Re: Betatest Guardian 2.0

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 8225 bytes --]

Hi,

On 19.07.2016 19:26, Stefan Schantl wrote:
> Hello Matthias,
> 
> also a big thanks for joining the testing team and sharing your
> experience with us.

No problem... ;-)

>>... 
>> 1. One bug(?).
>> On the first start after installation, I got a blank screen from
>> 'guardian.cgi'.
>> ...
> I recently installed the guardian-2.0-002.x86_64 tarball on a fresh
> test installation and everything worked as expected. If you previously
> installed the broken 002 tarball, there might be some permission issues
> left - especially the "/var/ipfire/guardian/" folder requires
> nobody:nobody as ownership.

Ok, you got me. It was root:root. Don't know why. *sigh* ;-)

>> 
>> ###########################################################
>> 
>> 2. Using 'syslog' as 'Log facility' I added some lines in
>> 'srv/web/ipfire/cgi-bin/logs.cgi/log.dat' (you mentioned this
>> below!?):
>> 
>> ...
>> my %sections = (
>> ...
>>         'snort' => '(snort\[.*\]: )',
>>         'guardian' => '(guardian\[.*\]: )'
>> ...
>> my %trsections = (
>> ...
>>         'snort' => "$Lang::tr{'intrusion detection'}",
>>         'guardian' => 'Guardian'
>> ...
> 
> This would be one of my next goals, if you have already a working
> patch, please send it the usual way to this list.

Work in progress.

>> ###########################################################
>> 
>> 3. Would it be possible to extrude the guardian-lang-strings from
>> 'de.pl' and 'en.pl' and add these to
>> '/var/ipfire/addon-lang/guardian.de.pl' and 'guardian.en.pl'
>> respectively?
>> 
> 
> Do you have any special reason why this should be done?

In my opinion, its much more simple - to handle and to maintain for both
users and developers.
Once in a while it happens that various (addon-)menu-entries are
suddenly missing or can't be read anymore because specific 'de.pl' or
'en.pl' lines are missing. E.G.: Core update with changed 'de/en.pl'.
In most of the cases I found in the forum that the specific addon had to
be uninstalled and installed again, leading to new trouble because it
came with an older lang-version. And so on...
If we would use the addon-lang directory like its meant to be, then
those problems would never arise.
One just has to bundle the needed addon-lang-strings in a matching
[addon_name].[language].pl-file and put it in '/var/log/addon-lang'.
Thats all - Jm2C!

