EFTEC / Cyberarms

It is a library
https://www.eftec.cl
MIT License

Lock for aaa.bbb.ccc.dd does not work, if aaa.bbb.ccc.ddd is already locked? #13

Open stiinek opened 4 years ago

stiinek commented 4 years ago

Hello, IDDS has already hard locked 176.113.115.151. An intrusion from 176.113.115.15 was detected; after 10 attempts the IP is listed as hard locked in the Current locks tab, but there is no line about the hard lock in the Security log tab, and the IP is also not added to the FW rule.

The same situation also occurs with the pair 92.63.194.36 and 92.63.194.3.

maxemilian commented 4 years ago

Is Windows Firewall running?

How many IP addresses are already locked out?

Max


stiinek commented 4 years ago

Yes, FW is running, and other new IPs are blocked correctly. The pair 176.113.115.151/176.113.115.15 was spotted on two different machines, with 300 hard locks on the first and 600 on the second.

JuanmaSP commented 3 years ago

Hi, I confirm that issue. I think the mistake is in the function IsLocked. To fix it we have to change how we check if an address is already blocked.

Something like this:

    internal bool IsLocked(string ipAddress) {
        string AddressList;
        try {
            INetFwRule rule = GetRule(GetRuleName("BlockAttacker", 0));
            // Wrap both the comma-separated rule list and the address in commas,
            // so that only a whole list entry can match.
            AddressList = "," + rule.RemoteAddresses + ",";
            return AddressList.Contains("," + ipAddress + ",");
            // Previous check: plain substring match, so 176.113.115.15 is found inside 176.113.115.151.
            //return rule.RemoteAddresses.Contains(ipAddress);
        } catch (Exception ex) {
            System.Diagnostics.EventLog.WriteEntry("IsLocked encountered an error: ", ex.Message, System.Diagnostics.EventLogEntryType.Error);
        }
        return false;
    }
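The prefix collision reported in this thread, as an added stand-alone example that is not part of the comment above or of the Cyberarms code base. `LockListDemo`, `SubstringMatch` and `TokenMatch` are hypothetical names, the address list is constructed, and the `/mask` suffix on one entry is an assumption about how a firewall rule may store an address; the token check goes beyond the comma-wrapping fix by comparing parsed addresses.

```csharp
using System;
using System.Linq;
using System.Net;

static class LockListDemo {
    // Substring search over the raw comma-separated list: any listed
    // address that merely starts with the queried one counts as a hit.
    static bool SubstringMatch(string remoteAddresses, string ip) =>
        remoteAddresses.Contains(ip);

    // Token check: split the list into entries, drop an optional
    // "/mask" or "/prefix" suffix, and compare parsed addresses.
    // Entries that are not a single address (ranges, keywords) fail
    // to parse and are skipped.
    static bool TokenMatch(string remoteAddresses, string ip) {
        if (!IPAddress.TryParse(ip, out IPAddress wanted)) return false;
        return remoteAddresses
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(entry => entry.Split('/')[0].Trim())
            .Any(host => IPAddress.TryParse(host, out IPAddress listed)
                         && listed.Equals(wanted));
    }

    static void Main() {
        // Constructed list: the two addresses reported as already locked.
        string locked = "176.113.115.151,92.63.194.36/255.255.255.255";

        // The first two are the attackers that never reached the rule;
        // the last two are the entries that are really in the list.
        string[] probes = {
            "176.113.115.15", "92.63.194.3",
            "176.113.115.151", "92.63.194.36"
        };

        foreach (string ip in probes) {
            Console.WriteLine(
                $"{ip,-16} substring={SubstringMatch(locked, ip),-5} " +
                $"token={TokenMatch(locked, ip)}");
        }
    }
}
```

The substring check reports all four probes as locked, while the token check reports only the two addresses that are actually in the list.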