private void ProcessBanFileOnStart()
{
lock (ipBlocker)
{
ipBlocker.Clear();
ipBlockerDate.Clear();
if (File.Exists(config.BanFile))
{
string[] lines = File.ReadAllLines(config.BanFile);
if (config.BanFileClearOnRestart)
{
File.Delete(config.BanFile);
}
else
{
IPAddress tmp;
foreach (string ip in lines)
{
string ipTrimmed = ip.Trim();
if (IPAddress.TryParse(ipTrimmed, out tmp))
{
IPBlockCount blockCount = new IPBlockCount();
blockCount.IncrementCount();
ipBlocker[ip] = blockCount;
ipBlockerDate[ip] = DateTime.UtcNow;
}
}
}
}
}
IPBanWindowsFirewall.DeleteRules();
ExecuteBanScript();
}
private void ProcessBanFileOnStart()
{
lock (ipAddressesAndBlockCounts)
{
ipAddressesAndBlockCounts.Clear();
ipAddressesAndBanDate.Clear();
if (File.Exists(config.BanFile))
{
if (config.BanFileClearOnRestart)
{
// don't re-ban any ip addresses, per config option
File.Delete(config.BanFile);
}
else
{
string[] lines = File.ReadAllLines(config.BanFile);
foreach (string ip in lines)
{
string[] pieces = ip.Split('\t');
if (pieces.Length > 0)
{
string ipTrimmed = pieces[0].Trim();
if (IPAddress.TryParse(ipTrimmed, out IPAddress tmp))
{
// setup a ban entry for the ip address
IPBlockCount blockCount = new IPBlockCount(config.FailedLoginAttemptsBeforeBan);
ipAddressesAndBlockCounts[ipTrimmed] = blockCount;
if (pieces.Length > 1)
{
try
{
// use the date/time if we have it
ipAddressesAndBanDate[ipTrimmed] = DateTime.Parse(pieces[1]).ToUniversalTime();
}
catch
{
// corrupt date/time in the file, fallback to current date/time
ipAddressesAndBanDate[ipTrimmed] = DateTime.UtcNow;
}
}
else
{
// otherwise fall back to current date/time
ipAddressesAndBanDate[ipTrimmed] = DateTime.UtcNow;
}
}
}
}
}
}
}
ExecuteBanScript();
}
private void ProcessIPAddress(string ipAddress)
{
lock (ipBlocker)
{
// Get the IPBlockCount, if one exists.
IPBlockCount ipBlockCount;
ipBlocker.TryGetValue(ipAddress, out ipBlockCount);
if (ipBlockCount == null)
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipBlocker[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}", ipAddress, ipBlockCount.Count);
// check for the target user name for additional blacklisting checks
bool blackListed = config.IsBlackListed(ipAddress);
// if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them
if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan)
{
// if they are not black listed OR this is the first increment of a black listed ip address, perform the ban
if (!blackListed || ipBlockCount.Count >= 1)
{
if (!ipBlockerDate.ContainsKey(ipAddress))
{
Log.Write(LogLevel.Error, "Banning ip address: {0}, black listed: {1}, count: {2}", ipAddress, blackListed, ipBlockCount.Count);
ipBlockerDate[ipAddress] = DateTime.UtcNow;
ExecuteBanScript();
}
}
else
{
Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, ip should already be banned", ipAddress);
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count);
}
}
}
private void ProcessPendingIPAddresses()
{
List <PendingIPAddress> ipAddresses;
lock (pendingIPAddresses)
{
ipAddresses = new List <PendingIPAddress>(pendingIPAddresses);
pendingIPAddresses.Clear();
}
foreach (PendingIPAddress p in ipAddresses)
{
string ipAddress = p.IPAddress;
string userName = p.UserName;
DateTime dateTime = p.DateTime;
if (config.IsWhiteListed(ipAddress))
{
Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName);
}
else
{
lock (ipBlocker)
{
// Get the IPBlockCount, if one exists.
IPBlockCount ipBlockCount;
ipBlocker.TryGetValue(ipAddress, out ipBlockCount);
if (ipBlockCount == null)
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipBlocker[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName);
// check for the target user name for additional blacklisting checks
bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName));
// if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them
if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan)
{
// if they are not black listed OR this is the first increment of a black listed ip address, perform the ban
if (!blackListed || ipBlockCount.Count >= 1)
{
if (!ipBlockerDate.ContainsKey(ipAddress))
{
Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count);
ipBlockerDate[ipAddress] = dateTime;
ExecuteBanScript();
}
}
else
{
Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName);
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count);
}
}
}
}
}
private void ProcessPendingIPAddresses()
{
List <PendingIPAddress> ipAddresses;
lock (pendingIPAddresses)
{
ipAddresses = new List <PendingIPAddress>(pendingIPAddresses);
pendingIPAddresses.Clear();
}
foreach (PendingIPAddress p in ipAddresses)
{
string ipAddress = p.IPAddress;
string userName = p.UserName;
DateTime dateTime = p.DateTime;
if (config.IsWhiteListed(ipAddress))
{
Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName);
}
else
{
lock (ipAddressesAndBlockCounts)
{
// Get the IPBlockCount, if one exists.
