version 2.1.2 (Release: June 2021) (#43)

* turning up version numbers

* fixing a small issue in the license

* classify messages about found ips as verbose #44

* a small readability thing

* added_start_menu #42

* some beauty fixes for the console (icon..) (#51)

* removed dead code

* set icon for the app

* ability to remove temp bans (#47)

* service gets ability to remove temp bans

* forgetting IPS needs to ignore re-supplied events

* console feature to remove temporary bans

* tested and tweaked the server feature to remove temp ban #45

* fixed a bug with forgetting ips

fixed a bug where a task will not forget an ip it has already forgotten earlier

* replaced "middle finger" with safe for work image (#62)

* releasing 2.1.2

Author: devnulli

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019 Michael Schönbauer
+Copyright (c) 2019 Michael Schoenbauer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

NEWS.md

@@ -1,5 +1,15 @@
 ## NEWS 
 
+### 2021-06-03 release of v.2. was completed
+- a small typo in the license was fixed
+- severity of some messages was adjusted (moved from info to verbose) to keep a cleaner event log
+- it contains minor bugfixes and corrections, but nothing interesting apart from that its signed now.
+- the console app now has a start menu entry
+- the console app had some beauty fixes
+- added ability to remove temp bans
+- fixes a bug with forgetting ips
+- replaces te old 'middle finger' with a more safe for work image
+
 ### 2020-12-28 preparing the release of v2.1 
 - first, i want to say THANK YOU, to everyone who donated
 - finally, we have received enough donations, so we can sign the next release. (and afford 3 beers on top of that)

Source/EvlWatcher/EvlWatcher.WCF/IEvlWatcherService.cs

@@ -42,5 +42,9 @@ public interface IEvlWatcherService
         [OperationContract]
         [FaultContract(typeof(ServiceFaultDTO))]
         void SaveGlobalConfig(SeverityLevelDTO logLevel, int consoleBackLog, int checkInterval);
+
+        [OperationContract]
+        [FaultContract(typeof(ServiceFaultDTO))]
+        void RemoveTemporaryBan(IPAddress address);
     }
 }

Source/EvlWatcher/EvlWatcher/EvlWatcher.cs

@@ -394,7 +394,6 @@ private void Run()
                     }
                 }
 
-
                 //start monitoring the logs
                 while (true)
                 {
@@ -469,7 +468,6 @@ private void Run()
 
                         _logger.Dump($"Scanning finished in {DateTime.Now.Subtract(scanStart).TotalMilliseconds}[ms] ", SeverityLevel.Debug);
 
-
                         //then supply the events to the requesting tasks
                         foreach (string key in requiredEventTypesToLogTasks.Keys)
                         {
@@ -514,7 +512,6 @@ private void Run()
 
                                 List<IPAddress> blockedIPs = ipTask.GetTempBanVictims();
 
-
                                 _logger.Dump($"Polled {t.Name} and got {blockedIPs.Count} temporary and {_serviceconfiguration.BlacklistAddresses.Count()} permanent ban(s)", SeverityLevel.Verbose);
 
                                 foreach (IPAddress blockedIP in blockedIPs)
@@ -611,6 +608,22 @@ public void SaveGlobalConfig(SeverityLevelDTO logLevel, int consoleBackLog, int
             _serviceconfiguration.EventLogInterval = checkInterval;
         }
 
+        public void RemoveTemporaryBan(IPAddress address)
+        {
+            EnsureClientPrivileges();
+
+            lock (_syncObject)
+            {
+                _logger.Dump($"Removing IP {address} from temporary ban list", SeverityLevel.Info);
+                foreach (var ipBlockingTask in _logTasks.Where(t => t is IPBlockingLogTask).Select(t => t as IPBlockingLogTask))
+                {
+                    ipBlockingTask.Forget(address);
+                }
+                _lastPolledTempBans.Remove(address);
+                PushBanList();
+            }
+        }
+
         #endregion
     }
 }

Source/EvlWatcher/EvlWatcher/NSIS/make.nsi

@@ -2,7 +2,7 @@ Name "EvlWatcher"
 
