release 2.1.5 (#86)

* turning up the version number

* avoid runtime change of _syncObject in logger

* fixes #87

* fixes #90, Part 2

* fixed a typo

* readonly instance member

* fixes #91

* #92 added mor text to slow/overheated task warning

* #92 also, the gap is a bit low

* #92 also, dont spam the event log, write the warning once a day

* changed timing method to rule out measurement error #86

* release v2.1.5

Author: devnulli

NEWS.md

@@ -1,5 +1,9 @@
 ## NEWS 
 
+### 2022-04-14 release of v.2.1.5 was completed
+- fixes a bug where a windows misbehaviour could return 0.0.0.0 as offending IP, thus blocking all subnets
+- try to fix a bug where a false positive warning about tasks taking too long are spamming the event logs of EvlWatcher
+
 ### 2022-01-22 release of v.2.1.4 was completed
 - basic ipv6 support
 - certificate was renewed

README.md

@@ -5,7 +5,7 @@ It's basically a fail2ban for windows. Its goals are also mainly what we love ab
 - *no-initial-fucking-around-with-scripts-or-config-files*
 - *install-and-forget*
 
-You can download it [here](https://github.com/devnulli/EvlWatcher/raw/master/Versions/v2/EvlWatcher-v2.1.4-setup.exe) ( v2.1.4 - January 2022 ) .
+You can download it [here](https://github.com/devnulli/EvlWatcher/raw/master/Versions/v2/EvlWatcher-v2.1.5-setup.exe) ( v2.1.5 - April 2022 ) .
 
 ## Also, we love issues!
 

Source/EvlWatcher/EvlWatcher.WCF/Properties/AssemblyInfo.cs

@@ -10,7 +10,7 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
 [assembly: AssemblyProduct("EvlWatcher.WCF")]
-[assembly: AssemblyCopyright("Copyright © 2021 Michael Schönbauer")]
+[assembly: AssemblyCopyright("Copyright © 2022 Michael Schönbauer")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("2.1.4.0")]
-[assembly: AssemblyFileVersion("2.1.4.0")]
+[assembly: AssemblyVersion("2.1.5.0")]
+[assembly: AssemblyFileVersion("2.1.5.0")]

Source/EvlWatcher/EvlWatcher/EvlWatcher.cs

@@ -16,6 +16,7 @@
 using System.ServiceProcess;
 using System.Text.RegularExpressions;
 using System.Threading;
+using System.Diagnostics;
 
 namespace EvlWatcher
 {
@@ -45,6 +46,7 @@ public class EvlWatcher : ServiceBase, IEvlWatcherService
         /// all loaded tasks
         /// </summary>
         private static readonly List<LogTask> _logTasks = new List<LogTask>();
+        private static readonly Dictionary<LogTask, DateTime> _logTasksPerfWarningIssued = new Dictionary<LogTask, DateTime>();
 
         /// <summary>
         /// adds some extra output
@@ -331,6 +333,7 @@ private void PushBanList()
                     .Union(_serviceconfiguration.BlacklistAddresses)
                     .Distinct()
                     .Where(address => !IsWhiteListed(address))
+                    .Where(address => !address.Equals(IPAddress.Any))
                     .ToList();
 
                 _firewallApi.AdjustIPBanList(banList);
@@ -492,40 +495,48 @@ private void Run()
 
                                     if (eventsForThisTask.Count > 0)
                                     {
-                                        DateTime start = DateTime.Now;
+                                        var start = Stopwatch.GetTimestamp();
 
                                         t.ProvideEvents(eventsForThisTask);
 
-                                        if (DateTime.Now.Subtract(start).TotalMilliseconds > 500)
-                                            _logger.Dump($"Warning: Task {t.Name} takes a lot of resources. This can make your server vulnerable to DOS attacks. Try better boosters.", SeverityLevel.Warning);
+                                        var end = Stopwatch.GetTimestamp();
+
+                                        if (end - start > 50000000)
+                                        {
+                                            if (!_logTasksPerfWarningIssued.ContainsKey(t) || DateTime.Now > _logTasksPerfWarningIssued[t].AddHours(24))
+                                            {
+                                                _logger.Dump($"Warning: Task {t.Name} takes a lot of resources. This can have different reasons, maybe you get a lot of events (problems in domain configuration, stale hidden credentials..), or the event processing is too slow. This can cause EvlWatcher to produce CPU spikes. Try better boosters, or try to find the root problem,", SeverityLevel.Warning);
+                                                _logTasksPerfWarningIssued[t] = DateTime.Now;
+                                            }
+                                        }
                                     }
                                 }
                             }
                         }
 
