public void Begin()
{
HelperFunctions.debugMessage(id, "Event Processor Worker starting...", 3);
if (entry.Entry.Source.ToString().Equals("sshd"))
{
if (entry.Entry.Message.ToString().Contains("Invalid user"))
{
ban(entry.Entry.Message.ToString());
}
if (entry.Entry.Message.ToString().Contains("Failed password"))
{
int pid;
Int32.TryParse((entry.Entry.Message.ToString().Split(':')[1].Replace(" PID ", "")), out pid);
int count = FailedLoginCorrelator.failedLogin(pid);
if (count > 1)
{
ban(entry.Entry.Message.ToString());
}
}
}
}
// Define the event handlers.
private void OnChanged(object source, FileSystemEventArgs e)
{
// Specify what is done when a file is changed, created, or deleted.
HelperFunctions.debugMessage(0, "Change in log file detected.", 5, 100, HelperFunctions.MessageType.Information, TAG);
lock (this.fileLock)
{
ArrayList bannedThisIteration = new ArrayList(); //Because of the way the way data is flushed to disk in the log file, there is potential for bans to be duplicated. As such we'll keep a
//list of the IPs we've banned this time round to avoid creating duplicates
using (var file = new FileStream(e.FullPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
using (var sr = new StreamReader(file))
{
//Move to the high water mark
for (int i = 1; i <= this.highWaterMark; ++i)
{
sr.ReadLine();
}
//Process each subsequent line
while (!sr.EndOfStream)
{
string logLine = sr.ReadLine();
logLine = logLine.ToLower();
highWaterMark++;
Console.WriteLine(logLine);
Regex regxIP = new Regex(@"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b");
Match regxIPM = regxIP.Match(logLine);
string ip = regxIPM.Value;
if (logLine.ToLower().Contains("not listed in allowusers"))
{
Regex regxUser = new Regex(@"(?<=user ).*?(?= from)");
Match regxUserM = regxUser.Match(logLine);
string user = regxUserM.Value;
if (!bannedThisIteration.Contains(regxIPM.Value))
{
bannedThisIteration.Add(regxIPM.Value);
CarnifexWorker worker = new CarnifexWorker(user, ip);
ThreadManager.LaunchWorker(worker);
//ban(ip, user);
}
}
if (logLine.ToLower().Contains("failed password"))
{
Regex regxUser = new Regex(@"(?<=for ).*?(?= from)");
Match regxUserM = regxUser.Match(logLine);
string user = regxUserM.Value;
if (!bannedThisIteration.Contains(ip))
{
int pid;
Int32.TryParse((logLine.Split(' ')[0]), out pid);
int count = FailedLoginCorrelator.failedLogin(pid);
if (count > 1)
{
bannedThisIteration.Add(ip);
CarnifexWorker worker = new CarnifexWorker(user, ip);
ThreadManager.LaunchWorker(worker);
//ban(ip, user);
}
}
}
if (logLine.ToLower().Contains("invalid user"))
{
Regex regxUser = new Regex(@"(?<=user ).*?(?= from)");
Match regxUserM = regxUser.Match(logLine);
string user = regxUserM.Value;
if (!bannedThisIteration.Contains(ip))
{
int pid;
Int32.TryParse((logLine.Split(' ')[0]), out pid);
int count = FailedLoginCorrelator.failedLogin(pid);
bannedThisIteration.Add(ip);
CarnifexWorker worker = new CarnifexWorker(user, ip);
ThreadManager.LaunchWorker(worker);
//ban(ip, user);
}
}
if (logLine.ToLower().Contains("received disconnect from"))
{
if (!bannedThisIteration.Contains(ip))
{
int pid;
Int32.TryParse(ip.Replace(".", ""), out pid);
int count = FailedLoginCorrelator.failedLogin(pid);
if (count > 1)
{
bannedThisIteration.Add(ip);
CarnifexWorker worker = new CarnifexWorker("", ip);
ThreadManager.LaunchWorker(worker);
//ban(ip, user);
}
}
}
}
sr.Close();
sr.Dispose();
file.Close();
}
}
}