You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
509 lines
14 KiB
509 lines
14 KiB
/* Copyright 2016 Alex 'AdUser' Z (ad_user@runbox.com) |
|
* |
|
* This program is free software; you can redistribute it and/or modify |
|
* it under the terms of the GNU General Public License version 2 as |
|
* published by the Free Software Foundation. |
|
*/ |
|
#include "common.h" |
|
#include "jail.h" |
|
|
|
#define DEFAULT_BANTIME 3600 /* in seconds, 1 hour */ |
|
#define DEFAULT_FINDTIME 300 /* in seconds, 5 min */ |
|
#define DEFAULT_EXPIRETIME 14400 /* in seconds, 4 hours */ |
|
#define DEFAULT_MAXRETRY 5 |
|
|
|
f2b_jail_t *jails = NULL; |
|
|
|
static f2b_jail_t defaults = { |
|
.bantime = DEFAULT_BANTIME, |
|
.findtime = DEFAULT_FINDTIME, |
|
.maxretry = DEFAULT_MAXRETRY, |
|
}; |
|
|
|
void |
|
f2b_jail_parse_compound_value(const char *value, char *name, char *init) { |
|
size_t len = 0; |
|
char *p = NULL; |
|
|
|
if ((p = strchr(value, ':')) == NULL) { |
|
/* param = name */ |
|
strlcpy(name, value, CONFIG_KEY_MAX); |
|
return; |
|
} |
|
|
|
/* param = name:init_string */ |
|
len = p - value; |
|
if (len >= CONFIG_KEY_MAX) { |
|
f2b_log_msg(log_warn, "'name' part of value exceeds max length %d bytes: %s", CONFIG_KEY_MAX, value); |
|
return; |
|
} |
|
|
|
strlcpy(name, value, len + 1); /* ':' acts as '\0' */ |
|
strlcpy(init, (p + 1), CONFIG_VAL_MAX); |
|
return; |
|
} |
|
|
|
bool |
|
f2b_jail_set_param(f2b_jail_t *jail, const char *param, const char *value) { |
|
assert(jail != NULL); |
|
assert(param != NULL); |
|
assert(value != NULL); |
|
|
|
if (strcmp(param, "enabled") == 0) { |
|
if (strcmp(value, "yes") == 0) { |
|
jail->flags |= JAIL_ENABLED; |
|
} else { |
|
jail->flags &= ~JAIL_ENABLED; |
|
} |
|
return true; |
|
} |
|
if (strcmp(param, "bantime") == 0) { |
|
jail->bantime = atoi(value); |
|
if (jail->bantime <= 0) |
|
jail->bantime = DEFAULT_BANTIME; |
|
return true; |
|
} |
|
if (strcmp(param, "findtime") == 0) { |
|
jail->findtime = atoi(value); |
|
if (jail->findtime <= 0) |
|
jail->findtime = DEFAULT_FINDTIME; |
|
return true; |
|
} |
|
if (strcmp(param, "expiretime") == 0) { |
|
jail->expiretime = atoi(value); |
|
if (jail->expiretime <= 0) |
|
jail->expiretime = DEFAULT_EXPIRETIME; |
|
return true; |
|
} |
|
if (strcmp(param, "maxretry") == 0) { |
|
jail->maxretry = atoi(value); |
|
if (jail->maxretry == 0) |
|
jail->maxretry = DEFAULT_MAXRETRY; |
|
return true; |
|
} |
|
if (strcmp(param, "incr_bantime") == 0) { |
|
jail->incr_bantime = atof(value); |
|
return true; |
|
} |
|
if (strcmp(param, "incr_findtime") == 0) { |
|
jail->incr_findtime = atof(value); |
|
return true; |
|
} |
|
return false; |
|
} |
|
|
|
void |
|
f2b_jail_apply_config(f2b_jail_t *jail, f2b_config_section_t *section) { |
|
f2b_config_param_t *param = NULL; |
|
|
|
assert(jail != NULL); |
|
assert(section != NULL); |
|
assert(section->type == t_jail || section->type == t_defaults); |
|
|
|
for (param = section->param; param != NULL; param = param->next) { |
|