-                        List<IPAddress> blackList = new List<IPAddress>();
+                        List<IPAddress> polledTempBansOfThisCycle = new List<IPAddress>();
+                        List<IPAddress> polledPermaBansOfThisCycle = new List<IPAddress>();
 
                         //let the tasks poll which ips they want to have blocked / or permanently banned
                         foreach (LogTask t in _logTasks)
                         {
                             if (t is IPBlockingLogTask ipTask)
                             {
-                                SetPermanentBanInternal(ipTask.GetPermaBanVictims().ToArray());
-
-                                List<IPAddress> blockedIPs = ipTask.GetTempBanVictims();
+                                List<IPAddress> polledTempBansOfThisTask = ipTask.GetTempBanVictims();
+                                List<IPAddress> polledPermaBansOfThisTask = ipTask.GetPermaBanVictims();
 
-                                _logger.Dump($"Polled {t.Name} and got {blockedIPs.Count} temporary and {_serviceconfiguration.BlacklistAddresses.Count()} permanent ban(s)", SeverityLevel.Verbose);
+                                _logger.Dump($"Polled {t.Name} and got {polledTempBansOfThisTask.Count} temporary and {polledPermaBansOfThisTask.Count()} permanent ban(s)", SeverityLevel.Verbose);
 
-                                foreach (IPAddress blockedIP in blockedIPs)
-                                    if (!blackList.Contains(blockedIP))
-                                        blackList.Add(blockedIP);
+                                polledPermaBansOfThisCycle.AddRange(polledPermaBansOfThisTask.Where(ip => !polledPermaBansOfThisCycle.Contains(ip)).ToList());
+                                polledTempBansOfThisCycle.AddRange(polledTempBansOfThisTask.Where(ip => !polledTempBansOfThisCycle.Contains(ip)).ToList());
                             }
                         }
 
                         _logger.Dump($"\r\n-----Cycle complete, sleeping {_serviceconfiguration.EventLogInterval} s......\r\n", SeverityLevel.Debug);
-                        
-                        _lastPolledTempBans = blackList;
 
+                        SetPermanentBanInternal(polledPermaBansOfThisCycle.ToArray(), pushBanList: false);
+                        _lastPolledTempBans = polledTempBansOfThisCycle;
+                        
                         PushBanList();
                     }
                     catch (Exception executionException)
@@ -570,12 +581,13 @@ private void Run()
             }
         }
 
-        private void SetPermanentBanInternal(IPAddress[] addressList)
+        private void SetPermanentBanInternal(IPAddress[] addressList, bool pushBanList=true)
         {
             foreach (IPAddress address in addressList)
                 _serviceconfiguration.AddBlackListAddress(address);
 
-            PushBanList();
+            if (pushBanList)
+                PushBanList();
         }
 
 

Source/EvlWatcher/EvlWatcher/EvlWatcher.csproj

@@ -127,7 +127,7 @@
   </ItemGroup>
   <ItemGroup>
     <Content Include="config.xml">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
       <SubType>Designer</SubType>
     </Content>
     <Content Include="license.txt">

Source/EvlWatcher/EvlWatcher/Logging/DefaultLogger.cs

@@ -8,11 +8,11 @@ namespace EvlWatcher.Logging
 {
     internal class DefaultLogger : ILogger
     {
-        private object _syncObject = new object();
+        private readonly object _syncObject = new object();
         public SeverityLevel LogLevel { get; set; } = SeverityLevel.Warning;
 
         private int ConsoleHistoryMaxCount { get; set; } = 1000;
-        private IList<LogEntry> ConsoleHistory { get; set; } = new List<LogEntry>();
+        private IList<LogEntry> ConsoleHistory { get; } = new List<LogEntry>();
 
         private void ManageConsoleHistory(string message, SeverityLevel severity, DateTime date)
         {

Source/EvlWatcher/EvlWatcher/NSIS/make.nsi

@@ -2,7 +2,7 @@ Name "EvlWatcher"
 
 ; The file to write
 Icon EvlWatcher.ico
-OutFile "EvlWatcher-v2.1.4-setup.exe"
+OutFile "EvlWatcher-v2.1.5-setup.exe"
 
