cleanup & optimisation

pldubouilh · Aug 19, 2022 · 4f93f20 · 4f93f20
1 parent 89e6d2b
commit 4f93f20
Show file tree

Hide file tree

Showing 8 changed files with 245 additions and 243 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "blockfast"
-version = "0.1.0"
+version = "0.1.1"
 authors = ["Pierre Dubouilh <[email protected]>"]
 edition = "2018"
 

diff --git a/Makefile b/Makefile
@@ -1,23 +1,41 @@
-build:
+build::
 	cargo build
-	cargo clippy
-	cargo fmt
+	cargo clippy --all
+	cargo fmt --all
 
-run:
+run::
+	touch /tmp/sshdtest
+	touch /tmp/clftest
 	cargo run -- -s=/tmp/sshdtest -c=/tmp/clftest
 
-watch:
+ci:: test
+	cargo fmt --all -- --check
+	cargo clippy -- -D warnings
+
+publish:: ci
+	cargo publish
+
+watch::
 	ls src/*.rs | entr -rc -- make run
 
-test:
+test::
 	cargo test
 
-watch-test:
+watch-test::
 	ls src/*.rs | entr -rc -- make test
 
-release:
+release::
 	cargo build --target x86_64-unknown-linux-musl --release
 
-ci: test
-	cargo fmt --all -- --check
-	cargo clippy -- -D warnings
+hit-sshd::
+	echo "Sep 26 06:25:32 livecompute sshd[23254]: Invalid user neal from 9.124.36.195" >> /tmp/sshdtest
+
+ok-sshd::
+	echo "Sep 26 06:25:19 livecompute sshd[23246]: successful login 8.124.36.195 port 41883 ssh2" >> /tmp/sshdtest
+
+hit-clf::
+	echo "1.124.36.195 - p [25/Sep/2021:13:49:56 +0200] \"POST /some/rpc HTTP/2.0\" 401 923" >> /tmp/clftest
+
+ok-clf::
+	echo "2.124.36.195 - p [25/Sep/2021:13:49:56 +0200] \"POST /some/rpc HTTP/2.0\" 200 23012" >> /tmp/clftest
+
diff --git a/src/clf.rs b/src/clf.rs
@@ -1,28 +1,35 @@
 use crate::utils::ParsingStatus;
-use anyhow::Result;
+use anyhow::*;
 use lazy_static::lazy_static;
-use std::net::IpAddr;
+use regex::Regex;
+use std::{net::IpAddr, str::FromStr};
 
-// TODO: allow user-provided list
-// TODO: match different error-levels (10 404, but only 5 401, etc...)
 lazy_static! {
     static ref BAD_STATUSES: [u32; 2] = [401, 429];
+    static ref RE_IP: Regex = Regex::new(r"^(\S+)\s").unwrap();
+    static ref RE_STATUS: Regex = Regex::new(r"(\d+)\s(\w+)$").unwrap();
 }
 
+#[allow(clippy::bind_instead_of_map)]
 pub fn parse(line: &str) -> Result<ParsingStatus> {
-    // TODO: Use a proper parser ?
-    let elts: Vec<&str> = line.split_whitespace().collect();
+    let ip = RE_IP
+        .captures(line)
+        .and_then(|c| c.get(1))
+        .and_then(|g| Some(g.as_str()))
+        .and_then(|e| IpAddr::from_str(e).ok())
+        .ok_or_else(|| anyhow!("cant parse clf line - ip"))?;
 
-    let ip_str = elts[0];
-    let ip = ip_str.parse::<IpAddr>()?;
+    let status = RE_STATUS
+        .captures(line)
+        .and_then(|c| c.get(1))
+        .and_then(|g| Some(g.as_str()))
+        .and_then(|e| e.parse::<u32>().ok())
+        .ok_or_else(|| anyhow!("cant parse clf line - status"))?;
 
-    let http_code_str = elts[elts.len() - 2] as &str;
-    let http_code = http_code_str.parse::<u32>()?;
+    let is_bad_status = BAD_STATUSES.iter().any(|s| s == &status);
 
-    for status in BAD_STATUSES.iter() {
-        if *status == http_code {
-            return Ok(ParsingStatus::BadEntry(ip));
-        }
+    if is_bad_status {
+        return Ok(ParsingStatus::BadEntry(ip));
     }
 
     Ok(ParsingStatus::OkEntry)

diff --git a/src/jail.rs b/src/jail.rs
@@ -5,8 +5,6 @@ use std::sync::Mutex;
 
 use anyhow::*;
 
-use crate::utils::JailStatus;
-
 pub struct Jail {
     jailtime: u32,
     allowance: u8,
@@ -15,10 +13,9 @@ pub struct Jail {
 
 const JAIL_NAME: &str = "blockfast_jail";
 