if (strcmp(param->name, "source") == 0) { |
|
f2b_jail_parse_compound_value(param->value, jail->source_name, jail->source_init); |
|
continue; |
|
} |
|
if (strcmp(param->name, "filter") == 0) { |
|
f2b_jail_parse_compound_value(param->value, jail->filter_name, jail->filter_init); |
|
continue; |
|
} |
|
if (strcmp(param->name, "backend") == 0) { |
|
f2b_jail_parse_compound_value(param->value, jail->backend_name, jail->backend_init); |
|
continue; |
|
} |
|
if (f2b_jail_set_param(jail, param->name, param->value)) |
|
continue; |
|
f2b_log_msg(log_warn, "jail '%s': unrecognized parameter: %s", jail->name, param->name); |
|
} |
|
|
|
return; |
|
} |
|
|
|
void |
|
f2b_jail_set_defaults(f2b_config_section_t *section) { |
|
assert(section != NULL); |
|
assert(section->type == t_defaults); |
|
|
|
f2b_jail_apply_config(&defaults, section); |
|
|
|
return; |
|
} |
|
|
|
bool |
|
f2b_jail_ban(f2b_jail_t *jail, f2b_ipaddr_t *addr) { |
|
time_t bantime = 0; |
|
assert(jail != NULL); |
|
assert(addr != NULL); |
|
|
|
addr->matches.hits = 0; |
|
addr->matches.used = 0; |
|
addr->banned = true; |
|
addr->banned_at = addr->lastseen; |
|
if (jail->incr_bantime > 0) { |
|
bantime = jail->bantime + (int) (addr->bancount * (jail->bantime * jail->incr_bantime)); |
|
} else { |
|
bantime = jail->bantime; |
|
} |
|
addr->bancount++; |
|
addr->release_at = addr->banned_at + bantime; |
|
jail->bancount++; |
|
|
|
if (f2b_backend_check(jail->backend, addr->text)) { |
|
f2b_log_msg(log_warn, "jail '%s': ip %s was already banned", jail->name, addr->text); |
|
return true; |
|
} |
|
|
|
if (f2b_backend_ban(jail->backend, addr->text)) { |
|
f2b_log_msg(log_note, "jail '%s': banned ip %s for %.1fhrs", |
|
jail->name, addr->text, (float) bantime / 3600); |
|
return true; |
|
} |
|
|
|
f2b_log_msg(log_error, "jail '%s': can't ban ip %s -- %s", |
|
jail->name, addr->text, f2b_backend_error(jail->backend)); |
|
return false; |
|
} |
|
|
|
bool |
|
f2b_jail_unban(f2b_jail_t *jail, f2b_ipaddr_t *addr) { |
|
assert(jail != NULL); |
|
assert(addr != NULL); |
|
|
|
addr->banned = false; |
|
addr->banned_at = 0; |
|
addr->release_at = 0; |
|
|
|
if (f2b_backend_unban(jail->backend, addr->text)) { |
|
f2b_log_msg(log_note, "jail '%s': released ip %s", jail->name, addr->text); |
|
return true; |
|
} |
|
|
|
f2b_log_msg(log_error, "jail '%s': can't release ip %s -- %s", |
|
jail->name, addr->text, f2b_backend_error(jail->backend)); |
|
return false; |
|
} |
|
|
|
f2b_jail_t * |
|
f2b_jail_create(f2b_config_section_t *section) { |
|
f2b_jail_t *jail = NULL; |
|
|
|
assert(section != NULL); |
|
assert(section->type == t_jail); |
|
|
|
if ((jail = calloc(1, sizeof(f2b_jail_t))) == NULL) { |
|
f2b_log_msg(log_error, "calloc() for new jail failed"); |
|
return NULL; |
|
} |
|
|
|
memcpy(jail, &defaults, sizeof(f2b_jail_t)); |
|
strlcpy(jail->name, section->name, sizeof(jail->name)); |
|
f2b_jail_apply_config(jail, section); |
|
|
|
return jail; |
|
} |
|
|
|
f2b_jail_t * |
|
f2b_jail_find(f2b_jail_t *list, const char *name) { |
