Hello Matthias,

also a big thanks for joining the testing team and sharing your experience with us.

> Hi,
>
> thanks Stefan - great work, it seems to work now. I'd still have a few suggestions.
>
> ###########################################################
>
> 1. One bug(?).
> On the first start after installation, I got a blank screen from 'guardian.cgi'.
>
> '/var/log/httpd/error_log' says:
>
> ...
> [Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] cannot touch '/var/ipfire/guardian/ignored': Permission denied, referer: https://192.168.100.254:444/cgi-bin/ids.cgi
> [Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] Unable to read file /var/ipfire/guardian/ignored at /var/ipfire/general-functions.pl line 778., referer: https://192.168.100.254:444/cgi-bin/ids.cgi
> ...
>
> After I 'touched' this file manually, and 'chown'ing the correct rights, everything went ok. But the first initialization through 'guardian.cgi' failed for some reasons:
>
> Line 79:
> ...
> unless (-e "$ignoredfile") { system("touch $ignoredfile"); }
> ...

I recently installed the guardian-2.0-002.x86_64 tarball on a fresh test installation and everything worked as expected.

If you previously installed the broken 002 tarball, there might be some permission issues left - especially the "/var/ipfire/guardian/" folder requires nobody:nobody as ownership.

> ###########################################################
>
> 2. Using 'syslog' as 'Log facility' I added some lines in 'srv/web/ipfire/cgi-bin/logs.cgi/log.dat' (you mentioned this below!?):
>
> ...
> my %sections = (
> ...
>         'snort' => '(snort\[.*\]: )',
>         'guardian' => '(guardian\[.*\]: )'
> ...
> my %trsections = (
> ...
>         'snort' => "$Lang::tr{'intrusion detection'}",
>         'guardian' => 'Guardian'
> ...

This would be one of my next goals; if you already have a working patch, please send it the usual way to this list.
> ###########################################################
>
> 3. Would it be possible to extrude the guardian-lang-strings from 'de.pl' and 'en.pl' and add these to '/var/ipfire/addon-lang/guardian.de.pl' and 'guardian.en.pl' respectively?

Do you have any special reason why this should be done?

> If you need these, they're attached. I searched with...
>
> cat guardian.cgi| grep "Lang::tr{'guardian"
>
> ...and extracted all found lang-strings in two separate lang-files (de/en). I hope they're complete, testing seemed to be ok.
>
> Sad to say, the translation files are rather incomplete, but that's beyond my skills, sorry...
>
> Best,
> Matthias

Best regards,

-Stefan

> > On 19.07.2016 11:24, Stefan Schantl wrote:
> >
> > Hello Mark,
> >
> > thanks for testing and your feedback.
> >
> > The details why a host has been blocked or the time can be grabbed from the guardian logfile if configured, or in the default settings from syslog (/var/log/messages). I'll very soon add the support in the IPFire Webinterface to get the guardian related messages from the syslog on the corresponding CGI.
> >
> > Best regards,
> >
> > -Stefan
> >
> > > Everything seems to work well here Stefan. Is it possible to put the reason for the host being blocked in the UI? It would be very nice to know which ones, for instance, were custom-blocked. The snort log would give a reason why they were flagged. It would also be nice to know when the block was applied.
> > > I know you probably don't want to get the interface too crowded but those are just things I was thinking of.
> > >
> > > Thanks for this.
> > >
> > > On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl re.org> wrote:
> > > >
> > > > Hello mailing list followers,
> > > >
> > > > this is the official release announcement for the first beta release of the new Guardian 2.0 approach.
> > > >
> > > > - What are the differences to the current version of guardian (legacy) and the first approach of guardian 2.0?
> > > >
> > > > The most important difference is that the new version of Guardian 2.0 has been completely re-written from scratch and released under the terms of the GPLv3. The legacy version of guardian is not maintained anymore by its developer and the software has been released without any license details at all.
> > > >
> > > > Guardian 2.0 has a very modular code base and has been designed as a multi-threaded application. This allows a parallel parsing of all monitored logfiles and faster actions if one of the used modules detects an attack.
> > > >
> > > > A very important difference to the legacy version is the support of configuring and managing the entire service through the IPFire webinterface. The entire configuration, managing of currently blocked hosts, unblocking them or editing the ignored hosts list can now be done in a graphical way.
> > > >
> > > > The legacy version of guardian only supported parsing snort alerts. HTTPD and SSH support has been patched by the IPFire development team some time ago. Guardian 2.0 supports all of them out of the box and includes a filter to detect owncloud login brute-force attempts. As a benefit of the new modular design, additional filters can easily be added.
> > > >
> > > > Guardian 2.0 is able to reload its configuration, reload the ignore list during runtime and handle it if the logfiles get rotated by logrotate. These actions can be called by using the webinterface or from the command line interface by using "guardianctrl".
> > > >
> > > > These are just a handful of the changes and benefits which come with Guardian 2.0; a complete list would be too long for this mailing list.
> > > >
> > > > - How to join testing?
> > > >
> > > > To get part of the testing team, simply navigate to http://people.ipfire.org/~stevee/guardian-2.0/ and download the latest tarball (currently 002). Please take care to download the correct one, based on your used architecture. The i585 packages are for 32Bit installations of IPFire, the x86_64 packages only can be used on 64Bit installations.
> > > >
> > > > Put the downloaded file on your IPFire test system and extract the package by using "tar -xvf guardian-2.0-002..tar.gz -C /".
> > > >
> > > > The final installation step would be to regenerate the language cache by executing "update-lang-cache" on the console.
> > > >
> > > > From now on you can find a new menu item called "Guardian" in your "Service" menu after you have logged in to your IPFire's webinterface.
> > > >
> > > > Documentation can be found on the IPFire wiki: http://wiki.ipfire.org/en/addons/guardian/start#the_guardian_20_addon
> > > >
> > > > - Where to post bug reports or provide feedback?
> > > >
> > > > If you find any bugs, please report them as usual on the IPFire bugtracker, which can be found at https://bugzilla.ipfire.org.
> > > >
> > > > To provide feedback or to join a discussion, please send your mails to "development(a)lists.ipfire.org" (Please register first at http://lists.ipfire.org if not yet done).
> > > >
> > > > The source code can be found at http://git.ipfire.org/?p=people/stevee/guardian.git;a=summary
> > > >
> > > > Happy testing,
> > > >
> > > > -Stefan
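As an added example (not code from this thread or from IPFire), the two log.dat section patterns suggested in point 2 applied to a few constructed syslog lines: it shows how a line is assigned to the 'snort' or 'guardian' section and how the captured "program[pid]: " prefix is cut off before display. The syslog line layout and the guardian message texts are assumptions.

```python
import re

# Section patterns exactly as proposed for log.dat in the thread; each one
# captures the "program[pid]: " prefix at the start of the syslog message body.
SECTIONS = {
    "snort": re.compile(r"(snort\[.*\]: )"),
    "guardian": re.compile(r"(guardian\[.*\]: )"),
}

# Assumed /var/log/messages layout: "Mon DD HH:MM:SS host body"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)

# Constructed sample lines; the guardian message wording is invented for the test.
SAMPLE_LOG = """\
Jul 19 03:58:31 ipfire snort[2211]: [1:1000001:1] constructed test alert
Jul 19 03:58:32 ipfire guardian[2345]: Blocking 192.0.2.10 (snort)
Jul 19 03:58:33 ipfire kernel: DROP_INPUT IN=red0
Jul 19 03:58:34 ipfire guardian[2345]: Unblocking 192.0.2.10
"""


def section_for(body):
    """Return the section whose pattern matches this message body, or None."""
    for name, pattern in SECTIONS.items():
        if pattern.search(body):
            return name
    return None


def split_by_section(lines):
    """Group syslog lines by section as (timestamp, message) pairs, dropping
    the matched "program[pid]: " prefix so only the message text remains."""
    grouped = {name: [] for name in SECTIONS}
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # not a syslog line we understand
        body = m.group("body")
        name = section_for(body)
        if name is None:
            continue  # belongs to no configured section (e.g. kernel)
        prefix_end = SECTIONS[name].search(body).end()
        grouped[name].append((m.group("ts"), body[prefix_end:]))
    return grouped
```

Note that `\[.*\]` is greedy, so a message that itself contains "]: " would extend the captured prefix; a stricter `\[\d+\]` avoids that if it matters.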