mirror of https://github.com/jrbrtsn/ban2fail
Various optimizations
This commit is contained in:
parent
5aab1c091a
commit
1bb1ee5f86
|
@ -95,7 +95,7 @@ struct Global G= {
|
||||||
.version= {
|
.version= {
|
||||||
.major= 0,
|
.major= 0,
|
||||||
.minor= 11,
|
.minor= 11,
|
||||||
.patch= 5
|
.patch= 6
|
||||||
},
|
},
|
||||||
|
|
||||||
.bitTuples.flags= GlobalFlagBitTuples
|
.bitTuples.flags= GlobalFlagBitTuples
|
||||||
|
|
59
ban2fail.sh
59
ban2fail.sh
|
@ -1,11 +1,11 @@
|
||||||
#!/bin/bash -e
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
# JDR Wed 27 Nov 2019 01:30:29 PM EST
|
# JDR Wed 27 Nov 2019 01:30:29 PM EST
|
||||||
# The purpose of this script is to be run from a systemd service
|
# The purpose of this script is to be run from a systemd service
|
||||||
# file, or sysvinit script.
|
# file, or sysvinit script.
|
||||||
#
|
#
|
||||||
# BE CAREFUL not to monitor the log file to which output from this
|
# BE CAREFUL not to monitor the log file to which output from this
|
||||||
# script gets written - you will have a feedback loop!
|
# script is written - you will have a feedback loop!
|
||||||
#
|
#
|
||||||
|
|
||||||
BAN2FAIL=/usr/local/bin/ban2fail
|
BAN2FAIL=/usr/local/bin/ban2fail
|
||||||
|
@ -15,18 +15,27 @@ INOTIFYWAIT=/usr/bin/inotifywait
|
||||||
# Uncomment this if you wish to see output from the time command
|
# Uncomment this if you wish to see output from the time command
|
||||||
#TIME=time
|
#TIME=time
|
||||||
|
|
||||||
# Always do initial check
|
# Do not run again for at least this many deciseconds, to
|
||||||
echo "Initial run for $BAN2FAIL"
|
# avoid monopolizing CPU
|
||||||
$TIME $BAN2FAIL
|
MIN_PERIOD_DS=3
|
||||||
|
|
||||||
|
# Get period in nanoseconds for integer calculations
|
||||||
|
(( MIN_PERIOD_NS = MIN_PERIOD_DS * 100000000 ))
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
echo "Starting main loop"
|
echo "Starting main loop"
|
||||||
LOG_NAMES=$($BAN2FAIL --print-lfn | tr $'\n' ' ')
|
LOG_NAMES=$($BAN2FAIL --print-lfn | tr $'\n' ' ')
|
||||||
LOG_NAMES="$LOG_NAMES $BAN2FAIL_CFG"
|
LOG_NAMES="$LOG_NAMES $BAN2FAIL_CFG"
|
||||||
|
|
||||||
|
# Always do initial check
|
||||||
|
echo "Initial run for $BAN2FAIL"
|
||||||
|
RAN_NS=$(date +%s%N)
|
||||||
|
$TIME $BAN2FAIL
|
||||||
|
|
||||||
echo "Monitoring: $LOG_NAMES"
|
echo "Monitoring: $LOG_NAMES"