|
assert(name != NULL); |
|
|
|
for (; list != NULL; list = list->next) |
|
if (strcmp(list->name, name) == 0) |
|
return list; |
|
|
|
return NULL; |
|
} |
|
|
|
size_t |
|
f2b_jail_process(f2b_jail_t *jail) { |
|
f2b_ipaddr_t *prev = NULL; |
|
f2b_ipaddr_t *addr = NULL; |
|
size_t processed = 0; |
|
char line[LOGLINE_MAX] = ""; |
|
char matchbuf[IPADDR_MAX] = ""; |
|
time_t now = time(NULL); |
|
time_t findtime = 0; |
|
time_t expiretime = 0; |
|
bool remove = false; |
|
bool reset = true; /* source reset */ |
|
|
|
assert(jail != NULL); |
|
|
|
f2b_log_msg(log_debug, "jail '%s': processing", jail->name); |
|
|
|
f2b_backend_ping(jail->backend); |
|
|
|
while (f2b_source_next(jail->source, line, sizeof(line), reset)) { |
|
reset = false; |
|
if (!f2b_filter_match(jail->filter, line, matchbuf, sizeof(matchbuf))) |
|
continue; |
|
/* some regex matches the line */ |
|
jail->matchcount++; |
|
addr = f2b_addrlist_lookup(jail->ipaddrs, matchbuf); |
|
if (!addr) { |
|
addr = f2b_ipaddr_create(matchbuf, jail->maxretry); |
|
jail->ipaddrs = f2b_addrlist_append(jail->ipaddrs, addr); |
|
f2b_log_msg(log_debug, "jail '%s': new ip found -- %s", jail->name, matchbuf); |
|
} |
|
addr->lastseen = now; |
|
if (addr->banned) { |
|
if (addr->banned_at != now) |
|
f2b_log_msg(log_warn, "jail '%s': ip %s was already banned", jail->name, matchbuf); |
|
continue; |
|
} |
|
if (jail->incr_findtime > 0 && addr->matches.hits > jail->maxretry) { |
|
findtime = now - jail->findtime; |
|
findtime -= (int) ((addr->matches.hits - jail->maxretry) * |
|
(jail->findtime * jail->incr_findtime)); |
|
} else { |
|
findtime = now - jail->findtime; |
|
} |
|
f2b_matches_expire(&addr->matches, findtime); |
|
f2b_matches_append(&addr->matches, now); |
|
if (addr->matches.used < jail->maxretry) { |
|
f2b_log_msg(log_info, "jail '%s': new ip match -- %s (%zu/%zu)", |
|
jail->name, matchbuf, addr->matches.used, addr->matches.max); |
|
continue; |
|
} |
|
/* limit reached, ban ip */ |
|
f2b_jail_ban(jail, addr); |
|
} /* while(1) */ |
|
|
|
for (addr = jail->ipaddrs, prev = NULL; addr != NULL; ) { |
|
remove = false; |
|
/* check release time */ |
|
if (addr->banned && now > addr->release_at) |
|
f2b_jail_unban(jail, addr); |
|
/* check expiration */ |
|
expiretime = (addr->lastseen >= addr->release_at) |
|
? addr->lastseen |
|
: addr->release_at; |
|
expiretime += jail->expiretime; |
|
if (now > expiretime) { |
|
f2b_log_msg(log_info, "jail '%s': expired ip -- %s", |
|
jail->name, addr->text); |
|
remove = true; |
|
} |
|
/* list cleanup */ |
|
if (!remove) { |
|
prev = addr, addr = addr->next; |
|
continue; |
|
} |
|
/* remove from list */ |
|
if (prev == NULL) { |
|
/* first item in list */ |
|
jail->ipaddrs = addr->next; |
|
f2b_ipaddr_destroy(addr); |
|
addr = jail->ipaddrs; |
|
} else { |
|
/* somewhere in list */ |
|
prev->next = addr->next; |
|
f2b_ipaddr_destroy(addr); |
|
addr = prev->next; |
|
} |
|
} |
|
|
|
return processed; |
|
} |
|
|
|
bool |
|
f2b_jail_init(f2b_jail_t *jail, f2b_config_t *config) { |
