diff src/syslogconfig.cpp @ 63:60f59936fabb

good authentication prevents ip blocking for a while
author Carl Byington <carl@five-ten-sg.com>
date Sat, 19 Dec 2015 10:12:24 -0800
parents f133196b8591
children 0e736950a117
--- a/src/syslogconfig.cpp	Sat Oct 04 10:21:40 2014 -0700
+++ b/src/syslogconfig.cpp	Sat Dec 19 10:12:24 2015 -0800
@@ -64,6 +64,7 @@
 
 void IPR::add(int ip, int amount, CONTEXT &con, const char *file_name, int pattern_index, const char *message) {
     if (con.looking(ip)) {
+        if (amount > 0) {
         ip_buckets::iterator j = repeat_offenders.find(ip);
         int scale = (j == repeat_offenders.end()) ? 1 : (*j).second.count;
         amount *= scale;
@@ -81,7 +82,9 @@
         }
         else {
             bucket &b = (*i).second;
-            if (b.count < (INT_MAX-amount)) {
+                if ((b.count >= 0) && (b.count < 2600000)) {
+                    // good authentication (count<0) prevents blocking
+                    // not much point in blocking for more than a month
                 b.count += amount;
                 if ((!b.blocked) && (con.get_threshold() <= b.count)) {
                     b.blocked = true;
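Review bot: The new guard on `b.count` no longer bounds the sum, so `b.count += amount` can overflow when `amount` is large; it appears to have been multiplied by the repeat-offender `scale` earlier in `add`, and the removed `INT_MAX-amount` test was the only overflow check. Signed overflow is undefined, and a count that wraps negative would now be read as the good-authentication state and suppress blocking. Keeping both conditions avoids that: `if ((b.count >= 0) && (b.count < 2600000) && (amount < INT_MAX - b.count)) {`. The `2600000` cap would also read better as a named constant, and the enclosed block continues past the end of this hunk.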
@@ -91,6 +94,37 @@
             }
         }
     }
+
+        else {  // amount < 0
+            char buf[maxlen];
+            in_addr ad;
+            ad.s_addr = htonl(ip);
+            snprintf(buf, maxlen, "%s for %s", message, inet_ntoa(ad));
+            my_syslog(buf);
+
+            ip_buckets::iterator j = repeat_offenders.find(ip);
+            if (j != repeat_offenders.end()) {
+                repeat_offenders.erase(j++);
+                snprintf(buf, maxlen, "removing %s from repeat offenders", inet_ntoa(ad));
+                my_syslog(buf);
+            }
+            ip_buckets::iterator i = violations.find(ip);
+            if (i == violations.end()) {
+                bucket b;
+                b.count = amount;
+                b.blocked = false;
+                violations[ip] = b;
+            }
+            else {
+                bucket &b = (*i).second;
+                b.count = amount;
+                if (b.blocked) {
+                    update(ip, false, 0, NULL, 0, NULL);
+                    changed(con, ip, false);
+                }
+            }
+        }
+    }
 }
 
 
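Review bot: In the branch where the bucket already exists, `b.blocked` is left `true` after `update(ip, false, 0, NULL, 0, NULL)` and `changed(con, ip, false)` are called. Unless `update()` clears it, every later good authentication from that address repeats the unblock and the change notification; add `b.blocked = false;` inside that `if`. The branch is also entered for `amount == 0` although its comment says `amount < 0`, which would let a zero-weight pattern clear the repeat-offender entry and unblock the address; `else if (amount < 0) {` matches the comment. Since the exemption is keyed on the IP alone, it is worth documenting above the branch that one successful login covers later failures from every client behind that address for as long as the negative count lasts.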
@@ -98,6 +132,14 @@
     for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
         int    ip = (*i).first;
         bucket &b = (*i).second;
+        if (b.count < 0) {
+            if (b.count >= -amount) violations.erase(i++);
+            else {
+                b.count += amount;
+                i++;
+            }
+        }
+        else {
         if (b.count <= amount) {
             if (b.blocked) {
                 update(ip, false, 0, NULL, 0, NULL);
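Review bot: Nothing in this loop says what a negative `b.count` means or in what unit it decays; a comment above the new test would help, for example `// count < 0: credit from a good authentication; it leaks back toward zero and the bucket is dropped once it expires`. The length of the exemption is whatever negative `amount` was passed to `add`, and no visible code bounds it, so presumably the configuration is trusted to keep it reasonable. The function header is outside this hunk and the `else {` opened here is closed in the following hunk.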
@@ -110,6 +152,7 @@
             i++;
         }
     }
+    }
     daily_timer -= amount;
     if (daily_timer < 0) {
         daily_timer = 86400;