|
||||||
|
|
||||||
while read; do
|
while read; do
|
||||||
|
|
||||||
# if a file gets renamed, logrotate is doing it's thing.
|
# if a file gets renamed, logrotate is doing it's thing.
|
||||||
[[ "$REPLY" =~ MOVE_SELF ]] && break
|
[[ "$REPLY" =~ MOVE_SELF ]] && break
|
||||||
[[ "$REPLY" == $BAN2FAIL_CFG\ MODIFY ]] && break
|
[[ "$REPLY" == $BAN2FAIL_CFG\ MODIFY ]] && break
|
||||||
|
@ -36,18 +45,46 @@ while true; do
|
||||||
# Uncomment this to see the inotifywait output which triggered this cycle
|
# Uncomment this to see the inotifywait output which triggered this cycle
|
||||||
#echo "REPLY= '$REPLY'"
|
#echo "REPLY= '$REPLY'"
|
||||||
|
|
||||||
# Avoid running ban2fail multiple times if possible
|
NOW_NS=$(date +%s%N)
|
||||||
while read -t 0; do
|
(( SINCE_NS = NOW_NS - RAN_NS ))
|
||||||
read
|
#echo "RAN_NS= $RAN_NS, NOW_NS= $NOW_NS, SINCE_NS= $SINCE_NS, MIN_PERIOD_NS= $MIN_PERIOD_NS"
|
||||||
done
|
if (( SINCE_NS < MIN_PERIOD_NS )); then
|
||||||
|
|
||||||
|
(( REMAINING_NS = MIN_PERIOD_NS - SINCE_NS ))
|
||||||
|
|
||||||
|
# break sleep time into seconds and nanosecond remainder components
|
||||||
|
(( REMAINING_SEC = REMAINING_NS / 1000000000 ))
|
||||||
|
(( REMAINING_NS_REM = REMAINING_NS % 1000000000 ))
|
||||||
|
|
||||||
|
#echo "REMAINING_NS= $REMAINING_NS, REMAINING_SEC= $REMAINING_SEC, REMAINING_NS_REM= $REMAINING_NS_REM"
|
||||||
|
|
||||||
|
if (( REMAINING_SEC || REMAINING_NS_REM > 1000000 )); then
|
||||||
|
|
||||||
|
# use printf command to format as floating point string
|
||||||
|
remaining_sec_fp=$(printf '%d.%09d' $REMAINING_SEC $REMAINING_NS_REM)
|
||||||
|
|
||||||
|
#echo "sleeping for $remaining_sec_fp seconds"
|
||||||
|
|
||||||
|
# sleep for floating point period of seconds
|
||||||
|
sleep $remaining_sec_fp
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Consume queued input to avoid running ban2fail more than necessary
|
||||||
|
while read -t 0; do read; done
|
||||||
|
|
||||||
echo "Running $BAN2FAIL"
|
echo "Running $BAN2FAIL"
|
||||||
|
|
||||||
# Check for offenses
|
# Check for offenses
|
||||||
# If ban2fail failed, then pause to avoid DOS on CPU
|
# If ban2fail failed, then pause to avoid monopolizing CPU
|
||||||
|
RAN_NS=$(date +%s%N)
|
||||||
while ! $TIME $BAN2FAIL; do
|
while ! $TIME $BAN2FAIL; do
|
||||||
sleep 1
|
sleep .5
|
||||||
|
RAN_NS=$(date +%s%N)
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
done < <(exec $INOTIFYWAIT -m $LOG_NAMES)
|
done < <(exec $INOTIFYWAIT -m $LOG_NAMES)
|
||||||
|
|
||||||
echo ' Exiting main loop'
|
echo ' Exiting main loop'
|
||||||
|
|
|
@ -49,7 +49,7 @@ initialize (void)
|
||||||
const static struct ipv {
|
const static struct ipv {
|
||||||
const char *cmd,
|
const char *cmd,
|
||||||
*pattern;
|
*pattern;
|
||||||
} Ipv[] = {
|
} ipv_arr[] = {
|
||||||
{ .cmd= IPTABLES " -nL INPUT 2>/dev/null",
|
{ .cmd= IPTABLES " -nL INPUT 2>/dev/null",
|
||||||
.pattern= "DROP[[:space:]]+all[[:space:]]+--[[:space:]]+([0-9.]+)[[:space:]]+0\\.0\\.0\\.0/0"
|
.pattern= "DROP[[:space:]]+all[[:space:]]+--[[:space:]]+([0-9.]+)[[:space:]]+0\\.0\\.0\\.0/0"
|
||||||
},
|
},
|
||||||
|
@ -59,7 +59,8 @@ initialize (void)
|
||||||
