Пример #1
0
        private void ReadState(string filename)
        {
            using (Stream stream = File.Open(filename, FileMode.Open))
                using (BinaryReader reader = new BinaryReader(stream))
                {
                    lock (thisLock)
                    {
                        int nhistory = reader.ReadInt32();
                        for (int i = 0; i < nhistory; i++)
                        {
                            IPAddress addr = new IPAddress(reader.ReadBytes(16));
                            IFail     fail = null;

                            switch (history)
                            {
                            case HistoryType.ALL: fail = new FailAll(reader, findtime * TimeSpan.TicksPerSecond); break;

                            case HistoryType.ONE: fail = new FailOne(reader, findtime * TimeSpan.TicksPerSecond); break;

                            case HistoryType.FIXED: fail = new FailFixed(reader, findtime * TimeSpan.TicksPerSecond, history_fixed_count, history_fixed_decay); break;

                            case HistoryType.RRD: fail = new FailRRD(reader, findtime * TimeSpan.TicksPerSecond, history_rrd_count, history_rrd_repeat); break;
                            }

                            if (fail.Count > 0)
                            {
                                data[addr] = fail;
                            }
                        }
                    }
                }
        }
Пример #2
0
        private void ReadState(string filename)
        {
            using (Stream stream = File.Open(filename, FileMode.Open))
            using (BinaryReader reader = new BinaryReader(stream))
            {
                lock (thisLock)
                {
                    int nhistory = reader.ReadInt32();
                    for (int i = 0; i < nhistory; i++)
                    {
                        IPAddress addr = new IPAddress(reader.ReadBytes(16));
                        IFail fail = null;

                        switch (history)
                        {
                            case HistoryType.ALL: fail = new FailAll(reader, findtime * TimeSpan.TicksPerSecond); break;
                            case HistoryType.ONE: fail = new FailOne(reader, findtime * TimeSpan.TicksPerSecond); break;
                            case HistoryType.FIXED: fail = new FailFixed(reader, findtime * TimeSpan.TicksPerSecond, history_fixed_count, history_fixed_decay); break;
                            case HistoryType.RRD: fail = new FailRRD(reader, findtime * TimeSpan.TicksPerSecond, history_rrd_count, history_rrd_repeat); break;
                        }

                        if (fail.Count > 0)
                        {
                            data[addr] = fail;
                        }
                    }
                }
            }
        }
Пример #3
0
        public override string Execute(EventEntry evtlog)
        {
            // get fail2ban network address for given IP and prefix
            IPAddress addr = evtlog.Address;
            int prefix = ipv6_prefix;
            if (evtlog.Address.IsIPv4MappedToIPv6)
            {
                prefix = ipv4_prefix;
                if (prefix <= 32)
                {
                    prefix += 96;
                }
            }
            if (prefix != 128)
            {
                addr = Utils.GetNetwork(evtlog.Address, prefix);
            }

            // fix log event that came from future(?!), _we_ have correct time!
            long now = DateTime.Now.Ticks;
            long logtime = evtlog.Created.Ticks;

            if (logtime > now)
            {
                // is clock skew too hight!? occasionally log warning
                if (logtime > now + 300 * TimeSpan.TicksPerSecond)
                {
                    if (clockskew + 60 * TimeSpan.TicksPerSecond < now)
                    {
                        clockskew = now;

                        Log.Warn("Fail2ban[" + Name + "]: logtime from future ("
                            + ((logtime - now) / TimeSpan.TicksPerSecond) + " seconds) for "
                            + evtlog.Input + "/" + evtlog.Input.SelectorName
                            + " from " + evtlog.Hostname);
                    }
                }

                logtime = now;
            }

            int failcnt = 0;
            bool[] tresholdCheck = new bool[tresholds.Count];

            lock (thisLock)
            {
                // update failed login fail2ban data
                IFail fail;
                if (!data.TryGetValue(addr, out fail))
                {
                    switch (history)
                    {
                        case HistoryType.ALL: fail = new FailAll(findtime * TimeSpan.TicksPerSecond); break;
                        case HistoryType.ONE: fail = new FailOne(findtime * TimeSpan.TicksPerSecond); break;
                        case HistoryType.FIXED: fail = new FailFixed(findtime * TimeSpan.TicksPerSecond, history_fixed_count, history_fixed_decay); break;
                        case HistoryType.RRD: fail = new FailRRD(findtime * TimeSpan.TicksPerSecond, history_rrd_count, history_rrd_repeat); break;
                    }

                    data[addr] = fail;
                }
                failcnt = fail.Add(logtime);

                for (int i = 0; i < tresholds.Count; i++)
                {
                    tresholdCheck[i] = Check(addr, tresholds[i], failcnt);
                }
            }

            // evaluate all defined tresholds
            for (int i = 0; i < tresholds.Count; i++)
            {
                if (!tresholdCheck[i])
                    continue;

                Treshold treshold = tresholds[i];
                int tmpPrefix = prefix;
                IPAddress tmpAddr = addr;
                long expiration = now + TimeSpan.FromSeconds(treshold.Bantime).Ticks;

                if (addr.IsIPv4MappedToIPv6)
                {
                    // workaround for buggy MapToIPv4 implementation
                    tmpAddr = Fixes.MapToIPv4(addr);
                    tmpPrefix = prefix - 96;
                }