 ; The file to write
 Icon EvlWatcher.ico
-OutFile "EvlWatcher-v2.0 setup.exe"
+OutFile "EvlWatcher-v2.1.2-setup.exe"
 
 ; The default installation directory
 InstallDir $PROGRAMFILES\EvlWatcher
@@ -43,20 +43,12 @@ Section "EvlWatcher Service"
 
   ;;;;;;;;MODULES HERE;;;;;;;;;;
 
-  Delete $INSTDIR\BlockRDPBruters.dll
-  Delete $INSTDIR\BlockFTPBruters.dll
-  Delete $INSTDIR\BlockFTPBruters.cfg
-
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-  Delete $INSTDIR\Interop.NetFwTypeLib.dll
   Delete $INSTDIR\EvlWatcher.exe
-  Delete $INSTDIR\gpl-3.0.txt
   Delete $INSTDIR\license.txt
-  Delete $INSTDIR\source.zip
   Delete $INSTDIR\config.xml
   Delete $INSTDIR\EvlWatcherConsole.exe
-  Delete $INSTDIR\EvlWatcher.ico
   Delete $INSTDIR\EvlWatcher.WCF.dll
 
   ; Set output path to the installation directory.
@@ -91,6 +83,13 @@ Section "EvlWatcher Service"
 
 SectionEnd
 
+Section "Start Menu Entry"
+
+  CreateDirectory "$SMPROGRAMS\EvlWatcher"
+  CreateShortCut "$SMPROGRAMS\EvlWatcher\EvlWatcherConsole.lnk" "$INSTDIR\EvlWatcherConsole.exe"
+
+SectionEnd
+
 ;;;;;;;MODULES HERE;;;;;;;;;;
 
 
@@ -108,6 +107,9 @@ Section "Uninstall"
 
   Sleep 5000
 
+	Delete "$SMPROGRAMS\EvlWatcher\EvlWatcherConsole.lnk"
+	rmDir "$SMPROGRAMS\EvlWatcher"
+
   ; Remove registry keys
   DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\EvlWatcher"
   DeleteRegKey HKLM SOFTWARE\EvlWatcher
@@ -116,36 +118,14 @@ Section "Uninstall"
 
   ;;;;;;;;MODULES HERE;;;;;;;;;;;
 
-  Delete $INSTDIR\BlockRDPBruters.dll
-  Delete $INSTDIR\BlockFTPBruters.dll
-  Delete $INSTDIR\BlockFTPBruters.cfg
-
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-  Delete $INSTDIR\Interop.NetFwTypeLib.dll
   Delete $INSTDIR\EvlWatcher.exe
-  Delete $INSTDIR\gpl-3.0.txt
   Delete $INSTDIR\license.txt
   Delete $INSTDIR\config.xml
   Delete $INSTDIR\EvlWatcherConsole.exe
-  Delete $INSTDIR\source.zip
-  Delete $INSTDIR\EvlWatcher.ico
   Delete $INSTDIR\EvlWatcher.WCF.dll
-
-  Delete $INSTDIR\Source\Constants.cs
-  Delete $INSTDIR\Source\FirewallAPI.cs
-  Delete $INSTDIR\Source\Installer.cs
-  Delete $INSTDIR\Source\IPBlockingLogTask.cs
-  Delete $INSTDIR\Source\EvlWatcher.cs
-  Delete $INSTDIR\Source\LogTask.cs
 
-  ;;;;;;;;;MODULES HERE;;;;;;;;;;;;;;;;
-  
-  Delete $INSTDIR\Source\LogTaskBlockRDPBruters.cs
-  Delete $INSTDIR\Source\LogTaskBlockFTPBruters.cs
-  Delete $INSTDIR\Source\BlockFTPBruters.cfg
-
-  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
   Delete $INSTDIR\uninstall.exe
 

Source/EvlWatcher/EvlWatcher/Properties/AssemblyInfo.cs

@@ -28,5 +28,5 @@
 //      Build Number
 //      Revision
 //
-[assembly: AssemblyVersion("2.0.0.0")]
-[assembly: AssemblyFileVersion("2.0.0.0")]
+[assembly: AssemblyVersion("2.1.2.0")]
+[assembly: AssemblyFileVersion("2.1.2.0")]

