private void ProcessBanFileOnStart() { lock (ipBlocker) { ipBlocker.Clear(); ipBlockerDate.Clear(); if (File.Exists(config.BanFile)) { string[] lines = File.ReadAllLines(config.BanFile); if (config.BanFileClearOnRestart) { File.Delete(config.BanFile); } else { IPAddress tmp; foreach (string ip in lines) { string ipTrimmed = ip.Trim(); if (IPAddress.TryParse(ipTrimmed, out tmp)) { IPBlockCount blockCount = new IPBlockCount(); blockCount.IncrementCount(); ipBlocker[ip] = blockCount; ipBlockerDate[ip] = DateTime.UtcNow; } } } } } IPBanWindowsFirewall.DeleteRules(); ExecuteBanScript(); }
private void ProcessBanFileOnStart() { lock (ipAddressesAndBlockCounts) { ipAddressesAndBlockCounts.Clear(); ipAddressesAndBanDate.Clear(); if (File.Exists(config.BanFile)) { if (config.BanFileClearOnRestart) { // don't re-ban any ip addresses, per config option File.Delete(config.BanFile); } else { string[] lines = File.ReadAllLines(config.BanFile); foreach (string ip in lines) { string[] pieces = ip.Split('\t'); if (pieces.Length > 0) { string ipTrimmed = pieces[0].Trim(); if (IPAddress.TryParse(ipTrimmed, out IPAddress tmp)) { // setup a ban entry for the ip address IPBlockCount blockCount = new IPBlockCount(config.FailedLoginAttemptsBeforeBan); ipAddressesAndBlockCounts[ipTrimmed] = blockCount; if (pieces.Length > 1) { try { // use the date/time if we have it ipAddressesAndBanDate[ipTrimmed] = DateTime.Parse(pieces[1]).ToUniversalTime(); } catch { // corrupt date/time in the file, fallback to current date/time ipAddressesAndBanDate[ipTrimmed] = DateTime.UtcNow; } } else { // otherwise fall back to current date/time ipAddressesAndBanDate[ipTrimmed] = DateTime.UtcNow; } } } } } } } ExecuteBanScript(); }
private void ProcessIPAddress(string ipAddress) { lock (ipBlocker) { // Get the IPBlockCount, if one exists. IPBlockCount ipBlockCount; ipBlocker.TryGetValue(ipAddress, out ipBlockCount); if (ipBlockCount == null) { // This is the first failed login attempt, so record a new IPBlockCount. ipBlockCount = new IPBlockCount(); ipBlocker[ipAddress] = ipBlockCount; } // Increment the count. ipBlockCount.IncrementCount(); Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}", ipAddress, ipBlockCount.Count); // check for the target user name for additional blacklisting checks bool blackListed = config.IsBlackListed(ipAddress); // if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan) { // if they are not black listed OR this is the first increment of a black listed ip address, perform the ban if (!blackListed || ipBlockCount.Count >= 1) { if (!ipBlockerDate.ContainsKey(ipAddress)) { Log.Write(LogLevel.Error, "Banning ip address: {0}, black listed: {1}, count: {2}", ipAddress, blackListed, ipBlockCount.Count); ipBlockerDate[ipAddress] = DateTime.UtcNow; ExecuteBanScript(); } } else { Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, ip should already be banned", ipAddress); } } else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan) { Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count); } } }
private void ProcessPendingIPAddresses() { List <PendingIPAddress> ipAddresses; lock (pendingIPAddresses) { ipAddresses = new List <PendingIPAddress>(pendingIPAddresses); pendingIPAddresses.Clear(); } foreach (PendingIPAddress p in ipAddresses) { string ipAddress = p.IPAddress; string userName = p.UserName; DateTime dateTime = p.DateTime; if (config.IsWhiteListed(ipAddress)) { Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName); } else { lock (ipBlocker) { // Get the IPBlockCount, if one exists. IPBlockCount ipBlockCount; ipBlocker.TryGetValue(ipAddress, out ipBlockCount); if (ipBlockCount == null) { // This is the first failed login attempt, so record a new IPBlockCount. ipBlockCount = new IPBlockCount(); ipBlocker[ipAddress] = ipBlockCount; } // Increment the count. ipBlockCount.IncrementCount(); Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName); // check for the target user name for additional blacklisting checks bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName)); // if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan) { // if they are not black listed OR this is the first increment of a black listed ip address, perform the ban if (!blackListed || ipBlockCount.Count >= 1) { if (!ipBlockerDate.ContainsKey(ipAddress)) { Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count); ipBlockerDate[ipAddress] = dateTime; ExecuteBanScript(); } } else { Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName); } } else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan) { Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count); } } } } }