|
f2b_config_section_t * s_section = NULL; |
|
f2b_config_section_t * b_section = NULL; |
|
f2b_config_section_t * f_section = NULL; |
|
|
|
assert(jail != NULL); |
|
assert(config != NULL); |
|
|
|
/* source */ |
|
if (jail->source_name[0] == '\0') { |
|
f2b_log_msg(log_error, "jail '%s': missing 'source' parameter", jail->name); |
|
return false; |
|
} |
|
if ((s_section = f2b_config_section_find(config->sources, jail->source_name)) == NULL) { |
|
f2b_log_msg(log_error, "jail '%s': no source with name '%s'", jail->name, jail->source_name); |
|
return false; |
|
} |
|
|
|
/* filter */ |
|
if (jail->filter_name[0] == '\0') { |
|
f2b_log_msg(log_error, "jail '%s': missing 'filter' parameter", jail->name); |
|
return false; |
|
} |
|
if ((f_section = f2b_config_section_find(config->filters, jail->filter_name)) == NULL) { |
|
f2b_log_msg(log_error, "jail '%s': no filter with name '%s'", jail->name, jail->filter_name); |
|
return false; |
|
} |
|
|
|
/* backend */ |
|
if (jail->backend_name[0] == '\0') { |
|
f2b_log_msg(log_error, "jail '%s': missing 'backend' parameter", jail->name); |
|
return false; |
|
} |
|
if ((b_section = f2b_config_section_find(config->backends, jail->backend_name)) == NULL) { |
|
f2b_log_msg(log_error, "jail '%s': no backend with name '%s'", jail->name, jail->backend_name); |
|
return false; |
|
} |
|
|
|
/* init all */ |
|
if ((jail->source = f2b_source_create(s_section, jail->source_init, f2b_log_error_cb)) == NULL) { |
|
f2b_log_msg(log_error, "jail '%s': no regexps loaded from '%s'", jail->name, jail->source_init); |
|
goto cleanup; |
|
} |
|
if (!f2b_source_start(jail->source)) { |
|
f2b_log_msg(log_warn, "jail '%s': source action 'start' failed -- %s", |
|
jail->name, f2b_source_error(jail->source)); |
|
goto cleanup; |
|
} |
|
|
|
if ((jail->filter = f2b_filter_create(f_section, jail->filter_init)) == NULL) { |
|
f2b_log_msg(log_error, "jail '%s': no regexps loaded from '%s'", jail->name, jail->filter_init); |
|
goto cleanup; |
|
} |
|
|
|
if ((jail->backend = f2b_backend_create(b_section, jail->backend_init)) == NULL) { |
|
f2b_log_msg(log_error, "jail '%s': can't init backend '%s' with %s", |
|
jail->name, jail->backend_name, jail->backend_init); |
|
goto cleanup; |
|
} |
|
if (!f2b_backend_start(jail->backend)) { |
|
f2b_log_msg(log_warn, "jail '%s': backend action 'start' failed -- %s", |
|
jail->name, f2b_backend_error(jail->backend)); |
|
goto cleanup; |
|
} |
|
|
|
f2b_log_msg(log_debug, "jail '%s' init complete", jail->name); |
|
|
|
return true; |
|
|
|
cleanup: |
|
if (jail->source) |
|
f2b_source_destroy(jail->source); |
|
if (jail->filter) |
|
f2b_filter_destroy(jail->filter); |
|
if (jail->backend) |
|
f2b_backend_destroy(jail->backend); |
|
return false; |
|
} |
|
|
|
bool |
|
f2b_jail_stop(f2b_jail_t *jail) { |
|
bool errors = false; |
|
|
|
assert(jail != NULL); |
|
|
|
f2b_log_msg(log_info, "jail '%s': gracefull shutdown", jail->name); |
|
|
|
if (!f2b_source_stop(jail->source)) { |
|
