Re: Betatest Guardian 2.0

[Stefan Schantl <stefan.schantl@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 7991 bytes --]

Hello Matthias,

also a big thanks for joining the testing team and sharing your
experience with us.
> Hi,
> 
> thanks Stefan - great work, it seems to work now. I'd still have a
> few
> suggestions.
> 
> ###########################################################
> 
> 1. One bug(?).
> On the first start after installation, I got a blank screen from
> 'guardian.cgi'.
> 
> '/var/log/httpd/error_log' says:
> 
> ...
> [Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] cannot
> touch
> '/var/ipfire/guardian/ignored': Permission denied, referer:
> https://192.168.100.254:444/cgi-bin/ids.cgi
> [Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] Unable to
> read file /var/ipfire/guardian/ignored at
> /var/ipfire/general-functions.pl line 778., referer:
> https://192.168.100.254:444/cgi-bin/ids.cgi
> ...
> 
> After I 'touched' this file manually, and 'chown'ing the correct
> rights,
> everything went ok. But the first initialization through
> 'guardian.cgi'
> failed for some reasons:
> 
> Line 79:
> ...
> unless (-e "$ignoredfile") { system("touch $ignoredfile"); }).
> ...
I recently installed the guardian-2.0-002.x86_64 tarball on a fresh
test installation and everything worked as expected. If you previously
installed the broken 002 tarball, there might be some permission issues
left - especially the "/var/ipfire/guardian/" folder requires
nobody:nobody as ownership.
> 
> ###########################################################
> 
> 2. Using 'syslog' as 'Log facility' I added some lines in
> 'srv/web/ipfire/cgi-bin/logs.cgi/log.dat' (you mentioned this
> below!?):
> 
> ...
> my %sections = (
> ...
>         'snort' => '(snort\[.*\]: )',
>         'guardian' => '(guardian\[.*\]: )'
> ...
> my %trsections = (
> ...
>         'snort' => "$Lang::tr{'intrusion detection'}",
>         'guardian' => 'Guardian'
> ...

This would be one of my next goals, if you have already a working
patch, please send it the usual way to this list.
> 
> ###########################################################
> 
> 3. Would it be possible to extrude the guardian-lang-strings from
> 'de.pl' and 'en.pl' and add these to
> '/var/ipfire/addon-lang/guardian.de.pl' and 'guardian.en.pl'
> respectively?
> 

Do you have any special reason why this should be done?
> If you need these, they're attached. I searched with...
> 
> cat guardian.cgi| grep "Lang::tr{'guardian"
> 
> ...and extracted all found lang-strings in two seperate lang-files
> (de/en). I hope they're complete, testing seemed to be ok.
> 
> Sad to say, the translation files are rather incomplete, but thats
> beyond my skills, sorry...
> 
> Best,
> Matthias