private void ProcessPendingIPAddresses() { List <PendingIPAddress> ipAddresses; lock (pendingIPAddresses) { ipAddresses = new List <PendingIPAddress>(pendingIPAddresses); pendingIPAddresses.Clear(); } foreach (PendingIPAddress p in ipAddresses) { string ipAddress = p.IPAddress; string userName = p.UserName; DateTime dateTime = p.DateTime; if (config.IsWhiteListed(ipAddress)) { Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName); } else { lock (ipAddressesAndBlockCounts) { // Get the IPBlockCount, if one exists. if (!ipAddressesAndBlockCounts.TryGetValue(ipAddress, out IPBlockCount ipBlockCount)) { // This is the first failed login attempt, so record a new IPBlockCount. ipBlockCount = new IPBlockCount(); ipAddressesAndBlockCounts[ipAddress] = ipBlockCount; } // Increment the count. ipBlockCount.IncrementCount(); Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName); // check for the target user name for additional blacklisting checks bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName)); // if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan) { // if they are not black listed OR this is the first increment of a black listed ip address, perform the ban if (!blackListed || ipBlockCount.Count >= 1) { if (!ipAddressesAndBanDate.ContainsKey(ipAddress)) { Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count); ipAddressesAndBanDate[ipAddress] = dateTime; // Run a process if one is in config var programToRunConfigString = config.ProcessToRunOnBan(ipAddress); if (!string.IsNullOrWhiteSpace(programToRunConfigString)) { try { var firstSpaceIndex = programToRunConfigString.IndexOf(" ", StringComparison.Ordinal); var program = programToRunConfigString.Substring(0, firstSpaceIndex); var arguments = programToRunConfigString.Remove(0, firstSpaceIndex + 1); Log.Write(LogLevel.Error, "Running program: {0} with arguments: {1}", program, arguments); Process.Start(program, arguments); } catch (Exception e) { Log.Write(LogLevel.Error, "Failed to execute process on ban: {0}", e); } } ExecuteBanScript(); } } else { Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName); } } else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan) { Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count); } } } } }
private void ProcessIPAddress(string ipAddress, XmlDocument doc) { if (string.IsNullOrWhiteSpace(ipAddress)) { return; } string userName = null; XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']"); if (userNameNode != null) { userName = userNameNode.InnerText.Trim(); } if (config.IsWhiteListed(ipAddress)) { Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName); } else { lock (ipBlocker) { // Get the IPBlockCount, if one exists. IPBlockCount ipBlockCount; ipBlocker.TryGetValue(ipAddress, out ipBlockCount); if (ipBlockCount == null) { // This is the first failed login attempt, so record a new IPBlockCount. ipBlockCount = new IPBlockCount(); ipBlocker[ipAddress] = ipBlockCount; } // Increment the count. ipBlockCount.IncrementCount(); Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName); // check for the target user name for additional blacklisting checks bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName)); // if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan) { // if they are not black listed OR this is the first increment of a black listed ip address, perform the ban if (!blackListed || ipBlockCount.Count >= 1) { if (!ipBlockerDate.ContainsKey(ipAddress)) { Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count); ipBlockerDate[ipAddress] = DateTime.UtcNow; ExecuteBanScript(); } } else { Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName); } } else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan) { Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count); } } } }
private void ProcessBanFileOnStart() { lock (ipBlocker) { DeleteRule(); ipBlocker.Clear(); ipBlockerDate.Clear(); if (File.Exists(config.BanFile)) { if (config.BanFileClearOnRestart) { File.Delete(config.BanFile); } else { string[] lines = File.ReadAllLines(config.BanFile); IPAddress tmp; foreach (string ip in lines) { string ipTrimmed = ip.Trim(); if (IPAddress.TryParse(ipTrimmed, out tmp)) { IPBlockCount blockCount = new IPBlockCount(); blockCount.IncrementCount(); ipBlocker[ip] = blockCount; ipBlockerDate[ip] = DateTime.UtcNow; } } if (ipBlockerDate.Count != 0) { ExecuteBanScript(); } } } } }
