changeset 26:61b6d742c49c

Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
author Matti Hamalainen <ccr@tnsp.org>
date Sat, 15 Aug 2009 23:43:22 +0300
parents 34dcb7462043
children 632bce74cf38
files example.conf maltfilter
diffstat 2 files changed, 46 insertions(+), 23 deletions(-) [+]
--- a/example.conf	Sat Aug 15 23:21:30 2009 +0300
+++ b/example.conf	Sat Aug 15 23:43:22 2009 +0300
@@ -24,9 +24,15 @@
 #############################################################################
 ### Actions, etc. settings
 #############################################################################
-## Weeding treshold in hours. Entries older than this will be "weeded"
-## off from current netfilter settings.
-#WEEDPERIOD = 150
+## Weeding treshold in hours. Entries older than this will be removed
+## off from current netfilter settings (e.g. they become unblocked again.)
+#WEED_BLOCK = 168
+
+## For how many hours to keep general information about IP. Affects from
+## how long period statistics dump shows data. Also hitcount tresholds
+## take the old data into account, meaning that if WEED_BLOCK < WEED_GLOBAL
+## hit data older than WEED_BLOCK will be counted towards THRESHOLD.
+#WEED_GLOBAL = 336
 
 ## How many "hits" the IP needs until it is eligible to be blocked.
 ## (the "hits" can be from any "source", e.g. sshd crack, httpd, etc.)
--- a/maltfilter	Sat Aug 15 23:21:30 2009 +0300
+++ b/maltfilter	Sat Aug 15 23:43:22 2009 +0300
@@ -22,7 +22,8 @@
 my %settings = (
   "VERBOSITY" => 3,
   "DRY_RUN" => 1,
-  "WEEDPERIOD" => 150,
+  "WEED_BLOCK" => 168,
+  "WEED_GLOBAL" => 336,
   "TRESHOLD" => 3,
   "ACTION" => "DROP",
   "LOGFILE" => "",
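Review bot: Dropping the `WEEDPERIOD` default in favour of `WEED_BLOCK`/`WEED_GLOBAL` leaves nothing that recognises the old key, so an existing installation whose config still sets `WEEDPERIOD` would keep running on the new defaults (168/336 hours) instead of its configured value; the config loader is not in this diff, so this holds only if unknown keys are accepted silently. A warning for the obsolete key at the point where settings are read, or mapping it onto WEED_BLOCK, would make the migration visible. Neither value is checked for being a positive number after loading either, and since both end up multiplied into a cut-off time a non-numeric or zero value would silently make every entry "stale"; a one-line sanity check such as `die "WEED_BLOCK/WEED_GLOBAL must be positive hours\n" unless $settings{"WEED_BLOCK"} > 0 && $settings{"WEED_GLOBAL"} > 0;` after the config is parsed would catch that early.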
@@ -339,6 +340,26 @@
   return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"};
 }
 
+sub get_period($)
+{
+  my ($str, $r, $k);
+  if ($_[0] > 30 * 24) {
+    $r = $_[0] / (30 * 24);
+    $k = $_[0] % (30 * 24);
+    $str = sprintf("%d months", $r);
+    $str .= sprintf(", %d days", $k) if ($k > 0);
+  } elsif ($_[0] > 24 * 7) {
+    $str = sprintf("%1.1f weeks", $_[0] / 24);
+  } elsif ($_[0] > 24) {
+    $r = $_[0] / 24;
+    $k = $_[0] % 24;
+    $str = sprintf("%d days", $r);
+    $str .= sprintf(", %d hours", $k) if ($k > 0);
+  } else {
+    $str = sprintf("%d hours", $_[0]);
+  }
+  return $str;
+}
 
 sub generate_status($$)
 {
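Review bot: The weeks branch (second `elsif`) divides the hour count by 24, so it prints days labelled as weeks — 200 hours comes out as "8.3 weeks" instead of "1.2 weeks"; the divisor should be a week: `$str = sprintf("%1.1f weeks", $_[0] / (24 * 7));`. The same slip was in the removed block of generate_status, so it is carried over rather than introduced, but this is the place to fix it. The `($)` prototype and the repeated `$_[0]` would read better as `my ($hours) = @_;` on the first line with the prototype dropped, since prototypes alter parsing rather than validate the argument. get_period also has no header comment; `### Format a period given in hours as a human-readable months/weeks/days/hours string.` above the sub would match the file's `###` style.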
@@ -366,28 +387,19 @@
 ");
 
   printH($m, $f, 1, "Maltfilter v$progversion status report");
-  my $val = $settings{"WEEDPERIOD"};
-  my $period;
-
-  if ($val > 30 * 24) {
-    $period = sprintf("%1.1f months", $val / (30.0 * 24.0));
-  } elsif ($val > 24 * 7) {
-    $period = sprintf("%1.1f weeks", $val / 24);
-  } elsif ($val > 24) {
-    $period = sprintf("%d days", $val / 24);
-  } else {
-    $period = sprintf("%d hours", $val);
-  }
+  my $period = get_period($settings{"WEED_GLOBAL"});
 
   printP($m, $f,
   "Generated ".bb($m).$mtime.eb($m).". Data computed from ".
   ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");
+
   printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n".
   "blocked IP that was in Netfilter before Maltfilter was started.\n");
 
   printH($m, $f, 2, "Currently blocked entries");
+  $period = get_period($settings{"WEED_BLOCK"});
   printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n".
-  "a report-only mode).");
+  "a report-only mode). Data from period of $period.\n");
   printTable1($m, $f, \%statlist, \%blocklist, \&cmp_hits);
 
   printH($m, $f, 2, "Summary of non-ignored entries");
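Review bot: `$period` is assigned twice with different meanings — first the WEED_GLOBAL span for the report header, then the WEED_BLOCK span for the "Currently blocked entries" paragraph — which makes the two interpolated sentences easy to mix up in later edits. Two distinct names, `my $global_period = get_period($settings{"WEED_GLOBAL"});` and `my $block_period = get_period($settings{"WEED_BLOCK"});`, would make each sentence self-describing at no cost. generate_status starts and ends outside this hunk.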
@@ -478,9 +490,14 @@
 
 ### Check if given timestamp is _newer_ than weedperiod threshold.
 ### Returns false if timestamp is over weed period, e.g. needs weeding.
-sub check_time($)
+sub check_time1($)
 {
-  return ($_[0] >= time() - ($settings{"WEEDPERIOD"} * 60 * 60));
+  return ($_[0] >= time() - ($settings{"WEED_BLOCK"} * 60 * 60));
+}
+
+sub check_time2($)
+{
+  return ($_[0] >= time() - ($settings{"WEED_GLOBAL"} * 60 * 60));
 }
 
 ### Weed out old entries
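Review bot: The header comment above `check_time1` still describes a single "weedperiod" and says nothing about `check_time2`, and the numeric suffixes do not tell a reader which period each sub applies; names such as `check_block_time`/`check_global_time`, or one `check_time` taking the settings key as a second argument, would document themselves. If the names stay, a comment covering both would help: `### True if the timestamp is newer than WEED_BLOCK (check_time1) or WEED_GLOBAL (check_time2) hours ago; false means the entry needs weeding.` Each call also evaluates `time()` afresh, so a weeding pass that crosses a second boundary compares entries against slightly different cut-offs; computing the cut-off once per pass (in the callers, which are in later hunks) would make a pass self-consistent, though in practice the effect is a one-second skew.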
@@ -504,7 +521,7 @@
   foreach my $mip (@mips) {
     if (defined($blocklist{$mip})) {
       if ($blocklist{$mip} >= 0) {
-        weed_do($mip) unless check_time($blocklist{$mip});
+        weed_do($mip) unless check_time1($blocklist{$mip});
       } else {
         weed_do($mip);
       }
@@ -515,7 +532,7 @@
   foreach my $mip (keys %statlist) {
     if (defined($statlist{$mip})) {
       my $mtime = $statlist{$mip}{"date2"};
-      if (!check_time($mtime) && !defined($blocklist{$mip})) {
+      if (!check_time2($mtime) && !defined($blocklist{$mip})) {
         mlog(3, "* Deleting stale $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n");
         delete($statlist{$mip});
       }
@@ -525,7 +542,7 @@
   foreach my $mip (keys %ignorelist) {
     if (defined($ignorelist{$mip})) {
       my $mtime = $ignorelist{$mip}{"date2"};
-      if (!check_time($mtime)) {
+      if (!check_time2($mtime)) {
         mlog(3, "* Deleting stale ignored $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n");
         delete($ignorelist{$mip});
       }
@@ -588,7 +605,7 @@
   }
 
   # Check if we have exceeded treshold etc.
-  if ($cnt >= $settings{"TRESHOLD"} && check_time($mdate)) {
+  if ($cnt >= $settings{"TRESHOLD"} && check_time1($mdate)) {
     # Add to blocklist, unless already there.
     if (!defined($blocklist{$mip})) {
       mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n");