if (!ipAddressesAndBlockCounts.TryGetValue(ipAddress, out IPBlockCount ipBlockCount))
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipAddressesAndBlockCounts[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName);
// check for the target user name for additional blacklisting checks
bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName));
// if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them
if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan)
{
// if they are not black listed OR this is the first increment of a black listed ip address, perform the ban
if (!blackListed || ipBlockCount.Count >= 1)
{
if (!ipAddressesAndBanDate.ContainsKey(ipAddress))
{
Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count);
ipAddressesAndBanDate[ipAddress] = dateTime;
// Run a process if one is in config
var programToRunConfigString = config.ProcessToRunOnBan(ipAddress);
if (!string.IsNullOrWhiteSpace(programToRunConfigString))
{
try
{
var firstSpaceIndex = programToRunConfigString.IndexOf(" ", StringComparison.Ordinal);
var program = programToRunConfigString.Substring(0, firstSpaceIndex);
var arguments = programToRunConfigString.Remove(0, firstSpaceIndex + 1);
Log.Write(LogLevel.Error, "Running program: {0} with arguments: {1}", program, arguments);
Process.Start(program, arguments);
}
catch (Exception e)
{
Log.Write(LogLevel.Error, "Failed to execute process on ban: {0}", e);
}
}
ExecuteBanScript();
}
}
else
{
Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName);
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count);
}
}
}
}
}
private void ProcessIPAddress(string ipAddress, XmlDocument doc)
{
if (string.IsNullOrWhiteSpace(ipAddress))
{
return;
}
string userName = null;
XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']");
if (userNameNode != null)
{
userName = userNameNode.InnerText.Trim();
}
if (config.IsWhiteListed(ipAddress))
{
Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName);
}
else
{
lock (ipBlocker)
{
// Get the IPBlockCount, if one exists.
IPBlockCount ipBlockCount;
ipBlocker.TryGetValue(ipAddress, out ipBlockCount);
if (ipBlockCount == null)
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipBlocker[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName);
// check for the target user name for additional blacklisting checks
bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName));
// if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them
if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan)
{
// if they are not black listed OR this is the first increment of a black listed ip address, perform the ban
if (!blackListed || ipBlockCount.Count >= 1)
{
if (!ipBlockerDate.ContainsKey(ipAddress))
{
Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count);
ipBlockerDate[ipAddress] = DateTime.UtcNow;
ExecuteBanScript();
}
}
else
{
Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName);
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count);
}
}
}
}
private void ProcessBanFileOnStart()
{
lock (ipBlocker)
{
DeleteRule();
ipBlocker.Clear();
ipBlockerDate.Clear();
if (File.Exists(config.BanFile))
{
if (config.BanFileClearOnRestart)
{
File.Delete(config.BanFile);
}
else
{
string[] lines = File.ReadAllLines(config.BanFile);
IPAddress tmp;
foreach (string ip in lines)
{
string ipTrimmed = ip.Trim();
if (IPAddress.TryParse(ipTrimmed, out tmp))
{
IPBlockCount blockCount = new IPBlockCount();
blockCount.IncrementCount();
ipBlocker[ip] = blockCount;
ipBlockerDate[ip] = DateTime.UtcNow;
}
}
if (ipBlockerDate.Count != 0)
{
ExecuteBanScript();
}
}
}
}
}
private void ProcessIPAddress(string ipAddress, XmlDocument doc)
{
if (string.IsNullOrWhiteSpace(ipAddress))
{
return;
}
string userName = null;
XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']");
if (userNameNode != null)
{
userName = userNameNode.InnerText.Trim();
}
if (config.IsWhiteListed(ipAddress))
{
Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}, user name: {1}", ipAddress, userName);
}
else
{
lock (ipBlocker)
{
// Get the IPBlockCount, if one exists.