-const ERR_MSG: &str =
-    "error using ipset/iptables, maybe it's not installed, this program isn't running as root ?";
-
 fn ipset_init() -> Result<()> {
+    const ERR_MSG: &str = "error using ipset/iptables, maybe it's not installed, this program isn't running as root ?";
+
     let init0 = format!("ipset create {} hash:ip timeout 0", JAIL_NAME);
     let init1 = format!(
         "iptables -I INPUT 1 -m set -j DROP --match-set {} src",
@@ -65,18 +62,12 @@ fn ipset_init() -> Result<()> {
 }
 
 fn ipset_block(jailtime: u32, ip: IpAddr) -> Result<()> {
-    let sentence = format!(
-        "ipset add {} {} timeout {}",
-        JAIL_NAME,
-        ip.to_string(),
-        jailtime
-    );
+    let sentence = format!("ipset add {} {} timeout {}", JAIL_NAME, ip, jailtime);
     let sentence_sl: Vec<&str> = sentence.split_whitespace().collect();
 
     let out = Command::new("sudo").args(sentence_sl).output()?;
     if out.status.code() != Some(0) {
-        eprintln!("{:?}", out);
-        bail!("error executing ipset ban");
+        bail!("executing ipset ban for {} - {:?}", ip, out.stderr);
     }
 
     Ok(())
@@ -85,6 +76,7 @@ fn ipset_block(jailtime: u32, ip: IpAddr) -> Result<()> {
 impl Jail {
     pub fn new(allowance: u8, jailtime: u32) -> Result<Jail> {
         ipset_init()?;
+        eprintln!("+ jail setup, allowance {}, time {}s", allowance, jailtime);
 
         Ok(Jail {
             allowance,
@@ -93,7 +85,7 @@ impl Jail {
         })
     }
 
-    pub fn probe(&self, ip: IpAddr) -> Result<JailStatus> {
+    pub fn sentence(&self, ip: IpAddr, target: &str) -> Result<()> {
         let should_ban = {
             let mut locked_map = self.remand.lock().map_err(|_| anyhow!("cant lock"))?;
 
@@ -109,10 +101,10 @@ impl Jail {
         };
 
         if should_ban {
+            eprintln!("~ {} jailtime for: {}", target, ip);
             ipset_block(self.jailtime, ip)?;
-            Ok(JailStatus::Jailed(ip))
-        } else {
-            Ok(JailStatus::Remand)
         }
+
+        Ok(())
     }
 }
diff --git a/src/main.rs b/src/main.rs
@@ -1,5 +1,8 @@
+use std::path::PathBuf;
+use std::result::Result::Ok;
+
 use anyhow::*;
-use linemux::MuxedLines;
+use linemux::{Line, MuxedLines};
 
 mod clf;
 mod sshd;
@@ -9,38 +12,6 @@ mod jail;
 use crate::jail::Jail;
 use crate::utils::*;
 
-fn judge(
-    path_sshd: &str,
-    path_clf: &str,
-    payload: &str,
-    path: &str,
-    jail: &Jail,
-) -> Result<Judgment> {
-    let do_sshd = !path_sshd.is_empty();
-    let do_clf = !path_clf.is_empty();
-    let mut target = "";
-
-    let ret_parse = if do_sshd && path.ends_with(path_sshd) {
-        target = "sshd";
-        sshd::parse(payload)
-    } else if do_clf && path.ends_with(path_clf) {
-        target = "clf ";
-        clf::parse(payload)
-    } else {
-        Err(anyhow!("cant locate file !"))
-    };
-
-    let ip = match ret_parse? {
-        ParsingStatus::OkEntry => return Ok(Judgment::Good),
-        ParsingStatus::BadEntry(ip) => ip,
-    };
-
-    match jail.probe(ip)? {
-        JailStatus::Remand => Ok(Judgment::Remand),
-        JailStatus::Jailed(ip) => Ok(Judgment::Bad(target, ip)),
-    }
-}
-
 async fn run() -> Result<()> {
     let args = utils::cli().get_matches();
     let mut lines = MuxedLines::new()?;
@@ -53,46 +24,54 @@ async fn run() -> Result<()> {
     let allowance = allowance_str.parse().context("parsing allowance")?;
 
     let jail = Jail::new(allowance, jailtime)?;
-    eprintln!(
-        "+ jail setup, offences allowed: {}, jailtime {}s",
-        allowance, jailtime
-    );
 
     // sshd
-    let path_sshd = args.value_of("sshd_logpath").unwrap_or("");
-    if !path_sshd.is_empty() {
-        lines.add_file(path_sshd).await?;
-        eprintln!("+ starting with sshd parsing at {}", path_sshd);
+    let mut path_sshd: PathBuf = args.value_of("sshd_logpath").unwrap_or("").into();
+    if path_sshd.exists() {
+        path_sshd = std::fs::canonicalize(path_sshd)?;
+        lines.add_file(&path_sshd).await?;
+        eprintln!("+ starting with sshd parsing at {:?}", &path_sshd);
     }
 
