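        /// <summary>
        /// Examines one sshd event-log entry and hands it to the ban logic.
        /// "Invalid user" messages are banned on first sight; "Failed password" messages are
        /// banned only once the correlator has recorded more than one failure for the same PID.
        /// </summary>
        /// <remarks>
        /// Messages whose PID cannot be recovered are skipped instead of being counted under PID 0.
        /// Previously every unparseable failure, from any client, shared counter 0, so the second
        /// such message triggered a ban for a client unrelated to the first.
        /// The message is assumed to look like "&lt;prefix&gt;: PID &lt;n&gt;: ..." — that is what the
        /// Split/Replace in TryExtractPid implies, it is not verified against sshd here.
        /// </remarks>
        public void Begin()
        {
            HelperFunctions.debugMessage(id, "Event Processor Worker starting...", 3);

            // Only sshd entries are of interest; anything else is ignored outright.
            if (!entry.Entry.Source.ToString().Equals("sshd"))
            {
                return;
            }

            string message = entry.Entry.Message.ToString();

            // An unknown account name is treated as hostile the first time it is seen;
            // no correlation is applied to this rule.
            if (message.Contains("Invalid user"))
            {
                ban(message);
            }

            if (message.Contains("Failed password"))
            {
                int pid;

                if (!TryExtractPid(message, out pid))
                {
                    HelperFunctions.debugMessage(id, "Could not read a PID from the sshd message; not correlating it.", 3);
                    return;
                }

                // count is the number of failures the correlator has now recorded for this PID.
                int count = FailedLoginCorrelator.failedLogin(pid);

                if (count > 1)
                {
                    ban(message);
                }
            }
        }

        // Pulls the sshd process id out of a "...: PID n: ..." style message.
        // Returns false (and pid = 0) when the second ':'-delimited field is missing or not numeric,
        // so the caller never feeds a bogus key to the correlator.
        private static bool TryExtractPid(string message, out int pid)
        {
            pid = 0;
            string[] fields = message.Split(':');
            if (fields.Length < 2)
            {
                return false;
            }

            return Int32.TryParse(fields[1].Replace(" PID ", ""), out pid);
        }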
        // Define the event handlers.
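        /// <summary>
        /// FileSystemWatcher callback for the sshd log. Reads every line appended since the last
        /// call (<c>highWaterMark</c> holds the number of lines already consumed) and launches a
        /// <c>CarnifexWorker</c> for each source address that matches one of the ban rules.
        /// </summary>
        /// <param name="source">The watcher raising the event; not used.</param>
        /// <param name="e">Event data; only <c>e.FullPath</c> is read.</param>
        /// <remarks>
        /// Rules, evaluated in order against the lower-cased line, stopping at the first ban:
        ///   "not listed in allowusers" - ban immediately.
        ///   "failed password"          - ban once the correlator reports more than one failure for the
        ///                                PID assumed to sit in the first space-delimited field of the
        ///                                line (confirm against the actual log format).
        ///   "invalid user"             - ban immediately; the correlator is still told about the PID.
        ///   "received disconnect from" - ban once the correlator reports more than one disconnect from
        ///                                the same IPv4 address.
        /// Lines carrying no IPv4 address are ignored: there is nothing to ban, and IPv6 peers are not
        /// handled here (the old code handed an empty address to the ban worker). Lines whose PID cannot
        /// be parsed are not counted under PID 0, since that merged unrelated clients into one counter.
        /// The whole body runs under <c>fileLock</c> so overlapping events cannot interleave reads or
        /// corrupt the high-water mark.
        /// NOTE(review): the user name passed to CarnifexWorker is attacker-chosen text lifted from the
        /// log line; whatever CarnifexWorker does with it (firewall rule, shell command) must treat it
        /// as untrusted — verify there.
        /// </remarks>
        private void OnChanged(object source, FileSystemEventArgs e)
        {
            HelperFunctions.debugMessage(0, "Change in log file detected.", 5, 100, HelperFunctions.MessageType.Information, TAG);

            // A Deleted event, or a rotation in progress, leaves nothing to open. FileMode.Open
            // would throw on the watcher's thread-pool callback, where nothing catches it.
            if (!File.Exists(e.FullPath))
            {
                HelperFunctions.debugMessage(0, "Log file not present; nothing to read.", 5, 100, HelperFunctions.MessageType.Information, TAG);
                return;
            }

            lock (this.fileLock)
            {
                // The log is flushed to disk in chunks, so one event can surface a line that the next
                // event sees again. Addresses banned during this pass are remembered to avoid
                // launching duplicate workers.
                ArrayList bannedThisIteration = new ArrayList();

                using (var file = new FileStream(e.FullPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
                using (var sr = new StreamReader(file))
                {
                    // Skip the lines consumed by earlier calls. Reaching EOF before the mark means the
                    // file was rotated or truncated: drop the stale mark and read the new file from its
                    // first line, otherwise nothing is processed until it regrows past the old mark.
                    for (int i = 1; i <= this.highWaterMark; ++i)
                    {
                        if (sr.ReadLine() == null)
                        {
                            HelperFunctions.debugMessage(0, "Log file is shorter than the high water mark; re-reading from the start.", 5, 100, HelperFunctions.MessageType.Information, TAG);
                            this.highWaterMark = 0;
                            file.Seek(0, SeekOrigin.Begin);
                            sr.DiscardBufferedData();
                            break;
                        }
                    }

                    while (!sr.EndOfStream)
                    {
                        // Invariant lower-casing: the culture-sensitive ToLower() maps "I" to a dotless
                        // i under some locales, which would silently defeat the ASCII keyword checks.
                        string logLine = sr.ReadLine().ToLowerInvariant();
                        highWaterMark++;

                        // Echoes attacker-controlled log text verbatim; debug aid only.
                        Console.WriteLine(logLine);

                        Match ipMatch = IpPattern.Match(logLine);
                        if (!ipMatch.Success)
                        {
                            continue;
                        }
                        string ip = ipMatch.Value;

                        // Already queued for a ban during this pass; every rule below would duplicate it.
                        if (bannedThisIteration.Contains(ip))
                        {
                            continue;
                        }

                        int pid;

                        if (logLine.Contains("not listed in allowusers"))
                        {
                            QueueBan(bannedThisIteration, UserAfterUser.Match(logLine).Value, ip);
                            continue;
                        }

                        if (logLine.Contains("failed password"))
                        {
                            // A parse failure skips the correlator rather than counting under key 0.
                            if (TryParseLeadingPid(logLine, out pid) && FailedLoginCorrelator.failedLogin(pid) > 1)
                            {
                                QueueBan(bannedThisIteration, UserAfterFor.Match(logLine).Value, ip);
                                continue;
                            }
                        }

                        if (logLine.Contains("invalid user"))
                        {
                            // Counted against the PID as before, but banned regardless of the count.
                            if (TryParseLeadingPid(logLine, out pid))
                            {
                                FailedLoginCorrelator.failedLogin(pid);
                            }
                            QueueBan(bannedThisIteration, UserAfterUser.Match(logLine).Value, ip);
                            continue;
                        }

                        if (logLine.Contains("received disconnect from"))
                        {
                            // Keyed by the packed address rather than its digits concatenated: that key
                            // collided ("12.3.4.5" vs "1.23.4.5") and overflowed Int32 for many
                            // addresses, which then all landed on key 0. Keys still share the
                            // correlator's space with PIDs, as before.
                            if (FailedLoginCorrelator.failedLogin(Ipv4Key(ip)) > 1)
                            {
                                QueueBan(bannedThisIteration, "", ip);
                            }
                        }
                    }
                }
            }
        }

        // Dotted-quad IPv4 only; lines without one are never acted on, so IPv6 peers are not banned here.
        private static readonly Regex IpPattern = new Regex(@"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b");

        // Account name as it appears in "... user <name> from ..." and "... for <name> from ...".
        // An unmatched pattern yields "" for the user, as before.
        private static readonly Regex UserAfterUser = new Regex(@"(?<=user ).*?(?= from)");
        private static readonly Regex UserAfterFor = new Regex(@"(?<=for ).*?(?= from)");

        // Records ip as banned for this pass and launches the worker that performs the ban.
        // The caller has already checked that ip is not in banned.
        private static void QueueBan(ArrayList banned, string user, string ip)
        {
            banned.Add(ip);
            CarnifexWorker worker = new CarnifexWorker(user, ip);
            ThreadManager.LaunchWorker(worker);
        }

        // Reads the PID the log format is assumed to put in the first space-delimited field.
        // Returns false (pid = 0) when that field is not an integer, so callers can avoid
        // correlating unrelated lines under a shared key.
        private static bool TryParseLeadingPid(string logLine, out int pid)
        {
            return Int32.TryParse(logLine.Split(' ')[0], out pid);
        }

        // Packs a dotted-quad IPv4 string into one int (a.b.c.d -> a<<24 | b<<16 | c<<8 | d),
        // giving every address a distinct correlator key. Only valid for strings matched by IpPattern.
        private static int Ipv4Key(string ip)
        {
            int key = 0;
            foreach (string octet in ip.Split('.'))
            {
                key = (key << 8) | Int32.Parse(octet);
            }
            return key;
        }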