syslog2iptables: src/syslogconfig.cpp comparison

comparison src/syslogconfig.cpp @ 63:60f59936fabb

good authentication prevents ip blocking for awhile

author	Carl Byington <carl@five-ten-sg.com>
date	Sat, 19 Dec 2015 10:12:24 -0800
parents	f133196b8591
children	0e736950a117

comparison

equal deleted inserted replaced

-:c30df5975c49
+:60f59936fabb
 }
 void IPR::add(int ip, int amount, CONTEXT &con, const char *file_name, int pattern_index, const char *message) {
 if (con.looking(ip)) {
-ip_buckets::iterator j = repeat_offenders.find(ip);
+if (amount > 0) {
-int scale = (j == repeat_offenders.end()) ? 1 : (*j).second.count;
+ip_buckets::iterator j = repeat_offenders.find(ip);
-amount *= scale;
+int scale = (j == repeat_offenders.end()) ? 1 : (*j).second.count;
+amount *= scale;
-ip_buckets::iterator i = violations.find(ip);
-if (i == violations.end()) {
+ip_buckets::iterator i = violations.find(ip);
-bucket b;
+if (i == violations.end()) {
-b.count = amount;
+bucket b;
-b.blocked = (con.get_threshold() <= b.count);
+b.count = amount;
-violations[ip] = b;
+b.blocked = (con.get_threshold() <= b.count);
-if (b.blocked) {
+violations[ip] = b;
-update(ip, true, scale, file_name, pattern_index, message);
+if (b.blocked) {
-changed(con, ip, true);
-}
-}
-else {
-bucket &b = (*i).second;
-if (b.count < (INT_MAX-amount)) {
-b.count += amount;
-if ((!b.blocked) && (con.get_threshold() <= b.count)) {
-b.blocked = true;
 update(ip, true, scale, file_name, pattern_index, message);
 changed(con, ip, true);
+}
+}
+else {
+bucket &b = (*i).second;
+if ((b.count >= 0) && (b.count < 2600000)) {
+// good authentication (count<0) prevents blocking
+// not much point in blocking for more than a month
+b.count += amount;
+if ((!b.blocked) && (con.get_threshold() <= b.count)) {
+b.blocked = true;
+update(ip, true, scale, file_name, pattern_index, message);
+changed(con, ip, true);
+}
+}
+}
+}
+else {  // amount < 0
+char buf[maxlen];
+in_addr ad;
+ad.s_addr = htonl(ip);
+snprintf(buf, maxlen, "%s for %s", message, inet_ntoa(ad));
+my_syslog(buf);
+ip_buckets::iterator j = repeat_offenders.find(ip);
+if (j != repeat_offenders.end()) {
+repeat_offenders.erase(j++);
+snprintf(buf, maxlen, "removing %s from repeat offenders", inet_ntoa(ad));
+my_syslog(buf);
+}
+ip_buckets::iterator i = violations.find(ip);
+if (i == violations.end()) {
+bucket b;
+b.count = amount;
+b.blocked = false;
+violations[ip] = b;
+}
+else {
+bucket &b = (*i).second;
+b.count = amount;
+if (b.blocked) {
+update(ip, false, 0, NULL, 0, NULL);
+changed(con, ip, false);
 }
 }
 }
 }
 }
 void IPR::leak(int amount, CONTEXT &con) {
 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
 int    ip = (*i).first;
 bucket &b = (*i).second;
-if (b.count <= amount) {
+if (b.count < 0) {
-if (b.blocked) {
+if (b.count >= -amount) violations.erase(i++);
-update(ip, false, 0, NULL, 0, NULL);
+else {
-changed(con, ip, false);
+b.count += amount;
-}
+i++;
-violations.erase(i++);
+}
 }
 else {
-b.count -= amount;
+if (b.count <= amount) {
-i++;
+if (b.blocked) {
+update(ip, false, 0, NULL, 0, NULL);
+changed(con, ip, false);
+}
+violations.erase(i++);
+}
+else {
+b.count -= amount;
+i++;
+}
 }
 }
 daily_timer -= amount;
 if (daily_timer < 0) {
 daily_timer = 86400;

Mercurial > syslog2iptables

comparison src/syslogconfig.cpp @ 63:60f59936fabb