{ /* Terminating member */ }
|
{ /* Terminating member */ }
|
||||||
};
|
};
|
||||||
|
|
||||||
for(const struct ipv *ipv= Ipv; ipv->cmd; ++ipv) {
|
/* Take care of all ip versions ... */
|
||||||
|
for(const struct ipv *ipv= ipv_arr; ipv->cmd; ++ipv) {
|
||||||
|
|
||||||
static char lbuf[1024];
|
static char lbuf[1024];
|
||||||
static char addr[43];
|
static char addr[43];
|
||||||
|
|
21
logType.c
21
logType.c
|
@ -104,8 +104,15 @@ LOGTYPE_proto_constructor(LOGTYPE *self, const struct logProtoType *proto)
|
||||||
self->dir= strdup(proto->dir);
|
self->dir= strdup(proto->dir);
|
||||||
self->pfix= strdup(proto->pfix);
|
self->pfix= strdup(proto->pfix);
|
||||||
|
|
||||||
if(G.flags & GLB_PRINT_LOGFILE_NAMES_FLG)
|
if(G.flags & GLB_PRINT_LOGFILE_NAMES_FLG) {
|
||||||
|
|
||||||
ez_fprintf(G.listing_fh, "%s/%s\n", proto->dir, proto->pfix);
|
ez_fprintf(G.listing_fh, "%s/%s\n", proto->dir, proto->pfix);
|
||||||
|
/* We're going to save time here and short circuit the remainder
|
||||||
|
* of the process; because this object will not get used for
|
||||||
|
* anything other than listing the file names.
|
||||||
|
*/
|
||||||
|
return self;
|
||||||
|
}
|
||||||
|
|
||||||
size_t pfix_len= strlen(self->pfix);
|
size_t pfix_len= strlen(self->pfix);
|
||||||
|
|
||||||
|
@ -192,6 +199,10 @@ LOGTYPE_proto_constructor(LOGTYPE *self, const struct logProtoType *proto)
|
||||||
/* Now we have the checksum of the log file */
|
/* Now we have the checksum of the log file */
|
||||||
/* See if the cached results exist */
|
/* See if the cached results exist */
|
||||||
rc= snprintf(CacheFname, sizeof(CacheFname), "%s/%s", CacheDname, sumStr);
|
rc= snprintf(CacheFname, sizeof(CacheFname), "%s/%s", CacheDname, sumStr);
|
||||||
|
if(sizeof(CacheFname) == rc) {
|
||||||
|
eprintf("FATAL: File path truncated!");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
LOGFILE *f;
|
LOGFILE *f;
|
||||||
|
|
||||||
if(!access(CacheFname, F_OK)) {
|
if(!access(CacheFname, F_OK)) {
|
||||||
|
@ -248,6 +259,10 @@ LOGTYPE_proto_constructor(LOGTYPE *self, const struct logProtoType *proto)
|
||||||
if(f) continue;
|
if(f) continue;
|
||||||
|
|
||||||
rc= snprintf(CacheFname, sizeof(CacheFname), "%s/%s", CacheDname, entry->d_name);
|
rc= snprintf(CacheFname, sizeof(CacheFname), "%s/%s", CacheDname, entry->d_name);
|
||||||
|
if(sizeof(CacheFname) == rc) {
|
||||||
|
eprintf("FATAL: File path truncated!");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
ez_unlink(CacheFname);
|
ez_unlink(CacheFname);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -337,6 +352,10 @@ LOGTYPE_init(CFGMAP *h_map, char *pfix)
|
||||||
LOGTYPE_proto_create(obj, &proto);
|
LOGTYPE_proto_create(obj, &proto);
|
||||||
assert(obj);
|
assert(obj);
|
||||||
|
|
||||||
|
/* Short circuit remainder of process if only printing file names */
|
||||||
|
if(G.flags & GLB_PRINT_LOGFILE_NAMES_FLG)
|
||||||
|
return 0;
|
||||||
|
|
||||||
/* Place int the global map */
|
/* Place int the global map */
|
||||||
MAP_addStrKey(&G.logType_map, LOGTYPE_cacheName(obj), obj);
|
MAP_addStrKey(&G.logType_map, LOGTYPE_cacheName(obj), obj);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue