# HG changeset patch
# User carl
# Date 1133574764 28800
# Node ID 276c4edc852180afe7a79ef880c5b6d270f2e7b4
# Parent 2737ab01659a06153b0d63ea02956841b7c15e1b
initial coding
diff -r 2737ab01659a -r 276c4edc8521 Doxyfile
--- a/Doxyfile Thu Dec 01 17:17:37 2005 -0800
+++ b/Doxyfile Fri Dec 02 17:52:44 2005 -0800
@@ -123,7 +123,7 @@
 *.moc \
 *.xpm \
 *.dox
-RECURSIVE = yes
+RECURSIVE = YES
 EXCLUDE =
 EXCLUDE_SYMLINKS = NO
 EXCLUDE_PATTERNS =
@@ -195,14 +195,14 @@
 #---------------------------------------------------------------------------
 # configuration options related to the man page output
 #---------------------------------------------------------------------------
-GENERATE_MAN = NO
+GENERATE_MAN = YES
 MAN_OUTPUT = man
 MAN_EXTENSION = .3
-MAN_LINKS = NO
+MAN_LINKS = YES
 #---------------------------------------------------------------------------
 # configuration options related to the XML output
 #---------------------------------------------------------------------------
-GENERATE_XML = yes
+GENERATE_XML = YES
 XML_OUTPUT = xml
 XML_SCHEMA =
 XML_DTD =
diff -r 2737ab01659a -r 276c4edc8521 Makefile.am
diff -r 2737ab01659a -r 276c4edc8521 TODO
--- a/TODO Thu Dec 01 17:17:37 2005 -0800
+++ b/TODO Fri Dec 02 17:52:44 2005 -0800
@@ -1,5 +1,3 @@
 1) Configurable limit on size of drop table
 2) If size exceeded, mail to root but not more often than once per 6 hours.
 and only use the larger count items?
-3) Configure an export file and command to allow pushing the filters
- to other systems.
diff -r 2737ab01659a -r 276c4edc8521 src/Makefile.am
--- a/src/Makefile.am Thu Dec 01 17:17:37 2005 -0800
+++ b/src/Makefile.am Fri Dec 02 17:52:44 2005 -0800
@@ -1,6 +1,6 @@ -bin_PROGRAMS = syslog2iptables +sbin_PROGRAMS = syslog2iptables syslog2iptables_SOURCES = syslog2iptables.cpp tokenizer.cpp tokenizer.h \ - includes.h syslogconfig.cpp syslogconfig.h + includes.h syslogconfig.cpp syslogconfig.h syslog2iptables.h # set the include path found by configure INCLUDES= $(all_includes) diff -r 2737ab01659a -r 276c4edc8521 src/Makefile.in --- a/src/Makefile.in Thu Dec 01 17:17:37 2005 -0800 +++ b/src/Makefile.in Fri Dec 02 17:52:44 2005 -0800 @@ -38,7 +38,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -bin_PROGRAMS = syslog2iptables$(EXEEXT) +sbin_PROGRAMS = syslog2iptables$(EXEEXT) subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -48,9 +48,9 @@ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) +am__installdirs = "$(DESTDIR)$(sbindir)" +sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(sbin_PROGRAMS) am_syslog2iptables_OBJECTS = syslog2iptables.$(OBJEXT) \ tokenizer.$(OBJEXT) syslogconfig.$(OBJEXT) syslog2iptables_OBJECTS = $(am_syslog2iptables_OBJECTS) @@ -176,7 +176,7 @@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ syslog2iptables_SOURCES = syslog2iptables.cpp tokenizer.cpp tokenizer.h \ - includes.h syslogconfig.cpp syslogconfig.h + includes.h syslogconfig.cpp syslogconfig.h syslog2iptables.h # set the include path found by configure 
@@ -217,30 +217,30 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-binPROGRAMS: $(bin_PROGRAMS) +install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ + test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ if test -f $$p \ || test -f $$p1 \ ; then \ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ else :; fi; \ done -uninstall-binPROGRAMS: +uninstall-sbinPROGRAMS: @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ + echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ + rm -f "$(DESTDIR)$(sbindir)/$$f"; \ done -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ echo " rm -f $$p $$f"; \ rm -f $$p $$f ; \ 
@@ -369,7 +369,7 @@ check: check-am all-am: Makefile $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(bindir)"; do \ + for dir in "$(DESTDIR)$(sbindir)"; do \ test -z "$$dir" || $(mkdir_p) "$$dir"; \ done install: install-am @@ -398,7 +398,8 @@ @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -418,7 +419,7 @@ install-data-am: -install-exec-am: install-binPROGRAMS +install-exec-am: install-sbinPROGRAMS install-info: install-info-am 
@@ -444,19 +445,20 @@ ps-am: -uninstall-am: uninstall-binPROGRAMS uninstall-info-am +uninstall-am: uninstall-info-am uninstall-sbinPROGRAMS -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \ - clean-generic clean-libtool ctags distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-sbinPROGRAMS ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-exec \ install-exec-am install-info install-info-am install-man \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am + install-sbinPROGRAMS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-info-am \ + uninstall-sbinPROGRAMS # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -r 2737ab01659a -r 276c4edc8521 src/syslog2iptables.cpp --- a/src/syslog2iptables.cpp Thu Dec 01 17:17:37 2005 -0800 +++ b/src/syslog2iptables.cpp Fri Dec 02 17:52:44 2005 -0800 
@@ -18,6 +18,10 @@
 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ***************************************************************************/
+// debug levels:
+// 4 - show syslog lines that match regex
+// 3 - show files open/close
+// 1 - show config files loading
 #ifdef HAVE_CONFIG_H
 #include
@@ -56,7 +60,7 @@
 if (use_syslog) {
 pthread_mutex_lock(&syslog_mutex);
 if (!syslog_opened) {
- openlog("syslog2iptables", LOG_PID, LOG_MAIL);
+ openlog("syslog2iptables", LOG_PID, LOG_AUTHPRIV);
 syslog_opened = true;
 }
 syslog(LOG_NOTICE, "%s", text);
@@ -166,43 +170,15 @@
 void usage(char *prog);
 void usage(char *prog)
 {
+ fprintf(stderr, "Usage: %s [-d [level]] [-c]\n", prog);
+ fprintf(stderr, "-c will load and dump the config to stdout\n");
+ fprintf(stderr, "-d will set the syslog message level, currently 0 to 3\n");
 }
-int main(int argc, char *argv[])
+void worker();
+void worker()
 {
- token_init();
- bool check = true;
- int c;
- const char *args = "ch";
- extern char *optarg;
-
- // Process command line options
- while ((c = getopt(argc, argv, args)) != -1) {
- switch (c) {
- case 'c':
- check = true;
- break;
-
- case 'h':
- default:
- usage(argv[0]);
- exit(EX_USAGE);
- }
- }
-
- if (check) {
- use_syslog = false;
- debug_syslog = 10;
- config = new_conf();
- if (config) {
- config->dump();
- {
- // just for testing
- // initialize the thread sync objects
- pthread_mutex_init(&config_mutex, 0);
- pthread_mutex_init(&syslog_mutex, 0);
- time_t t = time(NULL);
 CONFIG *c;
 pthread_mutex_lock(&config_mutex);
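Review bot: The new debug-levels comment does not match the thresholds this same commit adds in syslogconfig.cpp: file open/close is logged at `debug_syslog > 1` (level 2, not 3), and the iptables commands logged at `> 2` (level 3) are not listed at all. Suggest `// 4 - show syslog lines that match regex`, `// 3 - show iptables commands as they are run`, `// 2 - show files open/close`, keeping `// 1 - show config files loading` only if that level is checked somewhere outside this diff.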
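Review bot: The new usage text disagrees with the option parsing this commit introduces: it advertises `-d [level]` with an optional argument and a range of 0 to 3, but main's option string is `d:ch` (the level is mandatory) and syslogconfig.cpp now tests `debug_syslog > 3`, so level 4 is meaningful. Suggest `fprintf(stderr, "Usage: %s [-d level] [-c]\n", prog);` and `fprintf(stderr, "-d will set the syslog message level, currently 0 to 4\n");`. The worker() body that begins at the end of this hunk continues outside it.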
@@ -221,6 +197,41 @@
 c->sleep(10, t);
 }
 }
+
+
+int main(int argc, char *argv[])
+{
+ token_init();
+ bool check = false;
+ int c;
+ const char *args = "d:ch";
+ extern char *optarg;
+
+ // Process command line options
+ while ((c = getopt(argc, argv, args)) != -1) {
+ switch (c) {
+ case 'c':
+ check = true;
+ break;
+
+ case 'd':
+ if (optarg == NULL || *optarg == '\0') debug_syslog = 1;
+ else debug_syslog = atoi(optarg);
+ break;
+
+ case 'h':
+ default:
+ usage(argv[0]);
+ exit(EX_USAGE);
+ }
+ }
+
+ if (check) {
+ use_syslog = false;
+ debug_syslog = 10;
+ config = new_conf();
+ if (config) {
+ config->dump();
 delete config;
 return 0;
 }
@@ -284,6 +295,7 @@
 if (pthread_detach(tid))
 my_syslog("failed to detach config loader thread");
- loader_run = false; // eventually the config loader thread will terminate
+ worker();
+ return EXIT_SUCCESS;
 }
diff -r 2737ab01659a -r 276c4edc8521 src/syslog2iptables.h
--- a/src/syslog2iptables.h Thu Dec 01 17:17:37 2005 -0800
+++ b/src/syslog2iptables.h Fri Dec 02 17:52:44 2005 -0800
@@ -1,1 +1,2 @@
 void my_syslog(char *text);
+extern int debug_syslog;
diff -r 2737ab01659a -r 276c4edc8521 src/syslogconfig.cpp
--- a/src/syslogconfig.cpp Thu Dec 01 17:17:37 2005 -0800
+++ b/src/syslogconfig.cpp Fri Dec 02 17:52:44 2005 -0800
@@ -101,11 +101,6 @@
 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
 int ip = (*i).first;
 bucket &b = (*i).second;
-// in_addr ad;
-// ad.s_addr = htonl(ip);
-// char buf[maxlen];
-// snprintf(buf, maxlen, "leak %s with %d count", inet_ntoa(ad), n);
-// my_syslog(buf);
 if (b.count <= amount) {
 ch |= b.latch;
 violations.erase(i++);
@@ -122,8 +117,11 @@
 void IPR::changed(CONFIG &con) {
 char buf[maxlen];
 snprintf(buf, maxlen, "%s -F INPUT", iptables);
+ if (debug_syslog > 2) {
 my_syslog(" ");
 my_syslog(buf);
+ }
+
+ system(buf);
 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
 int ip = (*i).first;
 bucket &b = (*i).second;
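Review bot: The `case 'd'` branch can never see a missing argument: with `d:` in the option string getopt requires a value, so `optarg == NULL` is dead, `-d` given last is rejected by getopt as a usage error, and `-d -c` silently feeds `-c` to atoi (level 0) and drops the `-c` flag. atoi also accepts trailing garbage and any range, while the rest of the code only distinguishes levels 0 to 4, so the value should be parsed with strtol and bounded; this daemon appears to run with enough privilege to drive iptables, so rejecting a malformed command line outright is the safer choice. main is complete within the hunk.
```cpp
	case 'd': {
		// "d:" makes the level mandatory, so optarg is never NULL here;
		// reject anything that is not a plain integer in the range the code checks
		char *end = NULL;
		long level = strtol(optarg, &end, 10);
		if (*optarg == '\0' || *end != '\0' || level < 0 || level > 4) {
			usage(argv[0]);
			exit(EX_USAGE);
		}
		debug_syslog = (int)level;
		break;
	}
	// … unchanged: 'c', 'h'/default cases and the check-mode dump …
```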
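Review bot: The new `system(buf)` in IPR::changed runs `<iptables> -F INPUT`, which flushes every rule in the INPUT chain, including any the administrator installed by hand, each time the violation table changes, and between that flush and the re-adds that follow nothing is dropped. A chain owned by this daemon (created once, jumped to from INPUT, and the only thing flushed and refilled here) would confine the effect to its own rules. The return value of system() is also discarded, so a failed or missing iptables leaves the host unprotected without a log line; at minimum `if (system(buf) != 0) my_syslog("iptables flush failed");`. Note the command is handed to /bin/sh with `iptables` from the config file unquoted, and presumably with root privilege since that is what iptables needs. IPR::changed continues past the end of the hunk.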
@@ -131,7 +129,8 @@
 in_addr ad;
 ad.s_addr = htonl(ip);
 snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
- my_syslog(buf);
+ if (debug_syslog > 2) my_syslog(buf);
+ system(buf);
 }
 }
 }
@@ -184,10 +183,10 @@
 if (0 == regexec(&re, buf, nmatch, match, 0)) {
 int s = match[index].rm_so;
 int e = match[index].rm_eo;
- // char bu[maxlen];
- // snprintf(bu, maxlen, "re match from %d to %d", s, e);
- // my_syslog(bu);
 if (s != -1) {
+ if (debug_syslog > 3) {
+ my_syslog(buf); // show lines with matches
+ }
 buf[e] = '\0';
 int ip = ip_address(buf+s);
 if (ip) {
@@ -317,10 +316,13 @@
 }
 }
 else {
+ if (debug_syslog > 1) {
+ snprintf(buf, sizeof(buf), "syslog file %s opened", file_name);
+ my_syslog(buf);
+ }
 lseek(fd, 0, SEEK_END);
 if (fstat(fd, &openfdstat)) {
 close();
- char buf[maxlen];
 snprintf(buf, sizeof(buf), "syslog file %s cannot stat after open", file_name);
 tokp->token_error(buf);
 }
@@ -369,6 +371,10 @@
 void SYSLOGCONFIG::close()
 {
+ if (debug_syslog > 1) {
+ snprintf(buf, sizeof(buf), "syslog file %s closed", file_name);
+ my_syslog(buf);
+ }
 if (fd != -1) ::close(fd);
 fd = -1;
 }
diff -r 2737ab01659a -r 276c4edc8521 src/tokenizer.h
--- a/src/tokenizer.h Thu Dec 01 17:17:37 2005 -0800
+++ b/src/tokenizer.h Fri Dec 02 17:52:44 2005 -0800
@@ -63,8 +63,8 @@
 int nextint();
 void skipeol(); // skip to eol
 void push(char *token) {pending_tokens.push_front(token);};
- char *cur_fn() {return filenames.front();};
- int cur_line() {return linenumbers.front();};
+ const char *cur_fn() {return filenames.empty() ? "" : filenames.front();};
+ int cur_line() {return linenumbers.empty() ? 0 : linenumbers.front();};
 void token_error(const char *err);
 void token_error(const char *fmt, int d, const char *s);
 void token_error(const char *fmt, const char *t, const char *h);
diff -r 2737ab01659a -r 276c4edc8521 syslog2iptables.conf
--- a/syslog2iptables.conf Thu Dec 01 17:17:37 2005 -0800
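Review bot: The string passed to the new `system(buf)` begins with `count=%d`, which on the old side was only a log decoration; the shell now reads it as an environment-variable assignment prefixed to the iptables command, so the command works only because of that sh syntax and would break if it were ever run without a shell. Keep the count in the log text but build the command without it, or better, invoke iptables via fork/execv with an argv so no shell is involved at all. inet_ntoa() yields a plain dotted quad, so the address itself cannot inject anything, but the exit status is again ignored: a rule that fails to install means the source is silently not blocked. The enclosing loop and function start outside the hunk.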
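Review bot: At debug level 4 the new `my_syslog(buf)` re-emits the whole matched syslog line through syslog(3), which this commit moves to LOG_AUTHPRIV; if a watched file receives that facility (the new config watches /var/log/secure, where authpriv messages commonly land, though that depends on the syslog configuration not visible here), the echoed line still contains `sshd ... Failed password ... from X port`, matches the same pattern again, and is echoed and counted once more without end. Logging only the captured address after the terminator is written avoids the loop: `buf[e] = '\0';` followed by `if (debug_syslog > 3) my_syslog(buf + s); // log the capture, never the full line`. The enclosing function starts and ends outside the hunk.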
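Review bot: The new "opened" message writes into `buf` with `sizeof(buf)`, but the only `buf` declared in this function, the `char buf[maxlen]` local on the removed line, is gone, so `buf` now resolves to a member or global whose declaration is outside the hunk; `sizeof(buf)` is only the buffer size if that is an array rather than a pointer, which is worth confirming and worth a comment at the declaration saying the open/close/error messages share it. The message is also emitted before the fstat() check, so a debug trace can show "opened" immediately followed by "cannot stat after open". The enclosing function starts outside the hunk.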
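Review bot: The "closed" message is logged before the `fd != -1` test, so every close() on a file that is not open (open()'s fstat failure path calls close() too) reports a close that did not happen. Guard the message with the same condition: `if (fd != -1) { if (debug_syslog > 1) { snprintf(buf, sizeof(buf), "syslog file %s closed", file_name); my_syslog(buf); } ::close(fd); }` followed by the existing `fd = -1;`. As in open(), `buf` is not a local here, so it must be a member or global declared outside the hunk.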
+++ b/syslog2iptables.conf Fri Dec 02 17:52:44 2005 -0800
@@ -7,14 +7,25 @@
 205.147.39.128/25; // ams
 };
-file "mycisco.log" {
+file "/var/log/cisco.log" {
 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
 index 2; // zero based
 bucket 200;
 };
 };
-file "mymessages.log" {
+file "/var/log/secure" {
+ pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
+ index 1; // zero based
+ bucket 300;
+ };
+ pattern "sshd.*Failed password .* from (.*) port" {
+ index 1; // zero based
+ bucket 300;
+ };
+};
+
+file "/var/log/messages" {
 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
 index 1; // zero based
 bucket 300;
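Review bot: The two new patterns for /var/log/secure overlap: `from (.*) port` also matches the IPv4-mapped form and captures `::ffff:1.2.3.4`, so if every pattern in a file block is tried against each line (not visible in this diff) a mapped address is either counted twice or the second capture is rejected by ip_address(). Restricting the captures to a dotted quad removes the overlap and also keeps the match independent of whatever an attacker puts in the username that precedes `from`: `pattern "sshd.*Failed password .* from ::ffff:([0-9.]+) port"` and `pattern "sshd.*Failed password .* from ([0-9.]+) port"`. /var/log/secure is typically readable only by root, which this daemon presumably already needs for iptables.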