diff src/syslogconfig.cpp @ 63:60f59936fabb
good authentication prevents ip blocking for awhile
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Sat, 19 Dec 2015 10:12:24 -0800 |
parents | f133196b8591 |
children | 0e736950a117 |
--- a/src/syslogconfig.cpp Sat Oct 04 10:21:40 2014 -0700
+++ b/src/syslogconfig.cpp Sat Dec 19 10:12:24 2015 -0800
@@ -64,6 +64,7 @@
 void IPR::add(int ip, int amount, CONTEXT &con, const char *file_name, int pattern_index, const char *message) {
 if (con.looking(ip)) {
+ if (amount > 0) {
 ip_buckets::iterator j = repeat_offenders.find(ip);
 int scale = (j == repeat_offenders.end()) ? 1 : (*j).second.count;
 amount *= scale;
@@ -81,7 +82,9 @@
 }
 else {
 bucket &b = (*i).second;
- if (b.count < (INT_MAX-amount)) {
+ if ((b.count >= 0) && (b.count < 2600000)) {
+ // good authentication (count<0) prevents blocking
+ // not much point in blocking for more than a month
 b.count += amount;
 if ((!b.blocked) && (con.get_threshold() <= b.count)) {
 b.blocked = true;
@@ -91,6 +94,37 @@
 }
 }
 }
+
+ else { // amount < 0
+ char buf[maxlen];
+ in_addr ad;
+ ad.s_addr = htonl(ip);
+ snprintf(buf, maxlen, "%s for %s", message, inet_ntoa(ad));
+ my_syslog(buf);
+
+ ip_buckets::iterator j = repeat_offenders.find(ip);
+ if (j != repeat_offenders.end()) {
+ repeat_offenders.erase(j++);
+ snprintf(buf, maxlen, "removing %s from repeat offenders", inet_ntoa(ad));
+ my_syslog(buf);
+ }
+ ip_buckets::iterator i = violations.find(ip);
+ if (i == violations.end()) {
+ bucket b;
+ b.count = amount;
+ b.blocked = false;
+ violations[ip] = b;
+ }
+ else {
+ bucket &b = (*i).second;
+ b.count = amount;
+ if (b.blocked) {
+ update(ip, false, 0, NULL, 0, NULL);
+ changed(con, ip, false);
+ }
+ }
+ }
+ }
 }
@@ -98,6 +132,14 @@
 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
 int ip = (*i).first;
 bucket &b = (*i).second;
+ if (b.count < 0) {
+ if (b.count >= -amount) violations.erase(i++);
+ else {
+ b.count += amount;
+ i++;
+ }
+ }
+ else {
 if (b.count <= amount) {
 if (b.blocked) {
 update(ip, false, 0, NULL, 0, NULL);
@@ -110,6 +152,7 @@
 i++;
 }
 }
+ }
 daily_timer -= amount;
 if (daily_timer < 0) {
 daily_timer = 86400;
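Review bot: The new `if (amount > 0) {` guard in the first hunk sends `amount == 0` into the else branch added later in this commit, which is commented `// amount < 0`. A zero amount would then remove the repeat-offender entry, set `b.count = 0` and unblock the address exactly as a good authentication does. If a zero amount can reach IPR::add (the callers and the config parser are not visible here), make the sign test explicit with `else if (amount < 0) {`. The body of IPR::add continues outside this hunk.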
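Review bot: The rewritten condition in the second hunk no longer bounds the addition on the following line: the removed `b.count < (INT_MAX-amount)` guaranteed that `b.count += amount` could not overflow, while `b.count < 2600000` limits only the left operand, and `amount` has already been multiplied by the repeat-offender count a few lines earlier. Signed overflow is undefined behaviour, and a wrapped negative count would be read by the new code as a good authentication. Keeping both tests closes that, `if ((b.count >= 0) && (b.count < 2600000) && (amount < INT_MAX - b.count)) {`. The literal 2600000 would also read better as a named constant next to the "more than a month" comment.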
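Review bot: A single matching log line in the `else` branch of the third hunk erases the address's repeat-offender entry, overwrites any accumulated count with `b.count = amount` and lifts an active block, so the exemption is only as trustworthy as the pattern that supplies the negative amount. While the count stays below zero, later violations from that address are skipped by the `b.count >= 0` test in the previous hunk without any log entry; a `my_syslog` line on that skipped path would keep the suppression visible to whoever reviews the logs. Consider leaving the repeat-offender entry in place, or only reducing it, so that one successful login does not reset the escalation history. In the `if (b.blocked)` block the flag is never cleared after `update(ip, false, ...)`; unless `update` or `changed` does that (neither is visible here), add `b.blocked = false;`.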
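Review bot: `bucket.count` now carries two meanings in the loop of the fourth hunk and nothing there says so: a negative value is treated as the remaining grace period from a good authentication, a positive one as the violation score. A comment above the new branch such as `// count<0: grace period left after a good authentication; drop the entry once it leaks back to zero` would make the `b.count >= -amount` comparison readable. The expiry is also silent, whereas the grant is logged in IPR::add; a matching `my_syslog` line would help when reconstructing why an address was or was not blocked. The enclosing function starts outside the hunk.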