private void ProcessXml(string xml) { Log.Write(LogLevel.Info, "Processing xml: {0}", xml); string ipAddress = null; XmlTextReader reader = new XmlTextReader(new StringReader(xml)); reader.Namespaces = false; XmlDocument doc = new XmlDocument(); doc.Load(reader); XmlNode keywordsNode = doc.SelectSingleNode("//Keywords"); if (keywordsNode != null) { // we must match on keywords foreach (ExpressionsToBlockGroup group in config.Expressions.Groups.Where(g => g.Keywords == keywordsNode.InnerText)) { foreach (ExpressionToBlock expression in group.Expressions) { // we must find a node for each xpath expression XmlNodeList nodes = doc.SelectNodes(expression.XPath); if (nodes.Count == 0) { Log.Write(LogLevel.Warning, "No nodes found for xpath {0}", expression.XPath); ipAddress = null; break; } // if there is a regex, it must match if (string.IsNullOrWhiteSpace(expression.Regex)) { Log.Write(LogLevel.Info, "No regex, so counting as a match"); } else { bool foundMatch = false; foreach (XmlNode node in nodes) { Match m = expression.RegexObject.Match(node.InnerText); if (m.Success) { foundMatch = true; // check if the regex had an ipadddress group Group ipAddressGroup = m.Groups["ipaddress"]; if (ipAddressGroup != null && ipAddressGroup.Success && !string.IsNullOrWhiteSpace(ipAddressGroup.Value)) { ipAddress = ipAddressGroup.Value.Trim(); } break; } } if (!foundMatch) { // no match, move on to the next group to check Log.Write(LogLevel.Warning, "Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath); ipAddress = null; break; } } } } } if (!string.IsNullOrWhiteSpace(ipAddress)) { if (config.IsWhiteListed(ipAddress)) { Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}", ipAddress); } else { IPBlockCount ipBlockCount; lock (ipBlocker) { // Get the IPBlockCount, if one exists. ipBlocker.TryGetValue(ipAddress, out ipBlockCount); if (ipBlockCount == null) { // This is the first failed login attempt, so record a new IPBlockCount. ipBlockCount = new IPBlockCount(); ipBlocker[ipAddress] = ipBlockCount; } // Increment the count. ipBlockCount.IncrementCount(); bool blackListed = config.IsBlackListed(ipAddress); if (blackListed || ipBlockCount.Count == config.FailedLoginAttemptsBeforeBan) { if (!blackListed || ipBlockCount.Count == 1) { Log.Write(LogLevel.Error, "Banning ip address {0}", ipAddress); ipBlockerDate[ipAddress] = DateTime.UtcNow; ExecuteBanScript(); } } else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan) { Log.Write(LogLevel.Info, "Got event with ip address {0}, count {1}, ip is already banned", ipAddress, ipBlockCount.Count); } else { Log.Write(LogLevel.Info, "Got event with ip address {0}, count: {1}", ipAddress, ipBlockCount.Count); } } } } }
private void ProcessIPAddress(string ipAddress, XmlDocument doc) { if (string.IsNullOrWhiteSpace(ipAddress)) { return; } else if (config.IsWhiteListed(ipAddress)) { Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}", ipAddress); } else { IPBlockCount ipBlockCount; lock (ipBlocker) { // Get the IPBlockCount, if one exists. ipBlocker.TryGetValue(ipAddress, out ipBlockCount); if (ipBlockCount == null) { // This is the first failed login attempt, so record a new IPBlockCount. ipBlockCount = new IPBlockCount(); ipBlocker[ipAddress] = ipBlockCount; } // Increment the count. ipBlockCount.IncrementCount(); // check for the target user name for additional blacklisting checks XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']"); bool blackListed = config.IsBlackListed(ipAddress) || (userNameNode != null && config.IsBlackListed(userNameNode.InnerText)); if (blackListed || ipBlockCount.Count == config.FailedLoginAttemptsBeforeBan) { if (!blackListed || ipBlockCount.Count == 1) { Log.Write(LogLevel.Error, "Banning ip address {0}", ipAddress); ipBlockerDate[ipAddress] = DateTime.UtcNow; ExecuteBanScript(); } } else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan) { Log.Write(LogLevel.Info, "Got event with ip address {0}, count {1}, ip is already banned", ipAddress, ipBlockCount.Count); } else { Log.Write(LogLevel.Info, "Got event with ip address {0}, count: {1}", ipAddress, ipBlockCount.Count); } } } }