Source/EvlWatcher/EvlWatcher/license.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Michael Schönbauer
+Copyright (c) 2020 Michael Schoenbauer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Source/EvlWatcher/EvlWatcher/systemapi/FirewallAPI.cs

@@ -64,7 +64,7 @@ private INetFwRule GetOrCreateEvlWatcherRule(bool create)
                 rule.EdgeTraversal = false;
                 rule.LocalAddresses = "*";
                 rule.Name = "EvlWatcher";
-                rule.Profiles = 2147483647; // = means all Profiles
+                rule.Profiles = int.MaxValue;// = means all Profiles
                 rule.Protocol = 256;
                 policies.Rules.Add(rule);
             }

Source/EvlWatcher/EvlWatcher/tasks/GenericIPBlockingTask.cs

@@ -36,7 +36,9 @@ internal static GenericIPBlockingTask FromConfiguration(IPersistentTaskConfigura
 
         #region private members
 
+        private readonly object _syncObject = new object();
         private readonly Dictionary<IPAddress, DateTime> _blockedIPsToDate = new Dictionary<IPAddress, DateTime>();
+        private readonly Dictionary<IPAddress, DateTime> _forgetIPsToDate = new Dictionary<IPAddress, DateTime>();
         private readonly Dictionary<IPAddress, int> _bannedCount = new Dictionary<IPAddress, int>();
         private readonly ILogger _logger;
 
@@ -64,40 +66,51 @@ internal GenericIPBlockingTask(ILogger logger)
         #region public operations
         public override List<IPAddress> GetTempBanVictims()
         {
-            List<IPAddress> ipsToRemove = new List<IPAddress>();
-            List<IPAddress> ipsToBlock = new List<IPAddress>();
-
-            //also remove IPS from ban list when they have been blocked "long enough"
-            foreach (KeyValuePair<IPAddress, DateTime> kvp in _blockedIPsToDate)
+            lock (_syncObject)
             {
-                if (kvp.Value.Add(new TimeSpan(0, 0, LockTime)) < System.DateTime.Now)
-                {
-                    ipsToRemove.Add(kvp.Key);
-                }
-                else
+                List<IPAddress> ipsToRemove = new List<IPAddress>();
+                List<IPAddress> ipsToBlock = new List<IPAddress>();
+
+                //also remove IPS from ban list when they have been blocked "long enough"
+                foreach (KeyValuePair<IPAddress, DateTime> kvp in _blockedIPsToDate)
                 {
-                    ipsToBlock.Add(kvp.Key);
+                    if (kvp.Value.Add(new TimeSpan(0, 0, LockTime)) < DateTime.Now)
+                    {
+                        ipsToRemove.Add(kvp.Key);
+                    }
+                    else
+                    {
+                        ipsToBlock.Add(kvp.Key);
+                    }
                 }
-            }
 
-            foreach (IPAddress ipToRemove in ipsToRemove)
-                _blockedIPsToDate.Remove(ipToRemove);
+                //also remove forgotten IPs when its been a while
+                List<IPAddress> removeFromForgottenList = _forgetIPsToDate.Where(p => DateTime.Now.AddHours(-1) > p.Value).Select(p=>p.Key).ToList();
+                foreach (var ip in removeFromForgottenList)
+                    removeFromForgottenList.Remove(ip);
+
+                foreach (IPAddress ipToRemove in ipsToRemove)
+                    _blockedIPsToDate.Remove(ipToRemove);
 