f2b_log_msg(log_error, "jail '%s': action 'stop' for source failed: %s", |
|
jail->name, f2b_source_error(jail->source)); |
|
errors = true; |
|
} |
|
|
|
f2b_source_destroy(jail->source); |
|
f2b_filter_destroy(jail->filter); |
|
|
|
for (f2b_ipaddr_t *addr = jail->ipaddrs; addr != NULL; addr = addr->next) { |
|
if (!addr->banned) |
|
continue; |
|
if (f2b_jail_unban(jail, addr)) |
|
continue; |
|
errors = true; |
|
} |
|
f2b_addrlist_destroy(jail->ipaddrs); |
|
|
|
if (!f2b_backend_stop(jail->backend)) { |
|
f2b_log_msg(log_error, "jail '%s': action 'stop' for backend failed: %s", |
|
jail->name, f2b_backend_error(jail->backend)); |
|
errors = true; |
|
} |
|
|
|
return errors; |
|
} |
|
|
|
void |
|
f2b_jail_cmd_status(char *res, size_t ressize, f2b_jail_t *jail) { |
|
const char *fmt = |
|
"name: %s\n" |
|
"flags:\n" |
|
" enabled: %s\n" |
|
"maxretry: %d\n" |
|
"times:\n" |
|
" bantime: %d\n" |
|
" findtime: %d\n" |
|
" expiretime: %d\n" |
|
"incr:\n" |
|
" bantime: %.1f\n" |
|
" findtime: %.1f\n" |
|
"stats:\n" |
|
" banned: %d\n" |
|
" matched: %d\n"; |
|
|
|
assert(res != NULL); |
|
assert(jail != NULL); |
|
|
|
snprintf(res, ressize, fmt, jail->name, |
|
jail->flags & JAIL_ENABLED ? "yes" : "no", |
|
jail->maxretry, |
|
jail->bantime, jail->findtime, jail->expiretime, |
|
jail->incr_bantime, jail->incr_findtime, |
|
jail->bancount, jail->matchcount); |
|
} |
|
|
|
void |
|
f2b_jail_cmd_set(char *res, size_t ressize, f2b_jail_t *jail, const char *param, const char *value) { |
|
assert(res != NULL); |
|
assert(jail != NULL); |
|
assert(param != NULL); |
|
assert(value != NULL); |
|
|
|
if (f2b_jail_set_param(jail, param, value)) |
|
return; |
|
snprintf(res, ressize, "parameter not found: %s", param); |
|
} |
|
|
|
/** |
|
* @brief misc operations on ip in given jail |
|
* @param res response buffer (don't change if no error) |
|
* @param ressize response buffer size |
|
* @param jail selected jail |
|
* @param op Type of operation: >0 - ban, 0 - status, <0 - unban |
|
* @param ip IP address |
|
*/ |
|
void |
|
f2b_jail_cmd_ip_xxx(char *res, size_t ressize, f2b_jail_t *jail, int op, const char *ip) { |
|
f2b_ipaddr_t *addr = NULL; |
|
|
|
assert(res != NULL); |
|
assert(jail != NULL); |
|
assert(ip != NULL); |
|
|
|
if ((addr = f2b_addrlist_lookup(jail->ipaddrs, ip)) == NULL) { |
|
/* address not found in list */ |
|
if (op > 0) { |
|
/* ban */ |
|
time_t now = time(NULL); |
|
addr = f2b_ipaddr_create(ip, jail->maxretry); |
|
if (!addr) { |
|
snprintf(res, ressize, "can't parse ip address: %s", ip); |
|
return; |
|
} |
|
addr->lastseen = now; |
|
f2b_matches_append(&addr->matches, now); |
|
jail->ipaddrs = f2b_addrlist_append(jail->ipaddrs, addr); |
|
} else { |
|
/* unban & status */ |
|
snprintf(res, ressize, "can't find ip '%s' in jail '%s'", ip, jail->name); |
|
return; |
|
} |
|
} |
|
|
|
if (op > 0) { |
|
f2b_jail_ban(jail, addr); |
|
} else if (op < 0) { |
|
f2b_jail_unban(jail, addr); |
|
} else { |
|
f2b_ipaddr_status(addr, res, ressize); |
|
} |
|
}
|
|
|