
Expanded security detection

  We now block an IP if it attempts to use a username made up entirely of numbers.
  We now block an IP if it uses a username that contains a bad username (root123 would
contain root and thus gets blocked).

  Also added test to defaults as it was found test and test123 were used
in live hack attempts.
david 3 years ago
parent
commit
dffc3896b7
1 changed files with 25 additions and 2 deletions
  1. 25 2
      failUser.py

+ 25 - 2
failUser.py

@@ -58,6 +58,27 @@ def unblocker(ip):
 #         except JSONDecodeError:
 #             log.error("Failed to decode line, '{0}'".format(line))
 
+def numeric_check(name):
+    """ Attempt's to convert name into a integer or rather float
+        If it succeeds then either we have a really dumb user or
+        we have a hacker.
+    """
+    try:
+        name = float(name)
+        return True
+    except TypeError:
+        return False
+
+def contains_bad(name):
+    """ Checks each of the bad names to see if the bad name is in the
+        name given.
+        I.E. root123 would trigger because root is in the name.
+    """
+    for b in myConfig["bad_users"]:
+        if b in name:
+            return True
+    return False
+
 struct = {}
 state = 0
 def is_bad(line):
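Review bot: `numeric_check` catches the wrong exception: `float("alice")` raises `ValueError`, not `TypeError`, so any login whose name is neither numeric nor already in `bad_users` propagates an exception out of the handler instead of returning False. `float` also accepts `inf`, `nan`, `1e5` and surrounding whitespace, which is wider than the "all numbers" rule the commit describes; replacing the body with `return name.isdigit()` expresses that rule directly, cannot raise on a string, and drops the unused `name = float(name)` rebinding. In `contains_bad`, an empty entry in `bad_users` matches every name and a short entry such as `test` also matches legitimate names like `attestor`, so consider skipping empty entries and stating in the docstring that the match is substring-based, not whole-word.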
@@ -96,7 +117,8 @@ class EventHandler(ProcessEvent):
                 if(luser):
                     if luser["ip"] in myConfig["whitelist"]:
                         return # Don't block ourselves
-                    if luser["user"] in myConfig["bad_users"]:
+                    if luser["user"] in myConfig["bad_users"] or numeric_check(luser["user"]) or contains_bad(luser["user"]):
+                        # The user either is directly in the bad users list, either all numbers or contains a bad username.
                         blocker(luser["ip"])
                         now = pendulum.now().to_atom_string()
                         log.info("Blocked {0} at {1}".format(luser["ip"], now))
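Review bot: The new three-way condition on this line is repeated verbatim in the next hunk, so any future rule has to be added in two places; a single helper such as `def is_bad_user(name): return name in myConfig["bad_users"] or numeric_check(name) or contains_bad(name)` called from both handlers keeps the two paths in sync. The exact-membership test is already implied by `contains_bad`, which returns True whenever a bad name is a substring of the login name, so the helper can be reduced to the two new checks if that redundancy is unwanted. The added comment would read more clearly as `# Block when the name is in bad_users, is all digits, or contains a bad name.` The enclosing method starts outside the hunk.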
@@ -117,7 +139,8 @@ class EventHandler(ProcessEvent):
                 if(luser):
                     if luser["ip"] in myConfig["whitelist"]:
                         return # Don't block ourselves
-                    if luser["user"] in myConfig["bad_users"]:
+                    if luser["user"] in myConfig["bad_users"] or numeric_check(luser["user"]) or contains_bad(luser["user"]):
+                        # The user either is directly in the bad users list, either all numbers or contains a bad username.
                         blocker(luser["ip"])
                         now = pendulum.now().to_atom_string()
                         log.info("Blocked {0} at {1}".format(luser["ip"], now))