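/// <summary>
/// Handles one event-log record from sshd: an "Invalid user" message is banned immediately, while a
/// "Failed password" message is banned only once <see cref="FailedLoginCorrelator"/> has seen more
/// than one failure for the same sshd PID. Records from any other source are ignored.
/// </summary>
public void Begin()
{
    HelperFunctions.debugMessage(id, "Event Processor Worker starting...", 3);

    // Only sshd records carry the messages handled below.
    if (!entry.Entry.Source.ToString().Equals("sshd"))
    {
        return;
    }

    // Read the message once; the original re-fetched it for every check.
    string message = entry.Entry.Message.ToString();

    if (message.Contains("Invalid user"))
    {
        ban(message);
    }

    if (message.Contains("Failed password"))
    {
        int pid;
        if (!TryParsePidFromMessage(message, out pid))
        {
            // An unparsable PID must not default to 0: every such message would then share one
            // correlator key and trigger bans for each other. A message with no second ':' field
            // used to throw IndexOutOfRangeException here instead of being skipped.
            HelperFunctions.debugMessage(id, "Could not read the sshd PID from the event message; not correlating it.", 3);
            return;
        }

        // Second failure from the same sshd PID triggers the ban.
        if (FailedLoginCorrelator.failedLogin(pid) > 1)
        {
            ban(message);
        }
    }
}

// Extracts the sshd PID from an event message laid out as "<source>: PID <n>: <text>", i.e. the
// second ':'-separated field with its " PID " label removed. Returns false (pid = 0) when the
// field is missing or not an integer.
// NOTE(review): the field layout is inferred from the original parsing code, not from a sample
// message -- confirm against a real sshd event.
private static bool TryParsePidFromMessage(string message, out int pid)
{
    string[] fields = message.Split(':');
    if (fields.Length < 2)
    {
        pid = 0;
        return false;
    }
    return Int32.TryParse(fields[1].Replace(" PID ", ""), out pid);
}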
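// Define the event handlers.

// Patterns used for every log line; built once instead of on each loop iteration.
// First dotted-quad IPv4 address on the line (octets limited to 0-255).
private static readonly Regex ipv4Regex = new Regex(@"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b");
// User name between "user " and " from" (used for "not listed in allowusers" and "invalid user" lines).
private static readonly Regex userAfterUserRegex = new Regex(@"(?<=user ).*?(?= from)");
// User name between "for " and " from" (used for "failed password" lines).
private static readonly Regex userAfterForRegex = new Regex(@"(?<=for ).*?(?= from)");

/// <summary>
/// FileSystemWatcher callback: reads every line appended to the watched log since the last
/// event (tracked by <c>highWaterMark</c>) and launches a <see cref="CarnifexWorker"/> for each
/// address whose sshd messages warrant a ban.
/// </summary>
/// <param name="source">The watcher that raised the event (unused).</param>
/// <param name="e">Carries the full path of the changed log file.</param>
private void OnChanged(object source, FileSystemEventArgs e)
{
    // Specify what is done when a file is changed, created, or deleted.
    HelperFunctions.debugMessage(0, "Change in log file detected.", 5, 100, HelperFunctions.MessageType.Information, TAG);

    lock (this.fileLock)
    {
        // Because of the way data is flushed to disk in the log file, there is potential for bans
        // to be duplicated. As such we keep the IPs banned this time round to avoid creating duplicates.
        var bannedThisIteration = new System.Collections.Generic.HashSet<string>(StringComparer.Ordinal);

        // FileShare.ReadWrite: the process writing the log still holds it open.
        using (var file = new FileStream(e.FullPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
        using (var sr = new StreamReader(file))
        {
            // Move to the high water mark (lines already handled by an earlier event).
            // NOTE(review): highWaterMark is never reset here, so a rotated or truncated log is not
            // re-read until it grows past the old mark again -- confirm that is intended.
            for (int i = 1; i <= this.highWaterMark; ++i)
            {
                if (sr.ReadLine() == null)
                {
                    break;
                }
            }

            // Process each subsequent line.
            while (!sr.EndOfStream)
            {
                string logLine = sr.ReadLine().ToLower();
                highWaterMark++;
                Console.WriteLine(logLine);
                ProcessLogLine(logLine, bannedThisIteration);
            }
        }
    }
}

// Inspects one lower-cased log line and launches a ban worker where the sshd message warrants it.
// Several checks can match the same line (e.g. "failed password for invalid user ..." hits both
// the "failed password" and the "invalid user" check); they run in the original order, and the
// per-event set stops a second worker for the same address.
private void ProcessLogLine(string logLine, System.Collections.Generic.HashSet<string> bannedThisIteration)
{
    string ip = ipv4Regex.Match(logLine).Value;
    if (ip.Length == 0)
    {
        // Without an address there is nothing to ban; an empty string must not reach the worker.
        HelperFunctions.debugMessage(0, "No IPv4 address found in log line; ignoring it.", 5, 100, HelperFunctions.MessageType.Information, TAG);
        return;
    }

    int pid;

    if (logLine.Contains("not listed in allowusers") && !bannedThisIteration.Contains(ip))
    {
        LaunchBan(userAfterUserRegex.Match(logLine).Value, ip, bannedThisIteration);
    }

    if (logLine.Contains("failed password") && !bannedThisIteration.Contains(ip))
    {
        // Second failure from the same sshd PID triggers the ban. A line whose leading token is
        // not a PID is not correlated at all: defaulting to key 0 made all such lines count
        // towards each other.
        if (TryParseLeadingPid(logLine, out pid) && FailedLoginCorrelator.failedLogin(pid) > 1)
        {
            LaunchBan(userAfterForRegex.Match(logLine).Value, ip, bannedThisIteration);
        }
    }

    if (logLine.Contains("invalid user") && !bannedThisIteration.Contains(ip))
    {
        // An unknown user name is banned on the first attempt; the failure is still recorded so
        // the correlator's count for this PID stays consistent with the other checks.
        if (TryParseLeadingPid(logLine, out pid))
        {
            FailedLoginCorrelator.failedLogin(pid);
        }
        LaunchBan(userAfterUserRegex.Match(logLine).Value, ip, bannedThisIteration);
    }

    if (logLine.Contains("received disconnect from") && !bannedThisIteration.Contains(ip))
    {
        // Disconnect lines are correlated by address rather than by PID; no user name is known.
        if (FailedLoginCorrelator.failedLogin(CorrelationKeyForAddress(ip)) > 1)
        {
            LaunchBan("", ip, bannedThisIteration);
        }
    }
}

// Reads the sshd PID that the log format places as the first space-separated token of a line.
// Returns false (pid = 0) when that token is not an integer.
// NOTE(review): assumes the log writer emits the PID first; a stock syslog line begins with the
// month name and will not parse -- confirm against the actual log format.
private static bool TryParseLeadingPid(string logLine, out int pid)
{
    int firstSpace = logLine.IndexOf(' ');
    string token = firstSpace < 0 ? logLine : logLine.Substring(0, firstSpace);
    return Int32.TryParse(token, out pid);
}

// Folds a dotted-quad IPv4 address into a non-negative int so it can share the correlator's
// integer key space with PIDs. Concatenating the digits and parsing them, as before, overflows
// Int32 for most addresses and silently collapsed them all onto key 0.
private static int CorrelationKeyForAddress(string ip)
{
    int key = 0;
    foreach (string octet in ip.Split('.'))
    {
        int value;
        Int32.TryParse(octet, out value);
        key = (key << 8) | (value & 0xFF);
    }
    // Clear the sign bit so the key is never negative; a.b.c.d and (a+128).b.c.d then share a
    // key, which is acceptable for correlation purposes.
    return key & 0x7FFFFFFF;
}

// Records the address as handled for this event and hands the ban to a worker thread.
private void LaunchBan(string user, string ip, System.Collections.Generic.HashSet<string> bannedThisIteration)
{
    bannedThisIteration.Add(ip);
    CarnifexWorker worker = new CarnifexWorker(user, ip);
    ThreadManager.LaunchWorker(worker);
}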