Project

General

Profile

sshguad_by_service_filtering.patch

Joshua Sign, 01/20/2019 04:32 PM

View differences:

sshguard/src/blocker/attack.c 2019-01-20 22:40:58.716095771 +0100
22 22
}
23 23

  
24 24
int attack_addr_seeker(const void *el, const void *key) {
25
    const sshg_address_t *adr = (const sshg_address_t *)key;
25
    const attack_t *akey = (const attack_t *)key;
26 26
    const attacker_t *atk = (const attacker_t *)el;
27 27

  
28
    assert(atk != NULL && adr != NULL);
29
    if (atk->attack.address.kind != adr->kind) return 0;
30
    return (strcmp(atk->attack.address.value, adr->value) == 0);
28
    assert(atk != NULL && akey != NULL);
29
    if (atk->attack.address.kind != akey->address.kind) return 0;
30
    return (strcmp(atk->attack.address.value, akey->address.value) == 0 && akey->service == atk->attack.service);
31 31
}
sshguard/src/blocker/blocker.c 2019-01-20 22:40:58.832096530 +0100
183 183
            abort();
184 184
        }
185 185
    }
186
    sshguard_log(LOG_WARNING, "Blocking \"%s/%u\" %s (%u attacks in %lld "
186
    sshguard_log(LOG_WARNING, "Blocking \"%s/%u\" on service %d %s (%u attacks in %lld "
187 187
                              "secs, after %d abuses over %lld secs.)",
188
                 tmpent->attack.address.value, subnet_size, time_msg, tmpent->numhits,
188
                 tmpent->attack.address.value, subnet_size, tmpent->attack.service, time_msg, tmpent->numhits,
189 189
                 (long long)(tmpent->whenlast - tmpent->whenfirst),
190 190
                 offenderent->numhits,
191 191
                 (long long)(offenderent->whenlast - offenderent->whenfirst));
......
211 211

  
212 212
    /* address already blocked? (can happen for 100 reasons) */
213 213
    if (blocklist_contains(attack)) {
214
        sshguard_log(LOG_INFO, "%s has already been blocked.",
215
                attack.address.value);
214
        sshguard_log(LOG_INFO, "%s has already been blocked for service %d.",
215
                attack.address.value, attack.service);
216 216
        return;
217 217
    }
218 218

  
......
222 222
        return;
223 223
    }
224 224

  
225
    sshguard_log(LOG_NOTICE,
225
    sshguard_log(LOG_WARNING,
226 226
                 "Attack from \"%s\" on service %d with danger %u.",
227 227
                 attack.address.value, attack.service,
228 228
                 attack.dangerousness);
229 229

  
230 230
    /* search entry in list */
231
    tmpent = list_seek(& limbo, & attack.address);
231
    tmpent = list_seek(& limbo, & attack);
232 232
    if (tmpent == NULL) { /* entry not already in list, add it */
233 233
        /* otherwise: insert the new item */
234 234
        tmpent = malloc(sizeof(attacker_t));
......
252 252
    /* find out if this is a recidivous offender to determine the
253 253
     * duration of blocking */
254 254
    tmpent->pardontime = opts.pardon_threshold;
255
    offenderent = list_seek(& offenders, & attack.address);
255
    offenderent = list_seek(& offenders, & attack);
256 256
    if (offenderent == NULL) {
257 257
        /* first time we block this guy */
258
        sshguard_log(LOG_DEBUG, "%s: first block (adding as offender.)",
259
                tmpent->attack.address.value);
258
        sshguard_log(LOG_DEBUG, "%s: first block for service %d (adding as offender.)",
259
                tmpent->attack.address.value, tmpent->attack.service);
260 260
        offenderent = (attacker_t *)malloc(sizeof(attacker_t));
261 261
        /* copy everything from tmpent */
262 262
        memcpy(offenderent, tmpent, sizeof(attacker_t));
sshguard/src/blocker/blocklist.c 2019-01-20 22:40:58.948097289 +0100
29 29
static void fw_block(const attack_t *attack) {
30 30
    unsigned int subnet_size = fw_block_subnet_size(attack->address.kind);
31 31