Best,
Matthias

>> If you need these, they're attached. I searched with...
>> 
>> cat guardian.cgi| grep "Lang::tr{'guardian"
>> 
>> ...and extracted all found lang-strings in two seperate lang-files
>> (de/en). I hope they're complete, testing seemed to be ok.
>> 
>> Sad to say, the translation files are rather incomplete, but thats
>> beyond my skills, sorry...
>> 
>> Best,
>> Matthias
> 
> Best regards,
> 
> -Stefan
>> 
>> On 19.07.2016 11:24, Stefan Schantl wrote:
>> > 
>> > Hello Mark,
>> > thanks for testing and your feedback.
>> > The details why a host has been blocked or the time, can be grabbed
>> > from the guardian logfile if configured or in the default settings
>> > from
>> > syslog (/var/log/messages). I'll very soon the support in the
>> > IPFire
>> > Webinterface to get the guardian related messages from the syslog
>> > on
>> > the corresponding CGI.
>> > Best regards,
>> > -Stefan
>> > > 
>> > > Everything seems to work well here Stefan. Is it possible to put
>> > > the
>> > > reason for the host being blocked in the UI. It would be very
>> > > nice to
>> > > know which ones, for instance, were custom-blocked. The snort log
>> > > would give a reason why they were flagged. It would also be nice
>> > > to
>> > > know when the block was applied.
>> > > I know you probably don't want to get the interface too crowded
>> > > but
>> > > those are just things I was thinking of.
>> > > 
>> > > Thanks for this.
>> > > 
>> > > On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl 
>> > > re.org> wrote:
>> > > > 
>> > > > Hello mailing list followers,
>> > > > 
>> > > > this is the official release announcement for the first beta
>> > > > release of
>> > > > the new Guardian 2.0 approach.
>> > > > 
>> > > > 
>> > > > - What are the differences to the current version of guardian
>> > > > (legacy)
>> > > > and the first approach of guardian 2.0?
>> > > > 
>> > > > The most important difference is, that the new version of
>> > > > Guardian
>> > > > 2.0
>> > > > completely has been re-written from scratch and released under
>> > > > the
>> > > > terms of the GPLv3. The legacy version of guardian is not
>> > > > maintained
>> > > > anymore by it's developer and the software has been released
>> > > > without
>> > > > any license details at all.
>> > > > 
>> > > > Guardian 2.0 has a very modular code base and has been designed
>> > > > as
>> > > > a
>> > > > multi-threaded application. This allows a parallel parsing of
>> > > > all
>> > > > monitored logfiles and faster actions, if one of the used
>> > > > modules
>> > > > detects an attack.
>> > > > 
>> > > > A very important difference to the legacy version is the
>> > > > support of
>> > > > configuring and managing the entire service through the IPFire
>> > > > webinterface. The entire configuration, managing of current
>> > > > blocked
>> > > > hosts, unblocking them or editing the ignored hosts list now
>> > > > can be
>> > > > done in a graphical way. 
>> > > > 
>> > > > The legacy version of guardian only supported parsing snort
>> > > > alerts.
>> > > > HTTPD and SSH support has been patched by the IPFire
>> > > > development
>> > > > team
>> > > > some time ago. Guardian 2.0 supports all of them out of the box
>> > > > and
>> > > > includes a filter to detect owncloud login brute-force
>> > > > attempts. As
>> > > > a
>> > > > benefit of the new modular design, additional filters easily
>> > > > can be
>> > > > added.
>> > > > 
>> > > > Guardian 2.0 is able to reload it's configuration, reloading
>> > > > the ignore list during runtime and handle, if the logfiles will
>> > > > get
>> > > > rotated by logrotate. This actions can be called by using the
>> > > > webinterface or from the command line interface by using
>> > > > "guardianctrl".
>> > > > 
>> > > > These are just a handful of the changes and benefits which
>> > > > comes
>> > > > with
>> > > > Guardian 2.0, a complete list would be to long for this mailing
>> > > > list.
>> > > > 
>> > > > 
>> > > > - How to join testing?
>> > > > 
>> > > > To get part of the testing team, simple navigate to http://peop
>> > > > le.i
>> > > > pfir
>> > > > e.org/~stevee/guardian-2.0/ and download the latest tarball
>> > > > (currently
>> > > > 002). Please take care to download the correct one, based on
>> > > > your
>> > > > used
>> > > > architecture. The i585 packages are for 32Bit installations of
>> > > > IPFire,
>> > > > the x86_64 packages only can be used on 64Bit installations.
>> > > > 
>> > > > Put the downloaded file on your IPFire test system and extract
>> > > > the
>> > > > package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C
>> > > > /".
>> > > > 
>> > > > The final installation step would be to regenerate the language
>> > > > cache
>> > > > by executing "update-lang-cache" on the console.
>> > > > 
>> > > > From now you can find a new menu item called "Guardian" in your
>> > > > "Service" menu after you have logged-in into your IPFire's
>> > > > webinterface.
>> > > > 
>> > > > Documentation can be found on the IPFire wiki: http://wiki.ipfi
>> > > > re.o
>> > > > rg/e
>> > > > n/addons/guardian/start#the_guardian_20_addon
>> > > > 
>> > > > 
>> > > > - Where to post bugs reports or provide feedback?
>> > > > 
>> > > > If you find any bugs, please report them as usual on the IPFire
>> > > > bugtracker, which can be found at https://bugzilla.ipfire.org.
>> > > > 
>> > > > To provide feedback or to join a discussion, please send your
>> > > > mails
>> > > > to
>> > > > "development(a)lists.ipfire.org" (Please register first at http:/
>> > > > /lis
>> > > > ts.i
>> > > > pfire.org if not yet done).
>> > > > 
>> > > > The source code can be found at http://git.ipfire.org/?p=people
>> > > > /ste
>> > > > vee/
>> > > > guardian.git;a=summary
>> > > > 
>> > > > 
>> > > > Happy testing,
>> > > > 
>> > > > -Stefan
>> > > > 
>> > > > 
>> > > 
>