Best regards,

-Stefan
> 
> On 19.07.2016 11:24, Stefan Schantl wrote:
> > 
> > Hello Mark,
> > thanks for testing and your feedback.
> > The details why a host has been blocked or the time, can be grabbed
> > from the guardian logfile if configured or in the default settings
> > from
> > syslog (/var/log/messages). I'll very soon the support in the
> > IPFire
> > Webinterface to get the guardian related messages from the syslog
> > on
> > the corresponding CGI.
> > Best regards,
> > -Stefan
> > > 
> > > Everything seems to work well here Stefan. Is it possible to put
> > > the
> > > reason for the host being blocked in the UI. It would be very
> > > nice to
> > > know which ones, for instance, were custom-blocked. The snort log
> > > would give a reason why they were flagged. It would also be nice
> > > to
> > > know when the block was applied.
> > > I know you probably don't want to get the interface too crowded
> > > but
> > > those are just things I was thinking of.
> > > 
> > > Thanks for this.
> > > 
> > > On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl 
> > > re.org> wrote:
> > > > 
> > > > Hello mailing list followers,
> > > > 
> > > > this is the official release announcement for the first beta
> > > > release of
> > > > the new Guardian 2.0 approach.
> > > > 
> > > > 
> > > > - What are the differences to the current version of guardian
> > > > (legacy)
> > > > and the first approach of guardian 2.0?
> > > > 
> > > > The most important difference is, that the new version of
> > > > Guardian
> > > > 2.0
> > > > completely has been re-written from scratch and released under
> > > > the
> > > > terms of the GPLv3. The legacy version of guardian is not
> > > > maintained
> > > > anymore by it's developer and the software has been released
> > > > without
> > > > any license details at all.
> > > > 
> > > > Guardian 2.0 has a very modular code base and has been designed
> > > > as
> > > > a
> > > > multi-threaded application. This allows a parallel parsing of
> > > > all
> > > > monitored logfiles and faster actions, if one of the used
> > > > modules
> > > > detects an attack.
> > > > 
> > > > A very important difference to the legacy version is the
> > > > support of
> > > > configuring and managing the entire service through the IPFire
> > > > webinterface. The entire configuration, managing of current
> > > > blocked
> > > > hosts, unblocking them or editing the ignored hosts list now
> > > > can be
> > > > done in a graphical way. 
> > > > 
> > > > The legacy version of guardian only supported parsing snort
> > > > alerts.
> > > > HTTPD and SSH support has been patched by the IPFire
> > > > development
> > > > team
> > > > some time ago. Guardian 2.0 supports all of them out of the box
> > > > and
> > > > includes a filter to detect owncloud login brute-force
> > > > attempts. As
> > > > a
> > > > benefit of the new modular design, additional filters easily
> > > > can be
> > > > added.
> > > > 
> > > > Guardian 2.0 is able to reload it's configuration, reloading
> > > > the ignore list during runtime and handle, if the logfiles will
> > > > get
> > > > rotated by logrotate. This actions can be called by using the
> > > > webinterface or from the command line interface by using
> > > > "guardianctrl".
> > > > 
> > > > These are just a handful of the changes and benefits which
> > > > comes
> > > > with
> > > > Guardian 2.0, a complete list would be to long for this mailing
> > > > list.
> > > > 
> > > > 
> > > > - How to join testing?
> > > > 
> > > > To get part of the testing team, simple navigate to http://peop
> > > > le.i
> > > > pfir
> > > > e.org/~stevee/guardian-2.0/ and download the latest tarball
> > > > (currently
> > > > 002). Please take care to download the correct one, based on
> > > > your
> > > > used
> > > > architecture. The i585 packages are for 32Bit installations of
> > > > IPFire,
> > > > the x86_64 packages only can be used on 64Bit installations.
> > > > 
> > > > Put the downloaded file on your IPFire test system and extract
> > > > the
> > > > package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C
> > > > /".
> > > > 
> > > > The final installation step would be to regenerate the language
> > > > cache
> > > > by executing "update-lang-cache" on the console.
> > > > 
> > > > From now you can find a new menu item called "Guardian" in your
> > > > "Service" menu after you have logged-in into your IPFire's
> > > > webinterface.
> > > > 
> > > > Documentation can be found on the IPFire wiki: http://wiki.ipfi
> > > > re.o
> > > > rg/e
> > > > n/addons/guardian/start#the_guardian_20_addon
> > > > 
> > > > 
> > > > - Where to post bugs reports or provide feedback?
> > > > 
> > > > If you find any bugs, please report them as usual on the IPFire
> > > > bugtracker, which can be found at https://bugzilla.ipfire.org.
> > > > 
> > > > To provide feedback or to join a discussion, please send your
> > > > mails
> > > > to
> > > > "development(a)lists.ipfire.org" (Please register first at http:/
> > > > /lis
> > > > ts.i
> > > > pfire.org if not yet done).
> > > > 
> > > > The source code can be found at http://git.ipfire.org/?p=people
> > > > /ste
> > > > vee/
> > > > guardian.git;a=summary
> > > > 
> > > > 
> > > > Happy testing,
> > > > 
> > > > -Stefan
> > > > 
> > > > 
> > > 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]