  
32
    printf("block %s %d %u\n", attack->address.value, attack->address.kind, subnet_size);
32
    printf("block %s %d %u %d\n", attack->address.value, attack->address.kind, subnet_size, attack->service);
33 33
    fflush(stdout);
34 34
}
35 35

  
36 36
static void fw_release(const attack_t *attack) {
37 37
    unsigned int subnet_size = fw_block_subnet_size(attack->address.kind);
38 38

  
39
    printf("release %s %d %u\n", attack->address.value, attack->address.kind, subnet_size);
39
    printf("release %s %d %u %d\n", attack->address.value, attack->address.kind, subnet_size, attack->service);
40 40
    fflush(stdout);
41 41
}
42 42

  
......
57 57
        /* process hosts with finite pardon time */
58 58
        if (now - tmpel->whenlast > tmpel->pardontime) {
59 59
            /* pardon time passed, release block */
60
            sshguard_log(LOG_DEBUG, "%s: unblocking after %lld secs",
61
                         tmpel->attack.address.value,
60
            sshguard_log(LOG_WARNING, "Unblocking %s for service %d after %lld secs",
61
                         tmpel->attack.address.value, tmpel->attack.service,
62 62
                         (long long)(now - tmpel->whenlast));
63 63
            fw_release(&tmpel->attack);
64 64
            list_delete_at(&hell, pos);
......
101 101
bool blocklist_contains(attack_t attack) {
102 102
    attacker_t *tmpent = NULL;
103 103
    pthread_mutex_lock(&list_mutex);
104
    tmpent = list_seek(&hell, &attack.address);
104
    tmpent = list_seek(&hell, &attack);
105 105
    pthread_mutex_unlock(&list_mutex);
106 106
    return tmpent != NULL;
107 107
}
sshguard/src/blocker/sshguard_blacklist.c 2019-01-20 22:40:59.040097892 +0100
119 119

  
120 120
void blacklist_add(const attacker_t *restrict newel) {
121 121
    assert(blacklist_file != NULL && blacklist != NULL);
122
    if (blacklist_contains(&newel->attack.address)) {
123
        sshguard_log(LOG_WARNING, "blacklist: %s is already blacklisted",
124
                newel->attack.address.value);
122
    if (blacklist_contains(&newel->attack)) {
123
        sshguard_log(LOG_WARNING, "blacklist: %s is already blacklisted for service %d",
124
                newel->attack.address.value, newel->attack.service);
125 125
        return;
126 126
    }
127 127

  
......
139 139
    }
140 140
}
141 141

  
142
int blacklist_contains(const sshg_address_t *restrict addr) {
142
int blacklist_contains(const attack_t *restrict attack) {
143 143
    if (blacklist == NULL) {
144 144
        // Blacklist hasn't been loaded yet.
145 145
        return -1;
146 146
    }
147 147

  
148 148
    list_attributes_seeker(blacklist, attack_addr_seeker);
149
    attacker_t *restrict el = list_seek(blacklist, addr);
149
    attacker_t *restrict el = list_seek(blacklist, attack);
150 150
    return (el != NULL);
151 151
}
152 152

  
sshguard/src/blocker/sshguard_blacklist.h 2019-01-20 22:40:59.172098756 +0100
44 44
 *
45 45
 * @return          <0 if error; 1 if (addr,addrkind) present in blacklist, 0 otherwise
46 46
 */
47
int blacklist_contains(const sshg_address_t *restrict addr);
47
int blacklist_contains(const attack_t *restrict attack);
sshguard/src/fw/sshg-fw.in 2019-01-20 22:40:59.340099855 +0100
16 16

  
17 17
trap cleanup EXIT INT
18 18

  
19
while read cmd address addrtype cidr; do
19
while read cmd address addrtype cidr service; do
20 20
    case $cmd in
21 21
        block)
22
            fw_block $address $addrtype $cidr;;
22
            fw_block $address $addrtype $cidr $service;;
23 23
        release)
24
            fw_release $address $addrtype $cidr;;
24
            fw_release $address $addrtype $cidr $service;;
25 25
        flush)
26 26
            fw_flush;;
27 27
        flushonexit)