private void ParseRegex(Regex regex, string text, bool successful, string timestampFormat) { List <IPAddressLogEvent> events = new(); IPAddressEventType type = (successful ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin); foreach (IPAddressLogEvent info in IPBanService.GetIPAddressEventsFromRegex(regex, text, timestampFormat, type, dns)) { info.Source ??= Source; // apply default source only if we don't already have a source if (info.FailedLoginThreshold <= 0) { info.FailedLoginThreshold = FailedLoginThreshold; } if (successful) { info.LogLevel = SuccessfulLogLevel; } else { info.LogLevel = FailedLogLevel; } events.Add(info); Logger.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}, type: {4}", info.IPAddress, info.UserName, info.Source, info.Count, info.Type); } loginHandler.AddIPAddressLogEvents(events); }
/// <summary> /// Create a test IPBanService /// </summary> /// <param name="directory">Root directory</param> /// <param name="configFileName">Config file name</param> /// <param name="defaultBannedIPAddressHandlerUrl">Url for banned ip handling or null to not handle banned ip</param> /// <param name="configFileModifier">Change config file (param are file text, returns new file text)</param> /// <returns>Service</returns> public static T CreateAndStartIPBanTestService <T>(string directory = null, string configFileName = null, string defaultBannedIPAddressHandlerUrl = null, Func <string, string> configFileModifier = null) where T : IPBanService { DefaultHttpRequestMaker.DisableLiveRequests = true; // cleanup any db, set or tbl files foreach (string file in Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.set") .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.tbl")) .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.set6")) .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.tbl6")) .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.sqlite")) .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.sqlite-wal")) .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.sqlite-shm")) .Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*-journal"))) { ExtensionMethods.FileDeleteWithRetry(file, 1000); } if (string.IsNullOrWhiteSpace(directory)) { directory = Path.GetDirectoryName(IPBanAssembly.Location); } if (string.IsNullOrWhiteSpace(configFileName)) { configFileName = IPBanService.ConfigFileName; } string configFilePath = Path.Combine(directory, configFileName); string configFileText = File.ReadAllText(configFilePath); configFilePath += ".tmp"; if (configFileModifier != null) { configFileText = configFileModifier(configFileText); } ExtensionMethods.FileWriteAllTextWithRetry(configFilePath, configFileText); T service = IPBanService.CreateService <T>() as T; service.ExternalIPAddressLookup = LocalMachineExternalIPAddressLookupTest.Instance; service.ConfigFilePath = configFilePath; service.MultiThreaded = false; service.ManualCycle = true; if (defaultBannedIPAddressHandlerUrl is null) { service.BannedIPAddressHandler = NullBannedIPAddressHandler.Instance; } else { service.BannedIPAddressHandler = new DefaultBannedIPAddressHandler { BaseUrl = defaultBannedIPAddressHandlerUrl }; } service.Version = "1.1.1.1"; service.StartAsync().Sync(); service.DB.Truncate(true); service.Firewall.Truncate(); return(service); }
/// <summary> /// Dispose of an IPBanService created with CreateAndStartIPBanTestService /// </summary> /// <param name="service">Service to dispose</param> public static void DisposeIPBanTestService(IPBanService service) { if (service != null) { service.Firewall.Truncate(); service.RunCycle().Sync(); service.Dispose(); IPBanService.UtcNow = default; } }
/// <summary> /// Dispose of an IPBanService created with CreateAndStartIPBanTestService /// </summary> /// <param name="service">Service to dispose</param> public static void DisposeIPBanTestService(IPBanService service) { if (service != null) { if (File.Exists(Path.Combine(AppContext.BaseDirectory, "nlog.config"))) { File.Delete(Path.Combine(AppContext.BaseDirectory, "nlog.config")); } service.Firewall.Truncate(); service.RunCycleAsync().Sync(); service.IPBanDelegate = null; service.Dispose(); NLog.Time.TimeSource.Current = new NLog.Time.AccurateUtcTimeSource(); IPBanService.UtcNow = default; } }
