From: Burton S. <Bu...@Bu...> - 2017-01-16 00:21:12
Allow me to offer a 'heart beat' patch for sshguard 1.7.1. It's not a great heart beat, as I did not want to add any overhead such as a timer. It's basically three counters that are checked when a message is received from the logging facility. Thus it's quite possible on a lightly attacked system for far longer periods to go past than the nominal seconds counter. ./configure --prefix= --with-firewall= --with-heartbeat=level Levels are none, debug (heartbeats all attacks) and small, medium and large - which attempt to provide a reasonable frequency of messages based on the volume of the sshguard process. For example, large logs every 600 seconds and/or 1,000,000 log lines and/or 1,000 attacks. Small is 180 seconds, 1,000 log lines and/or 100 attacks. If you build it with --with-heartbeat=none (or no parameter), the code is #IFDEFed out. If you build in a heartbeat, you need to enable it at runtime with the env SSHGUARD_HEARTBEAT=fu trick just like debug. The messages look like this in the log: Jan 15 18:02:06 wiseowl sshguard[12091]: sshguard <3beat active 3420 seconds (166 read, 70 attacks) Recommend the typical autoreconf -i first and then the ./configure. When you do make, since I'm changing the lexer and parser, those both take a while during the compiles. Enjoy! -----Burton Burton Strauss III, PMP eMail: Bu...@Bu... <mailto:Bu...@Bu...> or BSt...@ac... <mailto:BSt...@ac...> LinkedIn: http://www.linkedin.com/in/BurtonStrauss --- /home/burton/sshguard-1.7.1/configure.ac 2016-10-11 11:24:19.000000000 -0500 +++ /home/burton/sshguard-1.7.1bs/configure.ac 2017-01-15 11:25:13.459065430 -0600 
@@ -46,6 +46,45 @@ [hostsfilepath=$withval], [hostsfilepath=/etc/hosts.allow]) +AC_ARG_WITH([heartbeat], [AS_HELP_STRING([--with-heartbeat=setting], + [Enable heartbeat (none, small, medium or large system, default is none)])], +[ + # Substitute the correct commands into the firewall script. + case "$withval" in + none) + heartbeatsetting=none + ;; + debug) + heartbeatsetting=debug + heartbeatseconds=60 + heartbeatloglines=100 + heartbeatattacks=1 + ;; + small) + heartbeatsetting=small + heartbeatseconds=180 + heartbeatloglines=1000 + heartbeatattacks=100 + ;; + medium) + heartbeatsetting=medium + heartbeatseconds=300 + heartbeatloglines=100000 + heartbeatattacks=500 + ;; + large) + heartbeatsetting=large + heartbeatseconds=600 + heartbeatloglines=1000000 + heartbeatattacks=1000 + ;; + *) + AC_MSG_ERROR([Invalid heartbeat value (see help)]) + ;; + esac +], + [heartbeatsetting=none]) + ############################################################################ ## AS_BOX([Program Checks]) @@ -77,4 +116,12 @@ AC_DEFINE_UNQUOTED(HOSTSFILE_PATH, "$hostsfilepath", [Path to hosts.allow]) +if test "x$heartbeatsetting" != xnone; then + AC_DEFINE_UNQUOTED(HEARTBEAT_TYPE, "${heartbeatsetting}", [Setting of heartbeat]) + AC_DEFINE_UNQUOTED(HEARTBEAT, "<3beat", [heartbeat search flag in log]) + AC_DEFINE_UNQUOTED(HEARTBEAT_SECONDS, ${heartbeatseconds}, [Number of seconds between heartbeat loggings]) + AC_DEFINE_UNQUOTED(HEARTBEAT_LOGLINES, ${heartbeatloglines}, [Number of log lines (reads) between heartbeat loggings]) + AC_DEFINE_UNQUOTED(HEARTBEAT_ATTACKS, ${heartbeatattacks}, [Number of attacks between heartbeat loggings]) +fi + AC_OUTPUT([Makefile src/Makefile src/fwalls/sshg-fw]) --- /home/burton/sshguard-1.7.1/configure 2016-10-20 18:32:50.000000000 -0500 +++ /home/burton/sshguard-1.7.1bs/configure 2017-01-15 11:25:36.545880640 -0600 @@ -727,6 +727,7 @@ enable_silent_rules with_firewall with_hosts +with_heartbeat enable_dependency_tracking ' ac_precious_vars='build_alias 
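Review bot: The help string for `--with-heartbeat` lists `none, small, medium or large` while the `case` below also accepts `debug`, so the documented and accepted values disagree; `[Enable heartbeat logging (none, debug, small, medium or large; default none)]` would match the code. The comment `# Substitute the correct commands into the firewall script.` looks copied from the `--with-firewall` handler and does not describe this block; `# Pick the heartbeat thresholds (seconds / log lines / attacks) for the chosen size.` fits. A bare `--with-heartbeat` with no value sets `withval=yes` and lands in the `AC_MSG_ERROR` branch; if that is intended, the help text should say a value is required, otherwise map `yes` to one of the sizes. The same `case` appears again in the generated configure hunks, which follow from regenerating.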
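Review bot: `HEARTBEAT_TYPE` is written into config.h here, but none of the sshguard.c hunks in this patch reads it, so as posted it is a dead define; either drop it or include it in the startup message alongside the other `HEARTBEAT_*` values. Using the bare name `HEARTBEAT` both as the build gate (`#ifdef HEARTBEAT`) and as the log marker string `"<3beat"` works but is easy to misread; a define comment such as `[heartbeat marker string; its presence also enables the heartbeat code]` would make the dual role explicit.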
@@ -1368,6 +1369,9 @@ or null) --with-hosts=file Path to allowed hosts file (default /etc/hosts.allow) + --with-heartbeat=setting + Enable heartbeat (none, small, medium or large + system, default is none) Some influential environment variables: CC C compiler command @@ -2800,6 +2804,49 @@ fi + +# Check whether --with-heartbeat was given. +if test "${with_heartbeat+set}" = set; then : + withval=$with_heartbeat; + # Substitute the correct commands into the firewall script. + case "$withval" in + none) + heartbeatsetting=none + ;; + debug) + heartbeatsetting=debug + heartbeatseconds=60 + heartbeatloglines=100 + heartbeatattacks=1 + ;; + small) + heartbeatsetting=small + heartbeatseconds=180 + heartbeatloglines=1000 + heartbeatattacks=100 + ;; + medium) + heartbeatsetting=medium + heartbeatseconds=300 + heartbeatloglines=100000 + heartbeatattacks=500 + ;; + large) + heartbeatsetting=large + heartbeatseconds=600 + heartbeatloglines=1000000 + heartbeatattacks=1000 + ;; + *) + as_fn_error $? "Invalid heartbeat value (see help)" "$LINENO" 5 + ;; + esac + +else + heartbeatsetting=none +fi + + ############################################################################ ## $as_echo "## -------------- ## ## Program Checks ## @@ -5161,6 +5208,34 @@ _ACEOF +if test "x$heartbeatsetting" != xnone; then + +cat >>confdefs.h <<_ACEOF +#define HEARTBEAT_TYPE "${heartbeatsetting}" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HEARTBEAT "<3beat" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HEARTBEAT_SECONDS ${heartbeatseconds} +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HEARTBEAT_LOGLINES ${heartbeatloglines} +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HEARTBEAT_ATTACKS ${heartbeatattacks} +_ACEOF + +fi + ac_config_files="$ac_config_files Makefile src/Makefile src/fwalls/sshg-fw" cat >confcache <<\_ACEOF --- /home/burton/sshguard-1.7.1/src/sshguard.c 2016-10-11 11:22:37.000000000 -0500 +++ /home/burton/sshguard-1.7.1bs/src/sshguard.c 2017-01-15 16:52:00.000766396 -0600 
@@ -27,6 +27,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <sys/time.h> #include "fwalls/fw.h" #include "parser/parser.h" @@ -41,6 +42,10 @@ #define MAX_LOGLINE_LEN 1000 +#ifdef HEARTBEAT +int sshg_heartbeat = 0; +#endif + /** Keep track of the exit signal received. */ static volatile sig_atomic_t exit_sig = 0; @@ -120,12 +125,23 @@ char buf[MAX_LOGLINE_LEN]; int sshg_debugging = (getenv("SSHGUARD_DEBUG") != NULL); +#ifdef HEARTBEAT + sshg_heartbeat = (getenv("SSHGUARD_HEARTBEAT") != NULL); +#endif sshguard_log_init(sshg_debugging); yy_flex_debug = sshg_debugging; yydebug = sshg_debugging; srand(time(NULL)); +#ifdef HEARTBEAT + if (sshg_heartbeat) + sshguard_log(LOG_INFO, "sshguard version %s (%ss are %d seconds, %d loglines and %d attack(s))", + PACKAGE_VERSION, HEARTBEAT, HEARTBEAT_SECONDS, HEARTBEAT_LOGLINES, HEARTBEAT_ATTACKS); + else +#endif + sshguard_log(LOG_INFO, "sshguard version %s", PACKAGE_VERSION); + /* pending, blocked, and offender address lists */ list_init(&limbo); list_attributes_seeker(& limbo, attack_addr_seeker); 
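Review bot: `int sshg_heartbeat = 0;` is introduced at file scope with external linkage, but the only readers in this patch are in sshguard.c itself (main and the unblock path in the later `@@ -376` hunk); `static int sshg_heartbeat = 0; /* set when SSHGUARD_HEARTBEAT is in the environment */` is enough unless another translation unit needs it. The cover note says the lexer and parser are changed too, yet no hunk for them is in the posted patch, so whether they reference this symbol, and how heartbeat lines are kept out of the attack parser when sshguard's own syslog output is among the monitored files, cannot be checked from here. The `#ifdef HEARTBEAT` gate also presumes config.h is included above this point, which is outside the hunk.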
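Review bot: The `if (sshg_heartbeat) ... else` that straddles `#endif` before the version message is fragile: any statement later inserted between `#endif` and `sshguard_log(LOG_INFO, "sshguard version %s", PACKAGE_VERSION);` would silently bind to the `else` in heartbeat builds and run unconditionally in others. Log the version line unconditionally first, then inside the `#ifdef HEARTBEAT` block emit the thresholds as a separate `sshguard_log(LOG_INFO, ...)` call under `if (sshg_heartbeat)` with no `else`. The format `"(%ss are %d seconds, ..."` also renders as `<3beats are ...`, which reads oddly in a log; `"%s every %d seconds, %d loglines or %d attack(s)"` states the same thing plainly. main() starts and ends outside the hunk.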
@@ -183,14 +199,46 @@ sshguard_log(LOG_INFO, "Monitoring attacks from %s", opts.has_polled_files ? "log files" : "stdin"); +#ifdef HEARTBEAT + unsigned long read_count = 0, matched_count = 0, tv_delta, tv_delta_min = 1; + struct timeval s_tv, e_tv; + if (sshg_heartbeat) { + gettimeofday(&s_tv, NULL); + } +#endif + while (log_getline(buf, &source_id) == 0) { attack_t parsed_attack; +#ifdef HEARTBEAT + if (sshg_heartbeat) { + gettimeofday(&e_tv, NULL); + ++read_count; + tv_delta = e_tv.tv_sec - s_tv.tv_sec; + if ((tv_delta % HEARTBEAT_SECONDS == 0) && (tv_delta > tv_delta_min)) { + sshguard_log(LOG_INFO, "sshguard %s active %u seconds (%u read, %u attacks)", + HEARTBEAT, tv_delta, read_count, matched_count); + tv_delta_min = ((tv_delta + HEARTBEAT_SECONDS) / HEARTBEAT_SECONDS) * HEARTBEAT_SECONDS; + } else if(read_count % HEARTBEAT_LOGLINES == 0) { + sshguard_log(LOG_INFO, "sshguard %s read %u (%u attacks)", HEARTBEAT, read_count, matched_count); + } + } +#endif + if (parse_line(source_id, buf, &parsed_attack) != 0) { // Skip lines that don't match any attack. continue; } +#ifdef HEARTBEAT + if (sshg_heartbeat){ + ++matched_count; + #if HEARTBEAT_ATTACKS > 1 + if (matched_count % HEARTBEAT_ATTACKS == 0) + sshguard_log(LOG_INFO, "sshguard %s matched %u attacks", HEARTBEAT, matched_count); + #endif + } +#endif if (parsed_attack.source != 0 && procauth_isauthoritative( parsed_attack.service, parsed_attack.source) == -1) { sshguard_log(LOG_NOTICE, @@ -199,7 +247,13 @@ continue; } - sshguard_log(LOG_DEBUG, "Attack from %s on service %d with danger %u", + sshguard_log( +#ifdef HEARTBEAT + sshg_heartbeat ? LOG_INFO : LOG_DEBUG, +#else + LOG_DEBUG, +#endif + "Attack from %s on service %d with danger %u", parsed_attack.address.value, parsed_attack.service, parsed_attack.dangerousness); report_address(parsed_attack); 
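Review bot: The three heartbeat format strings in this hunk pass `unsigned long` values (`tv_delta`, `read_count`, `matched_count`, declared `unsigned long` at the top of the hunk) to `%u`, which expects `unsigned int`; that is undefined behaviour, `-Wformat` warns about it, and on LP64 targets the widths differ, so use `%lu`. The time check also only fires when a line happens to arrive on an exact multiple of `HEARTBEAT_SECONDS` (`tv_delta % HEARTBEAT_SECONDS == 0`), and because `tv_delta_min` is then moved one interval ahead and compared with a strict `>`, the next multiple is skipped too, so even under steady traffic the message appears at most every two intervals; comparing `tv_delta >= tv_delta_min` and advancing `tv_delta_min` past the current delta gives one message per interval as the cover note describes. Since only `tv_sec` is read, `time(NULL)` (already used for `srand` in this file) replaces `gettimeofday` and the `<sys/time.h>` include added in the earlier hunk. The `#ifdef`-selected level inside the `sshguard_log(` argument list here, and again in the `@@ -376` hunk, could be one file-level definition such as `#define ATTACK_LOG_LEVEL (sshg_heartbeat ? LOG_INFO : LOG_DEBUG)` under the existing `#ifdef HEARTBEAT` with a `LOG_DEBUG` fallback, so both call sites stay plain. main() starts and ends outside the hunk.
```c
    /* inside the existing #ifdef HEARTBEAT block, replacing the timeval pair */
    unsigned long read_count = 0, matched_count = 0, tv_delta,
                  tv_delta_min = HEARTBEAT_SECONDS;   /* first beat after one full interval */
    time_t s_tv = time(NULL), e_tv;
    /* … unchanged: while (log_getline(buf, &source_id) == 0) { attack_t parsed_attack; … */
        if (sshg_heartbeat) {
            e_tv = time(NULL);
            ++read_count;
            tv_delta = (unsigned long)(e_tv - s_tv);
            /* Beat on the first line seen after the interval elapses, not only
             * on a line that lands on an exact multiple of HEARTBEAT_SECONDS. */
            if (tv_delta >= tv_delta_min) {
                sshguard_log(LOG_INFO, "sshguard %s active %lu seconds (%lu read, %lu attacks)",
                             HEARTBEAT, tv_delta, read_count, matched_count);
                tv_delta_min = tv_delta + HEARTBEAT_SECONDS;
            } else if (read_count % HEARTBEAT_LOGLINES == 0) {
                sshguard_log(LOG_INFO, "sshguard %s read %lu (%lu attacks)",
                             HEARTBEAT, read_count, matched_count);
            }
        }
    /* … unchanged: parse_line() / continue, ++matched_count … */
                if (matched_count % HEARTBEAT_ATTACKS == 0)
                    sshguard_log(LOG_INFO, "sshguard %s matched %lu attacks", HEARTBEAT, matched_count);
```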
@@ -376,7 +430,13 @@ /* process hosts with finite pardon time */ if (now - tmpel->whenlast > tmpel->pardontime) { /* pardon time passed, release block */ - sshguard_log(LOG_DEBUG, "Unblocking %s after %lld secs", + sshguard_log( +#ifdef HEARTBEAT + sshg_heartbeat ? LOG_INFO : LOG_DEBUG, +#else + LOG_DEBUG, +#endif + "Unblocking %s after %lld secs", tmpel->attack.address.value, (long long)(now - tmpel->whenlast)); ret = fw_release(&tmpel->attack); --- /home/burton/sshguard-1.7.1/src/config.h.in 2016-10-20 18:32:50.000000000 -0500 +++ /home/burton/sshguard-1.7.1bs/src/config.h.in 2017-01-15 11:25:50.629303798 -0600 @@ -30,6 +30,21 @@ /* Define to 1 if you have the <unistd.h> header file. */ #undef HAVE_UNISTD_H +/* heartbeat search flag in log */ +#undef HEARTBEAT + +/* Number of attacks between heartbeat loggings */ +#undef HEARTBEAT_ATTACKS + +/* Number of log lines (reads) between heartbeat loggings */ +#undef HEARTBEAT_LOGLINES + +/* Number of seconds between heartbeat loggings */ +#undef HEARTBEAT_SECONDS + +/* Setting of heartbeat */ +#undef HEARTBEAT_TYPE + /* Path to hosts.allow */ #undef HOSTSFILE_PATH --- /home/burton/sshguard-1.7.1/doc/sshguard.8 2016-10-11 11:25:57.000000000 -0500 +++ /home/burton/sshguard-1.7.1bs/doc/sshguard.8 2017-01-15 16:58:59.350035144 -0600 @@ -80,6 +80,9 @@ .sp Other features, attack signatures, and additional documentation can be found at \fI\%http://www.sshguard.net/\fP\&. +.sp +Shorewall logs messages to facility 0 (kern) which must be included in those +being monitored by sshguard (auth and authpriv). .SH OPTIONS .INDENT 0.0 .TP @@ -130,6 +133,8 @@ .TP .B SSHGUARD_DEBUG Enable additional debugging information. +.B SSHGUARD_HEARTBEAT +Enable heartbeat, also changes Attack and Unblock messages to log_info from log_debug. .UNINDENT .SH WHITELISTING .sp --- /home/burton/sshguard-1.7.1/doc/sshguard.8.rst 2016-10-11 11:25:47.000000000 -0500 +++ /home/burton/sshguard-1.7.1bs/doc/sshguard.8.rst 2017-01-15 16:59:43.726977020 -0600 
@@ -55,6 +55,9 @@ Other features, attack signatures, and additional documentation can be found at http://www.sshguard.net/. +Shorewall logs messages to facility 0 (kern) which must be included in those +being monitored by sshguard (auth and authpriv). + OPTIONS ======= **-a** `thresh` (default 30) @@ -104,6 +107,9 @@ SSHGUARD_DEBUG Enable additional debugging information. +SSHGUARD_HEARTBEAT + Enable heartbeat logging, also changes Attack and Unblock messages to log_info from log_debug. + WHITELISTING ============ **sshguard** supports address whitelisting. Whitelisted addresses are not |