-            return ipsToBlock;
+                return ipsToBlock;
+            }
         }
 
         public override List<IPAddress> GetPermaBanVictims()
         {
-            List<IPAddress> permaList = new List<IPAddress>();
-            foreach (KeyValuePair<IPAddress, int> kvp in _bannedCount.Where(p=>p.Value>=PermaBanCount))
+            lock (_syncObject)
             {
-                permaList.Add(kvp.Key);
-                _logger.Dump($"Permanently banned {kvp.Value} (strike count was over {PermaBanCount}) ", SeverityLevel.Info);
-            }
-            foreach (IPAddress ip in permaList)
-                _bannedCount.Remove(ip);
+                List<IPAddress> permaList = new List<IPAddress>();
+                foreach (KeyValuePair<IPAddress, int> kvp in _bannedCount.Where(p => p.Value >= PermaBanCount))
+                {
+                    permaList.Add(kvp.Key);
+                    _logger.Dump($"Permanently banned {kvp.Value} (strike count was over {PermaBanCount}) ", SeverityLevel.Info);
+                }
+                foreach (IPAddress ip in permaList)
+                    _bannedCount.Remove(ip);
 
-            return permaList;
+                return permaList;
+            }
         }
 
         protected override void OnComputeEvents(List<ExtractedEventRecord> events)
@@ -133,32 +146,55 @@ protected override void OnComputeEvents(List<ExtractedEventRecord> events)
                 {
                     if (m.Groups.Count == 2 && IPAddress.TryParse(m.Groups[1].Value, out IPAddress ipAddress))
                     {
+                        if (_forgetIPsToDate.ContainsKey(ipAddress) && _forgetIPsToDate[ipAddress] > e.TimeCreated )
+                        {
+                            _logger.Dump($"{Name}: found {ipAddress} but ignored it (was recently removed from autoban list)", SeverityLevel.Info);
+                            continue;
+                        }
 
                         if (!sourceToCount.ContainsKey(ipAddress))
                             sourceToCount.Add(ipAddress, 1);
                         else
                             sourceToCount[ipAddress]++;
 
-                        _logger.Dump($"{Name}: found {ipAddress}, trigger count is {sourceToCount[ipAddress]}", SeverityLevel.Info);
+                        _logger.Dump($"{Name}: found {ipAddress}, trigger count is {sourceToCount[ipAddress]}", SeverityLevel.Verbose);
                     }
                 }
             }
 
-            foreach (KeyValuePair<IPAddress, int> kvp in sourceToCount)
+            lock (_syncObject)
             {
-                if (kvp.Value >= TriggerCount && !_blockedIPsToDate.ContainsKey(kvp.Key))
+                foreach (KeyValuePair<IPAddress, int> kvp in sourceToCount)
                 {
-                    _blockedIPsToDate.Add(kvp.Key, DateTime.Now);
-                    if (!_bannedCount.ContainsKey(kvp.Key))
-                        _bannedCount[kvp.Key] = 1;
-                    else
-                        _bannedCount[kvp.Key] += 1;
+                    if (kvp.Value >= TriggerCount && !_blockedIPsToDate.ContainsKey(kvp.Key))
+                    {
+                        _blockedIPsToDate.Add(kvp.Key, DateTime.Now);
+                        if (!_bannedCount.ContainsKey(kvp.Key))
+                            _bannedCount[kvp.Key] = 1;
+                        else
+                            _bannedCount[kvp.Key] += 1;
 
-                    _logger.Dump($"Temporarily banning {kvp.Key}, this is strike {_bannedCount[kvp.Key]}", SeverityLevel.Info);
+                        _logger.Dump($"Temporarily banning {kvp.Key}, this is strike {_bannedCount[kvp.Key]}", SeverityLevel.Info);
+                    }
                 }
             }
         }
 
+        public override void Forget(IPAddress address)
+        {
+            lock (_syncObject)
+            {
+                _blockedIPsToDate.Remove(address);
+
+                if (!_forgetIPsToDate.ContainsKey(address))
+                    _forgetIPsToDate.Add(address, DateTime.Now);
+                else
+                    _forgetIPsToDate[address] = DateTime.Now;
+
+                _bannedCount.Remove(address);
+            }
+        }
+
         #endregion
     }
 }

Source/EvlWatcher/EvlWatcher/tasks/IPBlockingLogTask.cs

@@ -10,5 +10,7 @@ public abstract class IPBlockingLogTask : LogTask
     {
         public abstract List<IPAddress> GetTempBanVictims();
         public abstract List<IPAddress> GetPermaBanVictims();
+
+        public abstract void Forget(IPAddress address);
     }
 }