From dc24ebb5d81844521d6c06aa31005b319145c0c7 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 5 Feb 2015 19:43:01 +0100
Subject: [PATCH] guardian: Rework checkaction subfunction.
* Fix blocking if count is set to "1".
* Fix ignoring the ignored elements in some cases.
---
config/guardian/guardian | 35 ++++++++++++-----------------------
1 file changed, 12 insertions(+), 23 deletions(-)
diff --git a/config/guardian/guardian b/config/guardian/guardian
index aadb0af4d0..e5bf24515a 100644
--- a/config/guardian/guardian
+++ b/config/guardian/guardian
@@ -374,13 +374,6 @@ sub init_fileposition {
 sub checkaction {
 	my ($source, $message) = @_;
-	# Call block subfunction again if we got a higher count than the
-	# configured blockcount.
-	if ($addresshash{$source} >= $blockcount) {
-		&call_block($source);
-		return 0;
-	}
-
 	# Check if the source address equals the hosts ip address.
 	# This will prevent us from nuking ourselves.
 	return 1 if ($source eq $hostipaddr);
@@ -389,7 +382,7 @@ sub checkaction {
 	return 1 if ($source eq $gatewayaddr);
 	# Watch if the source address is part of our ignore list.
-	if ($ignorehash{$source} == 1) {
+	if (exists $ignorehash{$source}) {
 		&logger("info", "Ignoring attack because $source is in my ignore list!\n");
 		return 1;
 	}
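Review bot: The new `exists $ignorehash{$source}` test is a literal string-key lookup, so an ignore-list entry only takes effect when it is spelled exactly as the alert parser yields `$source` (no CIDR, no leading zeros, no stray whitespace); a comment above the test would save the next maintainer a surprise, e.g. `# Exact-string match: ignore entries must use the same address form the alerts carry.` The switch from `== 1` to `exists` also changes meaning: a key stored with a 0 or undef value is now ignored too, which is only right if the loader never records disabled entries under a key — worth confirming against the code that fills `%ignorehash`. checkaction continues past this hunk.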
@@ -413,30 +406,26 @@ sub checkaction {
 	}
 	# Start counting for new source addresses.
-	if ($addresshash{$source} eq "") {
-		# Set addresshash to "1".
-		$addresshash{$source} = 1;
-
+	unless (exists $addresshash{$source}) {
 		&logger("debug", "Start counting for $source\n");
-		return 0;
+
+		# Set count to "1".
+		$addresshash{$source} = 1;
 	} else {
 		# Increase counting of existing addresses.
 		$addresshash{$source} = $addresshash{$source} + 1;
 		&logger("debug", "Source $source current count $addresshash{$source}.\n");
 	}
-	# Check if the "source" reached our blocking count (default 3).
-	if ($addresshash{$source} eq $blockcount ) {
+	# Check if the "source" has reached or passed the block count (default 3).
+	if ($addresshash{$source} >= $blockcount ) {
 		# Write out log message.
 		&logger("info", "Blocking $source: $message\n");
 		# Block the source address.
 		&call_block($source);
-
-		# Update the addresshash.
-		$addresshash{$source} = $addresshash{$source} + 1;
-		return 0;
 	}
+
 }
 #
@@ -857,7 +846,7 @@ sub call_block ($) {
 	# Check if the address currently is not blocked.
 	if ($blockhash{"$address"} eq "") {
 		# Call guardianctrl to block the address.
-		system("$guardianctrl block $address");
+		system("$guardianctrl block $address >/dev/null 2>&1");
 	}
 	# Reblock an address if it already has been blocked,
@@ -867,10 +856,10 @@ sub call_block ($) {
 	elsif (exists $blockhash{"$address"}) {
 		# Try to unblock the address to prevent from
 		# doubble entries in iptables chain.
-		system("$guardianctrl unblock $address");
+		system("$guardianctrl unblock $address >/dev/null 2>&1");
 		# Call guardianctrl to block the address.
-		system("$guardianctrl block $address");
+		system("$guardianctrl block $address >/dev/null 2>&1");
 	}
 	# Store/update the generated expire time.
@@ -884,7 +873,7 @@ sub call_unblock ($) {
 	my $address = $_[0];
 	# Call guardianctrl to unblock the address.
-	system ("$guardianctrl unblock $address");
+	system ("$guardianctrl unblock $address >/dev/null 2>&1");
 }
 #
-- 
2.39.5
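Review bot: With both `return 0;` statements removed, checkaction has no explicit return on the counting paths: the sub now evaluates to whatever `&call_block($source)` returns when a block is issued, and to the false result of the `>=` comparison otherwise, while the `return 1 if ...` exits earlier in the sub show that callers may well test its value. Add `return 0;` as the last statement before the sub's closing `}` so the contract stays 0 = counted or blocked, 1 = skipped. Note also that the counter is never reset or capped here, so every further alert from a source at or beyond `$blockcount` re-enters `&call_block`, which per the later hunk unblocks and re-blocks the address with two external commands per alert; if that refresh is not intended, `delete $addresshash{$source};` after the block call (or a cap at `$blockcount`) would bound it. The sub's body begins above this hunk.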
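Review bot: Appending `>/dev/null 2>&1` to `system("$guardianctrl block $address ...")` guarantees the string is handed to /bin/sh on every call, so `$address` — text parsed out of IDS alerts — is now always interpolated into a shell command line; a value carrying shell metacharacters would be executed, where previously Perl only spawned a shell when such characters were present (so the exposure existed before but is now unconditional). Validate the address before any `system` in call_block, e.g. `return unless $address =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;` (adjusted to the address forms guardianctrl actually accepts), or use the list form `system($guardianctrl, "block", $address)` and quiet the output by redirecting STDOUT/STDERR around the call instead of via the shell. call_block's signature and the `my $address` line are above this hunk.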
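Review bot: The reblock path's two `system` calls now discard stdout and stderr while their exit status is still never examined, so a failing `guardianctrl unblock` or `block` (iptables error, missing binary, wrong path in `$guardianctrl`) is now completely silent, yet the comment after the hunk indicates the code goes on to store an expire time in `%blockhash` as if the address were filtered. Log the status after each call before that state is recorded, e.g. `&logger("err", "guardianctrl block $address failed: " . ($? >> 8) . "\n") if $?;`. The unblock-then-block sequence also opens a short window in which the address is not filtered at all; whether guardianctrl can refresh a rule in place is not visible here, so this is only worth a comment unless that option exists.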