 ; The default installation directory
 InstallDir $PROGRAMFILES\EvlWatcher

Source/EvlWatcher/EvlWatcher/Properties/AssemblyInfo.cs

@@ -9,7 +9,7 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("Michael Schönbauer")]
 [assembly: AssemblyProduct("EvlWatcher")]
-[assembly: AssemblyCopyright("2021 Michael Schönbauer")]
+[assembly: AssemblyCopyright("2022 Michael Schönbauer")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
@@ -28,5 +28,5 @@
 //      Build Number
 //      Revision
 //
-[assembly: AssemblyVersion("2.1.4.0")]
-[assembly: AssemblyFileVersion("2.1.4.0")]
+[assembly: AssemblyVersion("2.1.5.0")]
+[assembly: AssemblyFileVersion("2.1.5.0")]

Source/EvlWatcher/EvlWatcher/config.xml

@@ -31,7 +31,13 @@
 				3600
 			</LockTime>
 
-			<!-- this is used for rules that only need new events for evaluating. If you dont know what this does, leave it set to false-->
+			<!-- this is used for rules that only need new events for evaluating.
+			      - If you dont know what this does, leave it set to false
+				  
+				  - If you set this to true, it means that the task will only receive events it has not already received
+				  
+				  - If you set this to false, it means that the task will receive all events of its timeframe, everytime it is polled 
+				     (e.g. task gets events provided until they fall out of the timeframe)-->
 			<OnlyNew>
 				False
 			</OnlyNew>
@@ -81,7 +87,13 @@
 				3600
 			</LockTime>
 
-			<!-- this is used for rules that only need new events for evaluating. If you dont know what this does, leave it set to false-->
+			<!-- this is used for rules that only need new events for evaluating.
+			      - If you dont know what this does, leave it set to false
+				  
+				  - If you set this to true, it means that the task will only receive events it has not already received
+				  
+				  - If you set this to false, it means that the task will receive all events of its timeframe, everytime it is polled 
+				     (e.g. task gets events provided until they fall out of the timeframe)-->
 			<OnlyNew>
 				False
 			</OnlyNew>
@@ -130,7 +142,13 @@
 				3600
 			</LockTime>
 
-			<!-- this is used for rules that only need new events for evaluating. If you dont know what this does, leave it set to false-->
+			<!-- this is used for rules that only need new events for evaluating.
+			      - If you dont know what this does, leave it set to false
+				  
+				  - If you set this to true, it means that the task will only receive events it has not already received
+				  
+				  - If you set this to false, it means that the task will receive all events of its timeframe, everytime it is polled 
+				     (e.g. task gets events provided until they fall out of the timeframe)-->
 			<OnlyNew>
 				False
 			</OnlyNew>
@@ -177,10 +195,18 @@
 			<LockTime>
 				3600
 			</LockTime>
-			<!-- this is used for rules that only need new events for evaluating. If you dont know what this does, leave it set to false-->
+			
+			<!-- this is used for rules that only need new events for evaluating.
+			      - If you dont know what this does, leave it set to false
+				  
+				  - If you set this to true, it means that the task will only receive events it has not already received
+				  
+				  - If you set this to false, it means that the task will receive all events of its timeframe, everytime it is polled 
+				     (e.g. task gets events provided until they fall out of the timeframe)-->
 			<OnlyNew>
 				False
 			</OnlyNew>
+			
 			<!-- this is the timeframe (in seconds) to be inspected-->
 			<EventAge>
 				120
@@ -217,7 +243,14 @@
 			<LockTime>
 				3600
 			</LockTime>
-			<!-- this is used for rules that only need new events for evaluating. If you dont know what this does, leave it set to false-->
+			
+			<!-- this is used for rules that only need new events for evaluating.
+			      - If you dont know what this does, leave it set to false
+				  
+				  - If you set this to true, it means that the task will only receive events it has not already received
+				  
+				  - If you set this to false, it means that the task will receive all events of its timeframe, everytime it is polled 
+				     (e.g. task gets events provided until they fall out of the timeframe)-->
 			<OnlyNew>
 				False
 			</OnlyNew>

Source/EvlWatcherConsole/EvlWatcherConsole/Properties/AssemblyInfo.cs

@@ -10,7 +10,7 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
 [assembly: AssemblyProduct("EvlWatcherConsole")]
-[assembly: AssemblyCopyright("2020 Michael Schönbauer")]
+[assembly: AssemblyCopyright("2022 Michael Schönbauer")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
@@ -49,5 +49,5 @@
 // Sie können alle Werte angeben oder die standardmäßigen Build- und Revisionsnummern 
 // übernehmen, indem Sie "*" eingeben:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("2.1.4.0")]
-[assembly: AssemblyFileVersion("2.1.4.0")]
+[assembly: AssemblyVersion("2.1.5.0")]
+[assembly: AssemblyFileVersion("2.1.5.0")]