private bool ParseRegex(Regex regex, string line, bool notifyOnly) { if (regex != null) { IPAddressLogEvent info = IPBanService.GetIPAddressInfoFromRegex(dns, regex, line); if (info.FoundMatch) { info.Type = (notifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin); info.Source = info.Source ?? Source; IPBanLog.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}, type: {4}", info.IPAddress, info.UserName, info.Source, info.Count, info.Type); loginHandler.AddIPAddressLogEvents(new IPAddressLogEvent[] { info }); return(true); } } return(false); }
/// <summary> /// Create a test IPBanService /// </summary> /// <param name="directory">Root directory</param> /// <param name="configFileName">Config file name</param> /// <param name="defaultBannedIPAddressHandlerUrl">Url for banned ip handling or null to not handle banned ip</param> /// <param name="configFileModifier">Change config file (param are file text, returns new file text)</param> /// <returns>Service</returns> public static T CreateAndStartIPBanTestService <T>(string directory = null, string configFileName = null, string defaultBannedIPAddressHandlerUrl = null, Func <string, string> configFileModifier = null) where T : IPBanService { ExtensionMethods.RemoveDatabaseFiles(); DefaultHttpRequestMaker.DisableLiveRequests = true; if (string.IsNullOrWhiteSpace(directory)) { directory = Path.GetDirectoryName(IPBanAssembly.Location); } if (string.IsNullOrWhiteSpace(configFileName)) { configFileName = IPBanConfig.DefaultFileName; } string configFilePath = Path.Combine(directory, configFileName); string configFileText = File.ReadAllText(configFilePath); configFilePath += ".tmp"; if (configFileModifier != null) { configFileText = configFileModifier(configFileText); } ExtensionMethods.FileWriteAllTextWithRetry(configFilePath, configFileText); T service = IPBanService.CreateService <T>() as T; service.ExternalIPAddressLookup = LocalMachineExternalIPAddressLookupTest.Instance; service.ConfigFilePath = configFilePath; service.MultiThreaded = false; service.ManualCycle = true; service.DnsList = null; // too slow for tests, turn off if (defaultBannedIPAddressHandlerUrl is null) { service.BannedIPAddressHandler = NullBannedIPAddressHandler.Instance; } else { service.BannedIPAddressHandler = new DefaultBannedIPAddressHandler { BaseUrl = defaultBannedIPAddressHandlerUrl }; } service.Version = "1.1.1.1"; service.RunAsync(CancellationToken.None).Sync(); service.RunCycle().Sync(); service.DB.Truncate(true); service.Firewall.Truncate(); return(service); }
/// <summary> /// Start typed ipban service /// </summary> /// <typeparam name="T">Type of ipban service</typeparam> /// <param name="args">Args</param> /// <param name="started">Started callback</param> /// <returns>Task</returns> public static async Task MainService <T>(string[] args, Action started = null) where T : IPBanService { T service = IPBanService.CreateService <T>(); await MainService(args, async (_args) => { // kick off start in background thread, make sure service starts up in a timely manner await service.StartAsync(); started?.Invoke(); // wait for service to end await service.WaitAsync(Timeout.Infinite); }, () => { // stop the service, will cause any WaitAsync to exit service.Stop(); }); }
/// <summary> /// Create a test IPBanService /// </summary> /// <param name="directory">Root directory</param> /// <param name="configFileName">Config file name</param> /// <param name="defaultBannedIPAddressHandlerUrl">Url for banned ip handling or null to not handle banned ip</param> /// <param name="configFileModifier">Change config file (param are file text, returns new file text)</param> /// <returns>Service</returns> public static T CreateAndStartIPBanTestService <T>(string directory = null, string configFileName = null, string defaultBannedIPAddressHandlerUrl = null, Func <string, string> configFileModifier = null) where T : IPBanService { NLog.Time.TimeSource.Current = new TestTimeSource(); string defaultNLogConfig = $@"<?xml version=""1.0""?