                Log.Info("Fail2ban[" + Name + "]: reached treshold "
                        + treshold.Name + " (" + treshold.MaxRetry + "&"
                        + failcnt + ") for " + tmpAddr + "/" + tmpPrefix);

                if (evtlog.HasProcData("Fail2ban.All"))
                {
                    string all = evtlog.GetProcData<string>("Fail2ban.All");
                    evtlog.SetProcData("Fail2ban.All", all + "," + Name);
                }
                else
                {
                    evtlog.SetProcData("Fail2ban.All", Name);
                }
                evtlog.SetProcData("Fail2ban.Last", Name);

                evtlog.SetProcData(Name + ".Address", tmpAddr);
                evtlog.SetProcData(Name + ".Prefix", tmpPrefix);
                evtlog.SetProcData(Name + ".FailCnt", failcnt);
                evtlog.SetProcData(Name + ".Bantime", treshold.Bantime);
                evtlog.SetProcData(Name + ".Expiration", expiration);
                evtlog.SetProcData(Name + ".Treshold", treshold.Name);

                // Add to "action" queue
                Produce(new EventEntry(evtlog), treshold.Action, EventQueue.Priority.High);
            }

            return goto_next;
        }
Пример #4
0
        public override string Execute(EventEntry evtlog)
        {
            string strAddress = evtlog.GetProcData <string>(address);

            if (string.IsNullOrEmpty(strAddress))
            {
                Log.Info("Fail2ban[" + Name
                         + "]: empty address attribute: " + address);

                return(goto_error);
            }

            IPAddress addr = null;

            try
            {
                addr = IPAddress.Parse(strAddress.Trim()).MapToIPv6();
            }
            catch (FormatException ex)
            {
                Log.Info("Fail2ban[" + Name
                         + "]: invalid address " + address
                         + "[" + strAddress + "]: " + ex.Message);

                return(goto_error);
            }

            // get fail2ban network address for given IP and prefix
            int prefix = ipv6_prefix;

            if (addr.IsIPv4MappedToIPv6)
            {
                prefix = ipv4_prefix;
                if (prefix <= 32)
                {
                    prefix += 96;
                }
            }
            if (prefix != 128)
            {
                addr = Utils.GetNetwork(addr, prefix);
            }

            // fix log event that came from future(?!), _we_ have correct time!
            long now     = DateTime.Now.Ticks;
            long logtime = evtlog.Created.Ticks;

            if (logtime > now)
            {
                // is clock skew too hight!? occasionally log warning
                if (logtime > now + 300 * TimeSpan.TicksPerSecond)
                {
                    if (clockskew + 60 * TimeSpan.TicksPerSecond < now)
                    {
                        clockskew = now;

                        Log.Warn("Fail2ban[" + Name + "]: logtime from future ("
                                 + ((logtime - now) / TimeSpan.TicksPerSecond) + " seconds) for "
                                 + evtlog.Input + "/" + evtlog.Input.SelectorName
                                 + " from " + evtlog.Machine);
                    }
                }

                logtime = now;
            }

            int failcnt = 0;

            bool[] tresholdCheck = new bool[tresholds.Count];

            lock (thisLock)
            {
                // update failed login fail2ban data
                IFail fail;
                if (!data.TryGetValue(addr, out fail))
                {
                    switch (history)
                    {
                    case HistoryType.ALL: fail = new FailAll(findtime * TimeSpan.TicksPerSecond); break;

                    case HistoryType.ONE: fail = new FailOne(findtime * TimeSpan.TicksPerSecond); break;

                    case HistoryType.FIXED: fail = new FailFixed(findtime * TimeSpan.TicksPerSecond, history_fixed_count, history_fixed_decay); break;

                    case HistoryType.RRD: fail = new FailRRD(findtime * TimeSpan.TicksPerSecond, history_rrd_count, history_rrd_repeat); break;
                    }

                    data[addr] = fail;
                }
                failcnt = fail.Add(logtime);

                for (int i = 0; i < tresholds.Count; i++)
                {
                    tresholdCheck[i] = Check(addr, tresholds[i], failcnt);
                }
            }

            // evaluate all defined tresholds
            for (int i = 0; i < tresholds.Count; i++)
            {
                if (!tresholdCheck[i])
                {
                    continue;
                }

                Treshold  treshold   = tresholds[i];
                int       tmpPrefix  = prefix;
                IPAddress tmpAddr    = addr;
                long      expiration = now + TimeSpan.FromSeconds(treshold.Bantime).Ticks;

                if (addr.IsIPv4MappedToIPv6)
                {
                    // workaround for buggy MapToIPv4 implementation
                    tmpAddr   = Fixes.MapToIPv4(addr);
                    tmpPrefix = prefix - 96;
                }

                Log.Info("Fail2ban[" + Name + "]: reached treshold "
                         + treshold.Name + " (" + treshold.MaxRetry + "&"
                         + failcnt + ") for " + tmpAddr + "/" + tmpPrefix);

                if (evtlog.HasProcData("Fail2ban.All"))
                {
                    string all = evtlog.GetProcData <string>("Fail2ban.All");
                    evtlog.SetProcData("Fail2ban.All", all + "," + Name);
                }
                else
                {
                    evtlog.SetProcData("Fail2ban.All", Name);
                }
                evtlog.SetProcData("Fail2ban.Last", Name);

                evtlog.SetProcData(Name + ".Address", tmpAddr);
                evtlog.SetProcData(Name + ".Prefix", tmpPrefix);
                evtlog.SetProcData(Name + ".FailCnt", failcnt);
                evtlog.SetProcData(Name + ".Bantime", treshold.Bantime);
                evtlog.SetProcData(Name + ".Expiration", expiration);
                evtlog.SetProcData(Name + ".Treshold", treshold.Name);

                // Add to "action" queue
                Produce(new EventEntry(evtlog), treshold.Action, EventQueue.Priority.High);
            }

            return(goto_next);
        }