From b7f635aed7e859c1a5f145d3ef89179964cd598d Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sun, 19 Oct 2014 15:39:02 +0200
Subject: [PATCH] guardian: Introduce BlockCount.
It is now possible to define the blocking count when an attacker should be blocked in the configfile.
---
 config/guardian/guardian.pl | 43 ++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 15 deletions(-)
diff --git a/config/guardian/guardian.pl b/config/guardian/guardian.pl
index 5432d5d1ba..86775fe696 100644
--- a/config/guardian/guardian.pl
+++ b/config/guardian/guardian.pl
@@ -34,6 +34,7 @@ require "${General::swroot}/network-functions.pl";
 # Used variables and default values..
 my $configfile = "$General::swroot/guardian/guardian.conf";
+my $blockcount;
 my $ignorefile;
 my $loglevel;
 my $logfile;
@@ -339,7 +340,7 @@ sub checkaction {
 my ($source, $message) = @_;
 # Do nothing if the source allready has been blocked.
- return 0 if ($addresshash{$source} > 4);
+ return 0 if ($addresshash{$source} >= $blockcount);
 # Check if the source address equals the hosts ip address.
 # This will prevent us from nuking ourselves.
@@ -372,20 +373,8 @@ sub checkaction {
 }
 }
- # Check if the "source" reached our blocking count (4).
- if ( $addresshash{$source} == 4 ) {
- # Write out log message.
- &logger("info", "Blocking $source: $message\n");
-
- # Block the source address.
- &call_block($source);
-
- # Update the addresshash.
- $addresshash{$source} = $addresshash{$source}+1;
- return 0;
- }
 # Start counting for new source addresses.
- elsif ($addresshash{$source} eq "") {
+ if ($addresshash{$source} eq "") {
 # Set addresshash to "1".
 $addresshash{$source} = 1;
@@ -394,7 +383,20 @@ sub checkaction {
 } else {
 # Increase counting of existing addresses.
 $addresshash{$source} = $addresshash{$source}+1;
- &logger("debug", "Source $source count $addresshash{$source} - No action done yet.\n");
+ &logger("debug", "Source $source current count $addresshash{$source}.\n");
+ }
+
+ # Check if the "source" reached our blocking count (default 3).
+ if ( $addresshash{$source} eq $blockcount ) {
+ # Write out log message.
+ &logger("info", "Blocking $source: $message\n");
+
+ # Block the source address.
+ &call_block($source);
+
+ # Update the addresshash.
+ $addresshash{$source} = $addresshash{$source}+1;
+ return 0;
 }
 }
@@ -537,6 +539,11 @@ sub load_conf {
 $TimeLimit = $1;
 }
+ # Omit BlockCount, when a host shoult be blocked.
+ if (/BlockCount\s+(.*)/) {
+ $blockcount = $1;
+ }
+
 # HostGatewayByte for automatically adding the gateway to
 # the ignore hash.
 if (/HostGatewayByte\s+(.*)/) {
@@ -585,6 +592,12 @@ sub load_conf {
 $options{"d"} = 1;
 }
+ # Check if the BlockCount is a valid number.
+ if (! $blockcount =~ /^\d+$/) {
+ &logger("debug", "Got no or invalid BlockCount from config file. Using default one (5).\n");
+ $blockcount = "3";
+ }
+
 # Check if guardianctrl is available.
 if (! -e $guardianctrl) {
 print "Error! Could not find $guardianctrl. Exiting. \n";
-- 
2.39.5
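Review bot: The new threshold test `if ( $addresshash{$source} eq $blockcount )` compares as strings, while the early return at the top of checkaction compares the same two values numerically with `>=`. A configured value that is numerically equal to the count but spelled differently (for example `03`, or a value with trailing whitespace captured by `(.*)` in load_conf) never satisfies `eq`, and on the following event the `>=` guard returns before any block is issued, so the source is counted but never blocked. Use `if ( $addresshash{$source} == $blockcount ) {` so both checks agree. checkaction begins before this hunk.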
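Review bot: The pattern `/BlockCount\s+(.*)/` is unanchored and captures everything up to the end of the line, so a commented-out `# BlockCount 5` line or trailing whitespace ends up in `$blockcount` unless the surrounding loop, which is outside this hunk, already strips those. It mirrors the existing HostGatewayByte pattern, but here the value feeds the comparisons that decide whether a host gets blocked. Capturing only digits, `if (/^\s*BlockCount\s+(\d+)\s*$/) {`, keeps malformed values out at parse time. The comment would read better as `# BlockCount: the count at which a host is blocked.`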
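Review bot: The validity check `if (! $blockcount =~ /^\d+$/)` does not test what it is meant to: `!` binds tighter than `=~`, so the regex is matched against the result of `!$blockcount`, and any non-empty, non-zero string such as `abc` skips the fallback. A non-numeric value then evaluates to 0 in `$addresshash{$source} >= $blockcount` in checkaction, which is already true on the first event, so checkaction returns before anything is counted or blocked and the misconfiguration fails open with no message from this check. Write it as `if (!defined $blockcount || $blockcount !~ /^[1-9]\d*$/) {`, which also keeps 0 falling back to the default, and consider logging the fallback above debug level. The message announces a default of 5 while the code assigns `"3"`; the two should agree.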