# HG changeset patch
# User Matti Hamalainen
# Date 1250369002 -10800
# Node ID 61b6d742c49cc9e8530d9b1262cfac9df4cb56e2
# Parent 34dcb7462043592f5cd066d3fc23424045c3cd12
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.

diff -r 34dcb7462043 -r 61b6d742c49c example.conf
--- a/example.conf Sat Aug 15 23:21:30 2009 +0300
+++ b/example.conf Sat Aug 15 23:43:22 2009 +0300
@@ -24,9 +24,15 @@
 #############################################################################
 ### Actions, etc. settings
 #############################################################################
-## Weeding treshold in hours. Entries older than this will be "weeded"
-## off from current netfilter settings.
-#WEEDPERIOD = 150
+## Weeding treshold in hours. Entries older than this will be removed
+## off from current netfilter settings (e.g. they become unblocked again.)
+#WEED_BLOCK = 168
+
+## For how many hours to keep general information about IP. Affects from
+## how long period statistics dump shows data. Also hitcount tresholds
+## take the old data into account, meaning that if WEED_BLOCK < WEED_GLOBAL
+## hit data older than WEED_BLOCK will be counted towards THRESHOLD.
+#WEED_GLOBAL = 336
 
 ## How many "hits" the IP needs until it is eligible to be blocked.
 ## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
diff -r 34dcb7462043 -r 61b6d742c49c maltfilter
--- a/maltfilter Sat Aug 15 23:21:30 2009 +0300
+++ b/maltfilter Sat Aug 15 23:43:22 2009 +0300
@@ -22,7 +22,8 @@
 my %settings = (
 "VERBOSITY" => 3,
 "DRY_RUN" => 1,
- "WEEDPERIOD" => 150,
+ "WEED_BLOCK" => 168,
+ "WEED_GLOBAL" => 336,
 "TRESHOLD" => 3,
 "ACTION" => "DROP",
 "LOGFILE" => "",
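Review bot: Existing configuration files that still set `WEEDPERIOD` are not migrated by this change; how the config loader treats a key that no longer exists in `%settings` is not visible here, but unless it rejects unknown keys such installs presumably fall silently to the new 168/336-hour defaults, lengthening the block window from the previous 150 hours. A one-line mapping after the config is read, `$settings{"WEED_BLOCK"} = $settings{"WEEDPERIOD"} if defined $settings{"WEEDPERIOD"};`, or an `mlog` warning when the obsolete key appears, would make the transition visible to operators. The new example.conf comment also says old hit data is "counted towards THRESHOLD" while the setting is spelled `TRESHOLD` in `%settings`, so the comment should use the key name as it must actually be written in the file. The `%settings` initializer continues past the end of this hunk.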
@@ -339,6 +340,26 @@ return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"}; } +sub get_period($) +{ + my ($str, $r, $k); + if ($_[0] > 30 * 24) { + $r = $_[0] / (30 * 24); + $k = $_[0] % (30 * 24); + $str = sprintf("%d months", $r); + $str .= sprintf(", %d days", $k) if ($k > 0); + } elsif ($_[0] > 24 * 7) { + $str = sprintf("%1.1f weeks", $_[0] / 24); + } elsif ($_[0] > 24) { + $r = $_[0] / 24; + $k = $_[0] % 24; + $str = sprintf("%d days", $r); + $str .= sprintf(", %d hours", $k) if ($k > 0); + } else { + $str = sprintf("%d hours", $_[0]); + } + return $str; +} sub generate_status($$) { @@ -366,28 +387,19 @@ "); printH($m, $f, 1, "Maltfilter v$progversion status report"); - my $val = $settings{"WEEDPERIOD"}; - my $period; - - if ($val > 30 * 24) { - $period = sprintf("%1.1f months", $val / (30.0 * 24.0)); - } elsif ($val > 24 * 7) { - $period = sprintf("%1.1f weeks", $val / 24); - } elsif ($val > 24) { - $period = sprintf("%d days", $val / 24); - } else { - $period = sprintf("%d hours", $val); - } + my $period = get_period($settings{"WEED_GLOBAL"}); printP($m, $f, "Generated ".bb($m).$mtime.eb($m).". Data computed from ". ($reportmode ? "complete logfile scan" : "a period of last $period").".\n"); + printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n". "blocked IP that was in Netfilter before Maltfilter was started.\n"); printH($m, $f, 2, "Currently blocked entries"); + $period = get_period($settings{"WEED_BLOCK"}); printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n". - "a report-only mode)."); + "a report-only mode). Data from period of $period.\n"); printTable1($m, $f, \%statlist, \%blocklist, \&cmp_hits); printH($m, $f, 2, "Summary of non-ignored entries"); 
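Review bot: The weeks branch of the new `get_period` divides by 24 instead of 24 * 7, so the value is computed in days while labelled weeks; the removed block in the second hunk had the same mistake and the refactor carries it over unchanged. With the defaults introduced by this commit, `get_period(336)` prints "14.0 weeks" in the status report where "2.0 weeks" is meant (168 itself falls through to the days branch because the comparison is strict and prints "7 days"). The fix is `$str = sprintf("%1.1f weeks", $_[0] / (24 * 7));`. A blank line between the new `}` and `sub generate_status($$)`, plus a `### ...` header comment above `get_period` stating that the argument is a number of hours, would match the style of the surrounding subs.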
@@ -478,9 +490,14 @@
 
 ### Check if given timestamp is _newer_ than weedperiod threshold.
 ### Returns false if timestamp is over weed period, e.g. needs weeding.
-sub check_time($)
+sub check_time1($)
 {
- return ($_[0] >= time() - ($settings{"WEEDPERIOD"} * 60 * 60));
+ return ($_[0] >= time() - ($settings{"WEED_BLOCK"} * 60 * 60));
+}
+
+sub check_time2($)
+{
+ return ($_[0] >= time() - ($settings{"WEED_GLOBAL"} * 60 * 60));
 }
 
 ### Weed out old entries
@@ -504,7 +521,7 @@
 foreach my $mip (@mips) {
 if (defined($blocklist{$mip})) {
 if ($blocklist{$mip} >= 0) {
- weed_do($mip) unless check_time($blocklist{$mip});
+ weed_do($mip) unless check_time1($blocklist{$mip});
 } else {
 weed_do($mip);
 }
@@ -515,7 +532,7 @@
 foreach my $mip (keys %statlist) {
 if (defined($statlist{$mip})) {
 my $mtime = $statlist{$mip}{"date2"};
- if (!check_time($mtime) && !defined($blocklist{$mip})) {
+ if (!check_time2($mtime) && !defined($blocklist{$mip})) {
 mlog(3, "* Deleting stale $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n");
 delete($statlist{$mip});
 }
@@ -525,7 +542,7 @@
 foreach my $mip (keys %ignorelist) {
 if (defined($ignorelist{$mip})) {
 my $mtime = $ignorelist{$mip}{"date2"};
- if (!check_time($mtime)) {
+ if (!check_time2($mtime)) {
 mlog(3, "* Deleting stale ignored $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n");
 delete($ignorelist{$mip});
 }
@@ -588,7 +605,7 @@
 }
 
 # Check if we have exceeded treshold etc.
- if ($cnt >= $settings{"TRESHOLD"} && check_time($mdate)) {
+ if ($cnt >= $settings{"TRESHOLD"} && check_time1($mdate)) {
 # Add to blocklist, unless already there.
 if (!defined($blocklist{$mip})) {
 mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n");
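Review bot: `check_time1` and `check_time2` say nothing about which period each enforces, and the comment above them still describes a single "weedperiod threshold", so every call site in the -504, -515, -525 and -588 hunks now needs a lookup to know whether the block window or the statistics retention window applies. Names such as `check_time_block` and `check_time_global`, or at least one comment per sub, `### True if the timestamp is within WEED_BLOCK hours of now (block still active).` and `### True if the timestamp is within WEED_GLOBAL hours of now (statistics still kept).`, would make the call sites self-explaining. Neither setting is range-checked where the config is read (not visible here); from the visible formula a zero or negative `WEED_BLOCK` makes `check_time1` false for every past timestamp, so no address would ever be blocked in the -588 hunk and existing blocks would be weeded on the next pass, which argues for a sanity check at load time.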