     // common log format
-    let path_clf = args.value_of("clf_logpath").unwrap_or("");
-    if !path_clf.is_empty() {
-        lines.add_file(path_clf).await?;
-        eprintln!("+ starting with clf parsing at {}", path_clf);
+    let mut path_clf: PathBuf = args.value_of("clf_logpath").unwrap_or("").into();
+    if path_clf.exists() {
+        path_clf = std::fs::canonicalize(path_clf)?;
+        lines.add_file(&path_clf).await?;
+        eprintln!("+ starting with clf parsing at {:?}", &path_clf);
     }
 
-    while let Ok(Some(line)) = lines.next_line().await {
+    let assess_line = |line: Line| {
         let payload = line.line();
-        let path = line.source().display().to_string();
-
-        match judge(path_sshd, path_clf, payload, &path, &jail) {
-            Err(err) => eprintln!("! ERR {:?} - file {}", err, path),
-            Ok(Judgment::Good) => {}
-            Ok(Judgment::Remand) => {}
-            Ok(Judgment::Bad(target, ip)) => {
-                eprintln!("~ too many infraction, {} jailtime for: {}", target, ip)
-            }
+        let path = line.source();
+
+        let (target, ret) = if path == path_sshd {
+            ("sshd", sshd::parse(payload)?)
+        } else if path == path_clf {
+            ("clf", clf::parse(payload)?)
+        } else {
+            bail!("file {:?} unknown", path)
         };
+
+        if let ParsingStatus::BadEntry(ip) = ret {
+            jail.sentence(ip, target)?;
+        }
+
+        Ok(())
+    };
+
+    while let Ok(Some(line)) = lines.next_line().await {
+        if let Err(e) = assess_line(line) {
+            println!("! ERR {:?}", e)
+        }
     }
 
     Ok(())
 }
 
 #[tokio::main]
-async fn main() -> std::io::Result<()> {
-    let ret = run().await;
-    let _ = ret.map_err(|e| eprintln!("! ERROR {:?}", e));
+async fn main() -> Result<()> {
+    run().await?;
     eprintln!("\n");
     let _ = utils::cli().print_help();
     Ok(())

diff --git a/src/sshd.rs b/src/sshd.rs
@@ -1,8 +1,7 @@
 use anyhow::*;
 use lazy_static::lazy_static;
 use regex::Regex;
-use std::net::IpAddr;
-use std::str::FromStr;
+use std::{net::IpAddr, str::FromStr};
 
 use crate::utils::ParsingStatus;
 
@@ -15,40 +14,35 @@ lazy_static! {
     static ref SSHD_BAD: [Rule; 3] = [
         Rule {
             matcher: "Failed password".to_string(),
-            extractor: Regex::new(r"(from.)(.*)(.port)").unwrap(),
+            extractor: Regex::new(r"(from.)(\S+)").unwrap(),
         },
         Rule {
             matcher: "Invalid user ".to_string(),
-            extractor: Regex::new(r"(from.)(.*)").unwrap(),
+            extractor: Regex::new(r"(from.)(\S+)").unwrap(),
         },
         Rule {
             matcher: "authentication failure".to_string(),
-            extractor: Regex::new(r"(rhost=)(.*)").unwrap()
+            extractor: Regex::new(r"(rhost=)(\S+)").unwrap()
         },
     ];
 }
 
 pub fn parse(line: &str) -> Result<ParsingStatus> {
-    let hits = SSHD_BAD.iter().find_map(|rule| {
-        if line.contains(&rule.matcher) {
-            rule.extractor.captures(line)
-        } else {
-            None
-        }
-    });
+    let hits = SSHD_BAD
+        .iter()
+        .find(|rule| line.contains(&rule.matcher))
+        .and_then(|r| r.extractor.captures(line));
 
     if hits.is_none() {
         return Ok(ParsingStatus::OkEntry);
     }
 
     let ip = hits
         .and_then(|c| c.get(2))
-        .and_then(|m| IpAddr::from_str(m.as_str()).ok());
+        .and_then(|m| IpAddr::from_str(m.as_str()).ok())
+        .ok_or_else(|| anyhow!("cant parse sshd line"))?;
 
-    match ip {
-        Some(ip) => Ok(ParsingStatus::BadEntry(ip)),
-        None => Err(anyhow!("cant parse sshd entry")),
-    }
+    Ok(ParsingStatus::BadEntry(ip))
 }
 
 #[cfg(test)]
@@ -93,12 +87,10 @@ mod tests {
     fn malformed() {
         let vectors = [
             "Sep 26 06:25:19 livecompute sshd[23246]: Failed password for root from 179.124.36.195.232 port 41883 ssh2",
-            "Sep 26 06:26:14 livecompute sshd[23292]: pam_unix(sshd:auth): authentication failure; logname= u =0 tty=ssh ruser= rhost=",
         ];
 
         vectors.iter().for_each(|e| {
-            let ret = parse(*e);
-            assert!(ret.is_err());
+            parse(*e).expect_err("");
         })
     }
 }