# HG changeset patch # User carl # Date 1136752617 28800 # Node ID 0d65c3de34fd683826247e9ad1e802616af46943 # Parent 13b2e663b5538f96a683dbb5549d71c8c5a99ab5 add better logging diff -r 13b2e663b553 -r 0d65c3de34fd ChangeLog --- a/ChangeLog Sat Dec 24 06:27:00 2005 -0800 +++ b/ChangeLog Sun Jan 08 12:36:57 2006 -0800 @@ -1,5 +1,8 @@ $Id$ +1.1 2006-01-08 + Add syslog entries when new ip addresses are blocked or released. + 1.0 2005-12-17 Initial release. diff -r 13b2e663b553 -r 0d65c3de34fd configure.in --- a/configure.in Sat Dec 24 06:27:00 2005 -0800 +++ b/configure.in Sun Jan 08 12:36:57 2006 -0800 @@ -1,7 +1,7 @@ AC_INIT(configure.in) AM_CONFIG_HEADER(config.h) -AM_INIT_AUTOMAKE(syslog2iptables,1.0) +AM_INIT_AUTOMAKE(syslog2iptables,1.1) AC_PATH_PROGS(BASH, bash) AC_LANG_CPLUSPLUS diff -r 13b2e663b553 -r 0d65c3de34fd libtool --- a/libtool Sat Dec 24 06:27:00 2005 -0800 +++ b/libtool Sun Jan 08 12:36:57 2006 -0800 @@ -1,7 +1,7 @@ #! /bin/sh # libtoolT - Provide generalized library-building support services. -# Generated automatically by (GNU syslog2iptables 1.0) +# Generated automatically by (GNU syslog2iptables 1.1) # NOTE: Changes made to this file will be lost: look at ltmain.sh. # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 diff -r 13b2e663b553 -r 0d65c3de34fd remote --- a/remote Sat Dec 24 06:27:00 2005 -0800 +++ b/remote Sun Jan 08 12:36:57 2006 -0800 @@ -8,20 +8,27 @@ ssh $a "$b" } -n=syslog2iptables -v=0.1 -t='ams ns1' -t='mbmg' +T=`grep AM_INIT_AUTOMAKE configure.in | cut -d'(' -f2` +NAME=`echo $T | cut -d, -f1` +VER=`echo $T | cut -d, -f2 | cut -d')' -f1` +BALL=$NAME-$VER.tar.gz +web=/home/httpd/html/510sg/$NAME +GZ=$web/packages/$BALL + +t='ams ns1 mbmg' for i in $t; do - scp $n*gz $i:/tmp - me $i "cd /tmp; tar xfz $n*gz" - me $i "cd /tmp/$n-$v; ./configure" - me $i "cd /tmp/$n-$v; make" - me $i "cd /tmp/$n-$v; make install" - me $i "/etc/rc.d/init.d/$n stop" + scp $GZ $i:/tmp + me $i "cd /tmp; tar xfz $BALL" + me $i "cd /tmp/$NAME-$VER; ./configure" + me $i "cd /tmp/$NAME-$VER; make" + me $i "cd /tmp/$NAME-$VER; make install" + me $i "/etc/rc.d/init.d/$NAME stop" me $i "/sbin/iptables -F INPUT" - me $i "cd /tmp/$n-$v; make chkconfig" + me $i "cd /tmp/$NAME-$VER; make chkconfig" if [ -f remote.$i ]; then - scp remote.$i $i:/etc/$n.conf + scp remote.$i $i:/etc/$NAME.conf + else + scp /etc/$NAME.conf $i:/etc/$NAME.conf fi + me $i "/etc/rc.d/init.d/$NAME start" done diff -r 13b2e663b553 -r 0d65c3de34fd src/syslog2iptables.cpp --- a/src/syslog2iptables.cpp Sat Dec 24 06:27:00 2005 -0800 +++ b/src/syslog2iptables.cpp Sun Jan 08 12:36:57 2006 -0800 @@ -20,7 +20,7 @@ // debug levels: // 4 - show syslog lines that match regex -// 3 - show iptables commands +// 3 - show addresses being dropped/released from the filter // 2 - show files open/close // 1 - show config files loading diff -r 13b2e663b553 -r 0d65c3de34fd src/syslogconfig.cpp --- a/src/syslogconfig.cpp Sat Dec 24 06:27:00 2005 -0800 +++ b/src/syslogconfig.cpp Sun Jan 08 12:36:57 2006 -0800 @@ -61,9 +61,10 @@ class IPR { ip_buckets violations; public: - void add(int ip, int amount, CONFIG &con); - void changed(CONFIG &con); + void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index); void leak(int amount, CONFIG &con); + void update(int ip, bool added, char *file_name, int pattern_index); + void changed(CONFIG &con, int ip, bool added); }; IPR recorder; @@ -71,14 +72,18 @@ //////////////////////////////////////////////// // -void IPR::add(int ip, int amount, CONFIG &con) { +void IPR::add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index) { if (con.looking(ip)) { ip_buckets::iterator i = violations.find(ip); if (i == violations.end()) { bucket b; b.count = amount; - b.latch = false; + b.latch = (con.get_threshold() <= b.count); violations[ip] = b; + if (b.latch) { + update(ip, true, file_name, pattern_index); + changed(con, ip, true); + } } else { bucket &b = (*i).second; @@ -88,7 +93,8 @@ b.count += amount; if ((!b.latch) && (c < t) && (t <= b.count)) { b.latch = true; - changed(con); + update(ip, true, file_name, pattern_index); + changed(con, ip, true); } } } @@ -102,7 +108,10 @@ int ip = (*i).first; bucket &b = (*i).second; if (b.count <= amount) { - ch |= b.latch; + if (b.latch) { + update(ip, false, NULL, 0); + ch = true; + } violations.erase(i++); } else { @@ -110,30 +119,50 @@ i++; } } - if (ch) changed(con); + if (ch) changed(con, 0, false); +} + + +void IPR::update(int ip, bool added, char *file_name, int pattern_index) { + if (debug_syslog > 2) { + char buf[maxlen]; + in_addr ad; + ad.s_addr = htonl(ip); + if (added) snprintf(buf, maxlen, "dropping traffic from/to %s based on pattern match %d in %s", inet_ntoa(ad), pattern_index, file_name); + else snprintf(buf, maxlen, "allowing traffic from/to %s", inet_ntoa(ad)); + my_syslog(buf); + } } -void IPR::changed(CONFIG &con) { +void IPR::changed(CONFIG &con, int ip, bool added) { + int t = con.get_threshold(); char buf[maxlen]; + if (added) { + bucket &b = violations[ip]; + if (con.looking(ip) && (b.count > t)) { + in_addr ad; + ad.s_addr = htonl(ip); + snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad)); + system(buf); + } + } + else { + // releasing some ip, redo the table snprintf(buf, maxlen, "%s -F INPUT", iptables); - if (debug_syslog > 2) { - my_syslog(" "); - my_syslog(buf); - } system(buf); for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) { int ip = (*i).first; bucket &b = (*i).second; - if (b.count > con.get_threshold()) { + if (con.looking(ip) && (b.count > t)) { in_addr ad; ad.s_addr = htonl(ip); snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad)); - if (debug_syslog > 2) my_syslog(buf); system(buf); } } } +} //////////////////////////////////////////////// @@ -176,7 +205,7 @@ } -bool PATTERN::process(char *buf, CONFIG &con) { +bool PATTERN::process(char *buf, CONFIG &con, char *file_name, int pattern_index) { if (pattern) { const int nmatch = index+1; regmatch_t match[nmatch]; @@ -190,7 +219,7 @@ buf[e] = '\0'; int ip = ip_address(buf+s); if (ip) { - recorder.add(ip, amount, con); + recorder.add(ip, amount, con, file_name, pattern_index); } return true; } @@ -385,9 +414,11 @@ void SYSLOGCONFIG::process(CONFIG &con) { + int pi=0; for (pattern_list::iterator i=patterns.begin(); i!=patterns.end(); i++) { PATTERN *p = *i; - if (p->process(buf, con)) break; + if (p->process(buf, con, file_name, pi)) break; + pi++; } } diff -r 13b2e663b553 -r 0d65c3de34fd src/syslogconfig.h --- a/src/syslogconfig.h Sat Dec 24 06:27:00 2005 -0800 +++ b/src/syslogconfig.h Sun Jan 08 12:36:57 2006 -0800 @@ -36,7 +36,7 @@ public: ~PATTERN(); PATTERN(TOKEN &tok, char *pattern_, int index_, int amount_); - bool process(char *buf, CONFIG &con); + bool process(char *buf, CONFIG &con, char *file_name, int pattern_index); void dump(int level); }; diff -r 13b2e663b553 -r 0d65c3de34fd syslog2iptables.conf --- a/syslog2iptables.conf Sat Dec 24 06:27:00 2005 -0800 +++ b/syslog2iptables.conf Sun Jan 08 12:36:57 2006 -0800 @@ -2,17 +2,14 @@ ignore { 127.0.0.0/8; // localhost - 205.147.40.32/26; // 510sg - 205.147.0.100/24; // digilink - 205.147.39.128/25; // ams }; -file "/var/log/cisco.log" { - pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { - index 2; // zero based - bucket 200; - }; -}; +// file "/var/log/cisco.log" { +// pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" { +// index 2; // zero based +// bucket 200; +// }; +// }; file "/var/log/secure" { pattern "sshd.*Failed password .* from ::ffff:(.*) port" { @@ -25,6 +22,35 @@ }; }; +file "/var/log/httpd/access_log" { + pattern "(.*) - - .* /cgi-bin" { + index 1; // zero based + bucket 400; + }; + pattern "(.*) - - .*/index2.php" { + index 1; // zero based + bucket 400; + }; + pattern "(.*) - - .*/main.php" { + index 1; // zero based + bucket 400; + }; +}; + +file "/var/log/httpd/access_acia_log" { + pattern "(.*) - - .* /cgi-bin" { + index 1; // zero based + bucket 400; + }; +}; + +file "/var/log/httpd/access_510sg_log" { + pattern "(.*) - - .* /cgi-bin" { + index 1; // zero based + bucket 400; + }; +}; + // file "/var/log/messages" { // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" { // index 1; // zero based diff -r 13b2e663b553 -r 0d65c3de34fd syslog2iptables.rc --- a/syslog2iptables.rc Sat Dec 24 06:27:00 2005 -0800 +++ b/syslog2iptables.rc Sun Jan 08 12:36:57 2006 -0800 @@ -22,7 +22,7 @@ echo -n "Starting syslog2iptables: " if [ ! -f /var/lock/subsys/syslog2iptables ]; then cd SYSCONFDIR # conf file is here - SBINDIR/syslog2iptables -d 2 + SBINDIR/syslog2iptables -d 3 RETVAL=$? pid=`pidof -s SBINDIR/syslog2iptables` if [ $pid ]