Bug #9223 ยป sshguad_by_service_filtering.patch
| sshguard/src/blocker/attack.c 2019-01-20 22:40:58.716095771 +0100 | ||
|---|---|---|
| 22 | 22 |
} |
| 23 | 23 |
|
| 24 | 24 |
int attack_addr_seeker(const void *el, const void *key) {
|
| 25 |
const sshg_address_t *adr = (const sshg_address_t *)key;
|
|
| 25 |
const attack_t *akey = (const attack_t *)key;
|
|
| 26 | 26 |
const attacker_t *atk = (const attacker_t *)el; |
| 27 | 27 |
|
| 28 |
assert(atk != NULL && adr != NULL);
|
|
| 29 |
if (atk->attack.address.kind != adr->kind) return 0;
|
|
| 30 |
return (strcmp(atk->attack.address.value, adr->value) == 0);
|
|
| 28 |
assert(atk != NULL && akey != NULL);
|
|
| 29 |
if (atk->attack.address.kind != akey->address.kind) return 0;
|
|
| 30 |
return (strcmp(atk->attack.address.value, akey->address.value) == 0 && akey->service == atk->attack.service);
|
|
| 31 | 31 |
} |
| sshguard/src/blocker/blocker.c 2019-01-20 22:40:58.832096530 +0100 | ||
|---|---|---|
| 183 | 183 |
abort(); |
| 184 | 184 |
} |
| 185 | 185 |
} |
| 186 |
sshguard_log(LOG_WARNING, "Blocking \"%s/%u\" %s (%u attacks in %lld " |
|
| 186 |
sshguard_log(LOG_WARNING, "Blocking \"%s/%u\" on service %d %s (%u attacks in %lld "
|
|
| 187 | 187 |
"secs, after %d abuses over %lld secs.)", |
| 188 |
tmpent->attack.address.value, subnet_size, time_msg, tmpent->numhits, |
|
| 188 |
tmpent->attack.address.value, subnet_size, tmpent->attack.service, time_msg, tmpent->numhits,
|
|
| 189 | 189 |
(long long)(tmpent->whenlast - tmpent->whenfirst), |
| 190 | 190 |
offenderent->numhits, |
| 191 | 191 |
(long long)(offenderent->whenlast - offenderent->whenfirst)); |
| ... | ... | |
| 211 | 211 |
|
| 212 | 212 |
/* address already blocked? (can happen for 100 reasons) */ |
| 213 | 213 |
if (blocklist_contains(attack)) {
|
| 214 |
sshguard_log(LOG_INFO, "%s has already been blocked.", |
|
| 215 |
attack.address.value); |
|
| 214 |
sshguard_log(LOG_INFO, "%s has already been blocked for service %d.",
|
|
| 215 |
attack.address.value, attack.service);
|
|
| 216 | 216 |
return; |
| 217 | 217 |
} |
| 218 | 218 |
|
| ... | ... | |
| 222 | 222 |
return; |
| 223 | 223 |
} |
| 224 | 224 |
|
| 225 |
sshguard_log(LOG_NOTICE,
|
|
| 225 |
sshguard_log(LOG_WARNING,
|
|
| 226 | 226 |
"Attack from \"%s\" on service %d with danger %u.", |
| 227 | 227 |
attack.address.value, attack.service, |
| 228 | 228 |
attack.dangerousness); |
| 229 | 229 |
|
| 230 | 230 |
/* search entry in list */ |
| 231 |
tmpent = list_seek(& limbo, & attack.address);
|
|
| 231 |
tmpent = list_seek(& limbo, & attack); |
|
| 232 | 232 |
if (tmpent == NULL) { /* entry not already in list, add it */
|
| 233 | 233 |
/* otherwise: insert the new item */ |
| 234 | 234 |
tmpent = malloc(sizeof(attacker_t)); |
| ... | ... | |
| 252 | 252 |
/* find out if this is a recidivous offender to determine the |
| 253 | 253 |
* duration of blocking */ |
| 254 | 254 |
tmpent->pardontime = opts.pardon_threshold; |
| 255 |
offenderent = list_seek(& offenders, & attack.address);
|
|
| 255 |
offenderent = list_seek(& offenders, & attack); |
|
| 256 | 256 |
if (offenderent == NULL) {
|
| 257 | 257 |
/* first time we block this guy */ |
| 258 |
sshguard_log(LOG_DEBUG, "%s: first block (adding as offender.)", |
|
| 259 |
tmpent->attack.address.value); |
|
| 258 |
sshguard_log(LOG_DEBUG, "%s: first block for service %d (adding as offender.)",
|
|
| 259 |
tmpent->attack.address.value, tmpent->attack.service);
|
|
| 260 | 260 |
offenderent = (attacker_t *)malloc(sizeof(attacker_t)); |
| 261 | 261 |
/* copy everything from tmpent */ |
| 262 | 262 |
memcpy(offenderent, tmpent, sizeof(attacker_t)); |
| sshguard/src/blocker/blocklist.c 2019-01-20 22:40:58.948097289 +0100 | ||
|---|---|---|
| 29 | 29 |
static void fw_block(const attack_t *attack) {
|
| 30 | 30 |
unsigned int subnet_size = fw_block_subnet_size(attack->address.kind); |
| 31 | 31 |
|
| 32 |
printf("block %s %d %u\n", attack->address.value, attack->address.kind, subnet_size);