IPBlockCount ipBlockCount;
ipBlocker.TryGetValue(ipAddress, out ipBlockCount);
if (ipBlockCount == null)
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipBlocker[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
Log.Write(LogLevel.Info, "Incrementing count for ip {0} to {1}, user name: {2}", ipAddress, ipBlockCount.Count, userName);
// check for the target user name for additional blacklisting checks
bool blackListed = config.IsBlackListed(ipAddress) || (userName != null && config.IsBlackListed(userName));
// if the ip is black listed or they have reached the maximum failed login attempts before ban, ban them
if (blackListed || ipBlockCount.Count >= config.FailedLoginAttemptsBeforeBan)
{
// if they are not black listed OR this is the first increment of a black listed ip address, perform the ban
if (!blackListed || ipBlockCount.Count >= 1)
{
if (!ipBlockerDate.ContainsKey(ipAddress))
{
Log.Write(LogLevel.Error, "Banning ip address: {0}, user name: {1}, black listed: {2}, count: {3}", ipAddress, userName, blackListed, ipBlockCount.Count);
ipBlockerDate[ipAddress] = DateTime.UtcNow;
ExecuteBanScript();
}
}
else
{
Log.Write(LogLevel.Info, "Ignoring previously banned black listed ip {0}, user name: {1}, ip should already be banned", ipAddress, userName);
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Warning, "Got event with ip address {0}, count {1}, ip should already be banned", ipAddress, ipBlockCount.Count);
}
}
}
}
private void ProcessXml(string xml)
{
Log.Write(LogLevel.Info, "Processing xml: {0}", xml);
string ipAddress = null;
XmlTextReader reader = new XmlTextReader(new StringReader(xml));
reader.Namespaces = false;
XmlDocument doc = new XmlDocument();
doc.Load(reader);
XmlNode keywordsNode = doc.SelectSingleNode("//Keywords");
if (keywordsNode != null)
{
// we must match on keywords
foreach (ExpressionsToBlockGroup group in config.Expressions.Groups.Where(g => g.Keywords == keywordsNode.InnerText))
{
foreach (ExpressionToBlock expression in group.Expressions)
{
// we must find a node for each xpath expression
XmlNodeList nodes = doc.SelectNodes(expression.XPath);
if (nodes.Count == 0)
{
Log.Write(LogLevel.Warning, "No nodes found for xpath {0}", expression.XPath);
ipAddress = null;
break;
}
// if there is a regex, it must match
if (string.IsNullOrWhiteSpace(expression.Regex))
{
Log.Write(LogLevel.Info, "No regex, so counting as a match");
}
else
{
bool foundMatch = false;
foreach (XmlNode node in nodes)
{
Match m = expression.RegexObject.Match(node.InnerText);
if (m.Success)
{
foundMatch = true;
// check if the regex had an ipadddress group
Group ipAddressGroup = m.Groups["ipaddress"];
if (ipAddressGroup != null && ipAddressGroup.Success && !string.IsNullOrWhiteSpace(ipAddressGroup.Value))
{
ipAddress = ipAddressGroup.Value.Trim();
}
break;
}
}
if (!foundMatch)
{
// no match, move on to the next group to check
Log.Write(LogLevel.Warning, "Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath);
ipAddress = null;
break;
}
}
}
}
}
if (!string.IsNullOrWhiteSpace(ipAddress))
{
if (config.IsWhiteListed(ipAddress))
{
Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}", ipAddress);
}
else
{
IPBlockCount ipBlockCount;
lock (ipBlocker)
{
// Get the IPBlockCount, if one exists.
ipBlocker.TryGetValue(ipAddress, out ipBlockCount);
if (ipBlockCount == null)
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipBlocker[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
bool blackListed = config.IsBlackListed(ipAddress);
if (blackListed || ipBlockCount.Count == config.FailedLoginAttemptsBeforeBan)
{
if (!blackListed || ipBlockCount.Count == 1)
{
Log.Write(LogLevel.Error, "Banning ip address {0}", ipAddress);
ipBlockerDate[ipAddress] = DateTime.UtcNow;
ExecuteBanScript();
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Info, "Got event with ip address {0}, count {1}, ip is already banned", ipAddress, ipBlockCount.Count);
}
else
{
Log.Write(LogLevel.Info, "Got event with ip address {0}, count: {1}", ipAddress, ipBlockCount.Count);
}
}
}
}
}
private void ProcessIPAddress(string ipAddress, XmlDocument doc)
{
if (string.IsNullOrWhiteSpace(ipAddress))
{
return;
}
else if (config.IsWhiteListed(ipAddress))
{
Log.Write(LogLevel.Info, "Ignoring whitelisted ip address {0}", ipAddress);
}
else
{
IPBlockCount ipBlockCount;
lock (ipBlocker)
{
// Get the IPBlockCount, if one exists.
ipBlocker.TryGetValue(ipAddress, out ipBlockCount);
if (ipBlockCount == null)
{
// This is the first failed login attempt, so record a new IPBlockCount.
ipBlockCount = new IPBlockCount();
ipBlocker[ipAddress] = ipBlockCount;
}
// Increment the count.
ipBlockCount.IncrementCount();
// check for the target user name for additional blacklisting checks
XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']");
bool blackListed = config.IsBlackListed(ipAddress) || (userNameNode != null && config.IsBlackListed(userNameNode.InnerText));
if (blackListed || ipBlockCount.Count == config.FailedLoginAttemptsBeforeBan)
{
if (!blackListed || ipBlockCount.Count == 1)
{
Log.Write(LogLevel.Error, "Banning ip address {0}", ipAddress);
ipBlockerDate[ipAddress] = DateTime.UtcNow;
ExecuteBanScript();
}
}
else if (ipBlockCount.Count > config.FailedLoginAttemptsBeforeBan)
{
Log.Write(LogLevel.Info, "Got event with ip address {0}, count {1}, ip is already banned", ipAddress, ipBlockCount.Count);
}
else
{
Log.Write(LogLevel.Info, "Got event with ip address {0}, count: {1}", ipAddress, ipBlockCount.Count);
}
}
}
}