> <nlog xmlns=""http://www.nlog-project.org/schemas/NLog.xsd"" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" throwExceptions=""false"" internalLogToConsole=""false"" internalLogToConsoleError=""false"" internalLogLevel=""Trace""> <targets> <target name=""logfile"" xsi:type=""File"" fileName=""${{basedir}}/logfile.txt"" encoding=""UTF-8""/> <target name=""console"" xsi:type=""Console""/> </targets> <rules> <logger name=""*"" minlevel=""Debug"" writeTo=""logfile""/> <logger name=""*"" minlevel=""Debug"" writeTo=""console""/> </rules> </nlog>"; File.WriteAllText(Path.Combine(AppContext.BaseDirectory, "nlog.config"), defaultNLogConfig); string logFilePath = Path.Combine(AppContext.BaseDirectory, "logfile.txt"); if (File.Exists(logFilePath)) { File.Delete(logFilePath); } ExtensionMethods.RemoveDatabaseFiles(); DefaultHttpRequestMaker.DisableLiveRequests = true; if (string.IsNullOrWhiteSpace(directory)) { directory = AppContext.BaseDirectory; } if (string.IsNullOrWhiteSpace(configFileName)) { configFileName = IPBanConfig.DefaultFileName; } string configFilePath = Path.Combine(directory, configFileName); string configFileText = File.ReadAllText(configFilePath); configFilePath += ".tmp"; if (configFileModifier != null) { configFileText = configFileModifier(configFileText); } ExtensionMethods.FileWriteAllTextWithRetry(configFilePath, configFileText); T service = IPBanService.CreateService <T>() as T; service.ExternalIPAddressLookup = LocalMachineExternalIPAddressLookupTest.Instance; service.ConfigFilePath = configFilePath; service.MultiThreaded = false; service.ManualCycle = true; service.DnsList = null; // too slow for tests, turn off if (defaultBannedIPAddressHandlerUrl is null) { service.BannedIPAddressHandler = NullBannedIPAddressHandler.Instance; } else { service.BannedIPAddressHandler = new DefaultBannedIPAddressHandler { BaseUrl = defaultBannedIPAddressHandlerUrl }; } service.Version = "1.1.1.1"; service.RunAsync(CancellationToken.None).Sync(); service.RunCycleAsync().Sync(); service.DB.Truncate(true); service.Firewall.Truncate(); return(service); }
private IPAddressLogEvent ExtractEventViewerXml(XmlDocument doc) { XmlNode keywordsNode = doc.SelectSingleNode("//Keywords"); string keywordsText = keywordsNode.InnerText; if (keywordsText.StartsWith("0x")) { keywordsText = keywordsText.Substring(2); } ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture); IPAddressLogEvent info = null; bool foundNotifyOnly = false; if (keywordsNode != null) { // we must match on keywords foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG)) { string userName = null; string source = null; foreach (EventViewerExpression expression in group.Expressions) { // find all the nodes, try and get an ip from any of them, all must match XmlNodeList nodes = doc.SelectNodes(expression.XPath); if (nodes.Count == 0) { Logger.Debug("No nodes found for xpath {0}", expression.XPath); info = null; break; } // if there is a regex, it must match if (string.IsNullOrWhiteSpace(expression.Regex)) { // count as a match, do not modify the ip address if it was already set Logger.Debug("No regex, so counting as a match"); } else { info = null; // try and find an ip from any of the nodes foreach (XmlNode node in nodes) { // if we get a match, stop checking nodes info = IPBanService.GetIPAddressInfoFromRegex(service.DnsLookup, expression.RegexObject, node.InnerText); if (info.FoundMatch) { if (group.NotifyOnly) { foundNotifyOnly = true; } else if (foundNotifyOnly) { throw new InvalidDataException("Conflicting expressions in event viewer, both failed and success logins matched keywords " + group.Keywords); } userName = (userName ?? info.UserName); source = (source ?? info.Source); break; } } if (info != null && !info.FoundMatch) { // match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban Logger.Debug("Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath); info = null; foundNotifyOnly = false; break; } } } if (info != null && info.FoundMatch && info.IPAddress != null) { info.UserName = (info.UserName ?? userName); info.Source = info.Source ?? source ?? group.Source; break; } info = null; // set null for next attempt } } if (info != null) { info.Type = (foundNotifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin); } return(info); }