateNoWindow = true, UseShellExecute = false, WindowStyle = ProcessWindowStyle.Hidden, Verb = "runas" } }; p.Start(); if (!p.WaitForExit(30000)) { p.Kill(); } if (allowedExitCode.Length != 0 && Array.IndexOf(allowedExitCode, p.ExitCode) < 0) { throw new ApplicationException($"Program {program} {args}: failed with exit code {p.ExitCode}"); } }
public static void LinuxMain(string[] args) { bool testing = false; // TODO: Change to true if we are running Linux tests IPBanService service = IPBanService.CreateService(testing); service.Start(); IPBanLog.Write(LogLevel.Warning, "IPBan Linux Service Running, Press Ctrl-C to quit."); ManualResetEvent wait = new ManualResetEvent(false); wait.WaitOne(); }
/// <summary> /// Process event viewer XML /// </summary> /// <param name="xml">XML</param> /// <param name="testing">True if testing, false otherwise</param> public void ProcessEventViewerXml(string xml, bool testing = false) { IPBanLog.Write(LogLevel.Information, "Processing xml: {0}", xml); XmlDocument doc = ParseXml(xml); ExtractEventViewerXml(doc, out string ipAddress, out string source, out string userName); if (AddFailedLoginForEventViewerXml(ipAddress, source, userName, doc) && testing) { Console.WriteLine("Found {0}, {1}, {2}", ipAddress, source, userName); } }
private HashSet <WatchedFile> UpdateWatchedFiles() { HashSet <WatchedFile> watchedFilesCopy = new HashSet <WatchedFile>(); try { // read in existing files that match the mask in the directory being watched if (Directory.Exists(directoryToWatch)) { foreach (string file in Directory.EnumerateFiles(directoryToWatch, fileMask, SearchOption.TopDirectoryOnly)) { watchedFilesCopy.Add(new WatchedFile(file, new FileInfo(file).Length)); } } } catch { // nothing to do here, something failed enumerating the directory files } lock (watchedFiles) { // remove files that no longer exist foreach (WatchedFile existing in watchedFiles.ToArray()) { if (!watchedFilesCopy.Contains(existing)) { IPBanLog.Write(LogLevel.Debug, "Removing parsed log file {0}", existing.FileName); watchedFiles.Remove(existing); } } // add new files foreach (WatchedFile newFile in watchedFilesCopy) { // add the file, will fail if it already exists if (watchedFiles.Add(newFile)) { IPBanLog.Write(LogLevel.Debug, "Adding parsed log file {0}", newFile.FileName); } } // make a copy so we can enumerate outside a lock watchedFilesCopy.Clear(); foreach (WatchedFile file in watchedFiles) { watchedFilesCopy.Add(file); } } return(watchedFilesCopy); }
private int RunProcess(string program, bool requireExitCode, string commandLine, params object[] args) { commandLine = program + " " + string.Format(commandLine, args); commandLine = "-c \"" + commandLine.Replace("\"", "\\\"") + "\""; IPBanLog.Write(LogLevel.Debug, "Running firewall process: /bin/bash {0}", commandLine); Process p = Process.Start("/bin/bash", commandLine); p.WaitForExit(); if (requireExitCode && p.ExitCode != 0) { IPBanLog.Write(LogLevel.Error, "Process {0} {1} had exit code {2}", program, commandLine, p.ExitCode); } return(p.ExitCode); }
private bool PingFile(WatchedFile file, FileStream fs) { const int maxCountBeforeNewline = 1024; int b; long lastNewlinePos = -1; byte[] bytes; long end = Math.Min(file.LastLength, fs.Length); int countBeforeNewline = 0; fs.Position = file.LastPosition; IPBanLog.Write(LogLevel.Info, "Processing watched file {0}, len = {1}, pos = {2}", file.FileName, file.LastLength, file.LastPosition); while (fs.Position < end && countBeforeNewline++ != maxCountBeforeNewline) { // read until last \n is found b = fs.ReadByte(); if (b == '\n') { lastNewlinePos = fs.Position - 1; countBeforeNewline = 0; } } if (countBeforeNewline == maxCountBeforeNewline) { throw new InvalidOperationException("Log file " + this.fileMask + " may not be a plain text new line delimited file"); } if (lastNewlinePos > -1) { // set file position ready for the next read right after the newline fs.Position = file.LastPosition; bytes = new BinaryReader(fs).ReadBytes((int)(lastNewlinePos - fs.Position)); // set position for next ping file.LastPosition = lastNewlinePos + 1; // read text and run regex to find ip addresses to ban string subString = Encoding.UTF8.GetString(bytes); string[] lines = subString.Split('\n'); string ipAddress = null; string userName = null; bool foundOne = false; // find ip and user name from all lines foreach (string line in lines) { IPBanLog.Write(LogLevel.Debug, "Parsing log file line {0}...", line); bool foundMatch = IPBanService.GetIPAddressAndUserNameFromRegex(Regex, line.Trim(), ref ipAddress, ref userName); if (foundMatch) { IPBanLog.Write(LogLevel.Debug, "Found match, ip: {0}, user: {1}", ipAddress, userName); service.AddFailedLogin(ipAddress, Source, userName); foundOne = true; } else { IPBanLog.Write(LogLevel.Debug, "No match!"); } } if (foundOne) { // signal that we have found ip addresses ipEvent.Set(); } } return(maxFileSize > 0 && fs.Length > maxFileSize); }
private void ExtractEventViewerXml(XmlDocument doc, out string ipAddress, out string source, out string userName) { XmlNode keywordsNode = doc.SelectSingleNode("//Keywords"); string keywordsText = keywordsNode.InnerText; if (keywordsText.StartsWith("0x")) { keywordsText = keywordsText.Substring(2); } ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture); ipAddress = source = userName = null; if (keywordsNode != null) { // we must match on keywords foreach (ExpressionsToBlockGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG)) { foreach (ExpressionToBlock expression in group.Expressions) { // find all the nodes, try and get an ip from any of them, all must match XmlNodeList nodes = doc.SelectNodes(expression.XPath); if (nodes.Count == 0) { IPBanLog.Write(LogLevel.Information, "No nodes found for xpath {0}", expression.XPath); ipAddress = null; break; } // if there is a regex, it must match if (string.IsNullOrWhiteSpace(expression.Regex)) { // count as a match, do not modify the ip address if it was already set IPBanLog.Write(LogLevel.Information, "No regex, so counting as a match"); } else { bool foundMatch = false; // try and find an ip from any of the nodes foreach (XmlNode node in nodes) { // if we get a match, stop checking nodes if ((foundMatch = IPBanService.GetIPAddressAndUserNameFromRegex(expression.RegexObject, node.InnerText, ref ipAddress, ref userName))) { break; } } if (!foundMatch) { // match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban IPBanLog.Write(LogLevel.Information, "Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath); ipAddress = null; break; } } } if (ipAddress != null) { source = group.Source; break; } ipAddress = source = userName = null; // set null for the next node attempt } } }