|
|
| 32 |
printf("block %s %d %u %d\n", attack->address.value, attack->address.kind, subnet_size, attack->service);
|
|
| 33 | 33 |
fflush(stdout); |
| 34 | 34 |
} |
| 35 | 35 |
|
| 36 | 36 |
static void fw_release(const attack_t *attack) {
|
| 37 | 37 |
unsigned int subnet_size = fw_block_subnet_size(attack->address.kind); |
| 38 | 38 |
|
| 39 |
printf("release %s %d %u\n", attack->address.value, attack->address.kind, subnet_size);
|
|
| 39 |
printf("release %s %d %u %d\n", attack->address.value, attack->address.kind, subnet_size, attack->service);
|
|
| 40 | 40 |
fflush(stdout); |
| 41 | 41 |
} |
| 42 | 42 |
|
| ... | ... | |
| 57 | 57 |
/* process hosts with finite pardon time */ |
| 58 | 58 |
if (now - tmpel->whenlast > tmpel->pardontime) {
|
| 59 | 59 |
/* pardon time passed, release block */ |
| 60 |
sshguard_log(LOG_DEBUG, "%s: unblocking after %lld secs",
|
|
| 61 |
tmpel->attack.address.value, |
|
| 60 |
sshguard_log(LOG_WARNING, "Unblocking %s for service %d after %lld secs",
|
|
| 61 |
tmpel->attack.address.value, tmpel->attack.service,
|
|
| 62 | 62 |
(long long)(now - tmpel->whenlast)); |
| 63 | 63 |
fw_release(&tmpel->attack); |
| 64 | 64 |
list_delete_at(&hell, pos); |
| ... | ... | |
| 101 | 101 |
bool blocklist_contains(attack_t attack) {
|
| 102 | 102 |
attacker_t *tmpent = NULL; |
| 103 | 103 |
pthread_mutex_lock(&list_mutex); |
| 104 |
tmpent = list_seek(&hell, &attack.address);
|
|
| 104 |
tmpent = list_seek(&hell, &attack); |
|
| 105 | 105 |
pthread_mutex_unlock(&list_mutex); |
| 106 | 106 |
return tmpent != NULL; |
| 107 | 107 |
} |
| sshguard/src/blocker/sshguard_blacklist.c 2019-01-20 22:40:59.040097892 +0100 | ||
|---|---|---|
| 119 | 119 |
|
| 120 | 120 |
void blacklist_add(const attacker_t *restrict newel) {
|
| 121 | 121 |
assert(blacklist_file != NULL && blacklist != NULL); |
| 122 |
if (blacklist_contains(&newel->attack.address)) {
|
|
| 123 |
sshguard_log(LOG_WARNING, "blacklist: %s is already blacklisted", |
|
| 124 |
newel->attack.address.value); |
|
| 122 |
if (blacklist_contains(&newel->attack)) {
|
|
| 123 |
sshguard_log(LOG_WARNING, "blacklist: %s is already blacklisted for service %d",
|
|
| 124 |
newel->attack.address.value, newel->attack.service);
|
|
| 125 | 125 |
return; |
| 126 | 126 |
} |
| 127 | 127 |
|
| ... | ... | |
| 139 | 139 |
} |
| 140 | 140 |
} |
| 141 | 141 |
|
| 142 |
int blacklist_contains(const sshg_address_t *restrict addr) {
|
|
| 142 |
int blacklist_contains(const attack_t *restrict attack) {
|
|
| 143 | 143 |
if (blacklist == NULL) {
|
| 144 | 144 |
// Blacklist hasn't been loaded yet. |
| 145 | 145 |
return -1; |
| 146 | 146 |
} |
| 147 | 147 |
|
| 148 | 148 |
list_attributes_seeker(blacklist, attack_addr_seeker); |
| 149 |
attacker_t *restrict el = list_seek(blacklist, addr);
|
|
| 149 |
attacker_t *restrict el = list_seek(blacklist, attack);
|
|
| 150 | 150 |
return (el != NULL); |
| 151 | 151 |
} |
| 152 | 152 |
|
| sshguard/src/blocker/sshguard_blacklist.h 2019-01-20 22:40:59.172098756 +0100 | ||
|---|---|---|
| 44 | 44 |
* |
| 45 | 45 |
* @return <0 if error; 1 if (addr,addrkind) present in blacklist, 0 otherwise |
| 46 | 46 |
*/ |
| 47 |
int blacklist_contains(const sshg_address_t *restrict addr); |
|
| 47 |
int blacklist_contains(const attack_t *restrict attack); |
|
| sshguard/src/fw/sshg-fw.in 2019-01-20 22:40:59.340099855 +0100 | ||
|---|---|---|
| 16 | 16 |
|
| 17 | 17 |
trap cleanup EXIT INT |
| 18 | 18 |
|
| 19 |
while read cmd address addrtype cidr; do |
|
| 19 |
while read cmd address addrtype cidr service; do
|
|
| 20 | 20 |
case $cmd in |
| 21 | 21 |
block) |
| 22 |
fw_block $address $addrtype $cidr;; |
|
| 22 |
fw_block $address $addrtype $cidr $service;;
|
|
| 23 | 23 |
release) |
| 24 |
fw_release $address $addrtype $cidr;; |
|
| 24 |
fw_release $address $addrtype $cidr $service;;
|
|
| 25 | 25 |
flush) |
| 26 | 26 |
fw_flush;; |
| 27 | 27 |
flushonexit) |