guardian: Rework checkaction subfunction.
authorStefan Schantl <stefan.schantl@ipfire.org>
Thu, 5 Feb 2015 18:43:01 +0000 (19:43 +0100)
committerStefan Schantl <stefan.schantl@ipfire.org>
Thu, 5 Feb 2015 18:43:01 +0000 (19:43 +0100)
* Fix blocking if count is set to "1".
* Fix addresses on the ignore list not being ignored in some cases.

config/guardian/guardian

index aadb0af4d07bf12b6901434462090421b24dfae0..e5bf24515a23e1a9a2917404e1e0783583e443f9 100644 (file)
@@ -374,13 +374,6 @@ sub init_fileposition {
 sub checkaction {
        my ($source, $message) = @_;
 
-       # Call block subfunction again if we got a higher count than the
-       # configured blockcount.
-       if ($addresshash{$source} >= $blockcount) {
-               &call_block($source);
-               return 0;
-       }
-
        # Check if the source address equals the hosts ip address.
        # This will prevent us from nuking ourselves.
        return 1 if ($source eq $hostipaddr);
@@ -389,7 +382,7 @@ sub checkaction {
        return 1 if ($source eq $gatewayaddr);
 
        # Watch if the source address is part of our ignore list.
-       if ($ignorehash{$source} == 1) {
+       if (exists $ignorehash{$source}) {
                &logger("info", "Ignoring attack because $source is in my ignore list!\n");
                return 1;
        }
@@ -413,30 +406,26 @@ sub checkaction {
        }
 
        # Start counting for new source addresses.
-       if ($addresshash{$source} eq "") {
-               # Set addresshash to "1".
-               $addresshash{$source} = 1;
-
+       unless (exists $addresshash{$source}) {
                &logger("debug", "Start counting for $source\n");
-               return 0;
+
+               # Set count to "1".
+               $addresshash{$source} = 1;
        } else {
                # Increase counting of existing addresses.
                $addresshash{$source} = $addresshash{$source} + 1;
                &logger("debug", "Source $source current count $addresshash{$source}.\n");
        }
 
-       # Check if the "source" reached our blocking count (default 3).
-       if ($addresshash{$source} eq $blockcount ) {
+       # Check if the "source" has reached or passed the block count (default 3).
+       if ($addresshash{$source} >= $blockcount ) {
                # Write out log message.
                &logger("info", "Blocking $source: $message\n");
 
                # Block the source address.
                &call_block($source);
-
-               # Update the addresshash.
-               $addresshash{$source} = $addresshash{$source} + 1;
-               return 0;
        }
+
 }
 
 #
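Review bot: checkaction now falls off the end of the sub on the counting path without an explicit return, while the host, gateway and ignore-list paths still `return 1`, so any caller that tests the return value gets whatever the final `if` expression evaluated to instead of the `return 0` the removed lines provided. Add `return 0;` just before the closing brace so the contract stays what it was; whether a caller actually reads the value cannot be seen from this diff. With `>=` every hit after the threshold re-enters call_block, which per the later hunk unblocks and re-blocks the address; the removed top-of-function check did the same, so this is not a regression, but a line such as `# Every hit past the threshold re-blocks and refreshes the expire time.` above the check would make that intent explicit.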
@@ -857,7 +846,7 @@ sub call_block ($) {
        # Check if the address currently is not blocked.
        if ($blockhash{"$address"} eq "") {
                # Call guardianctrl to block the address.
-               system("$guardianctrl block $address");
+               system("$guardianctrl block $address >/dev/null 2>&1");
        }
 
        # Reblock an address if it already has been blocked,
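Review bot: `$address` is still interpolated into a single shell string on the `system` line, and the added `>/dev/null 2>&1` redirect means the command now always runs through /bin/sh, so anything in `$address` other than a plain address would be interpreted by the shell. If the value comes from parsed log lines, as the source/counting logic earlier in this diff suggests, validate it before the call, e.g. `return unless $address =~ /\A[0-9a-fA-F.:]+\z/;` at the top of call_block (whose header is outside this hunk). The shell is also what makes the redirect work, so the list form of `system` is not a drop-in replacement here.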
@@ -867,10 +856,10 @@ sub call_block ($) {
        elsif (exists $blockhash{"$address"}) {
                # Try to unblock the address to prevent from
                # doubble entries in iptables chain.
-               system("$guardianctrl unblock $address");
+               system("$guardianctrl unblock $address >/dev/null 2>&1");
 
                # Call guardianctrl to block the address.
-               system("$guardianctrl block $address");
+               system("$guardianctrl block $address >/dev/null 2>&1");
        }
 
        # Store/update the generated expire time.
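Review bot: Discarding stderr on the unblock and block calls makes a guardianctrl failure silent, and none of the three `system` calls in this hunk checks its return value, so the expire time announced by the last comment line (stored outside the hunk) is recorded even when nothing was actually blocked. Consider `&logger("info", "guardianctrl failed to block $address\n") if system("$guardianctrl block $address >/dev/null 2>&1") != 0;` on the block lines, using whichever level the rest of the file reserves for failures; only info and debug are visible in this diff. The same applies to the single call in call_unblock in the following hunk.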
@@ -884,7 +873,7 @@ sub call_unblock ($) {
        my $address = $_[0];
 
        # Call guardianctrl to unblock the address.
-       system ("$guardianctrl unblock $address");
+       system ("$guardianctrl unblock $address >/dev/null 2>&1");
 }
 
 #