From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Betatest Guardian 2.0
Date: Tue, 19 Jul 2016 20:01:45 +0200
Message-ID: <635f285b-f91a-c1e0-d03f-a92e1e0e99f7@ipfire.org>
In-Reply-To: <1468949213.6060.6.camel@ipfire.org>

Hi,

On 19.07.2016 19:26, Stefan Schantl wrote:
> Hello Matthias,
>
> also a big thanks for joining the testing team and sharing your
> experience with us.

No problem... ;-)

>> ...
>> 1. One bug(?).
>> On the first start after installation, I got a blank screen from
>> 'guardian.cgi'.
>> ...
>
> I recently installed the guardian-2.0-002.x86_64 tarball on a fresh
> test installation and everything worked as expected. If you previously
> installed the broken 002 tarball, there might be some permission issues
> left - especially the "/var/ipfire/guardian/" folder requires
> nobody:nobody as ownership.

Ok, you got me. It was root:root. Don't know why. *sigh* ;-)

>>
>> ###########################################################
>>
>> 2. Using 'syslog' as 'Log facility' I added some lines in
>> 'srv/web/ipfire/cgi-bin/logs.cgi/log.dat' (you mentioned this
>> below!?):
>>
>> ...
>> my %sections = (
>> ...
>>     'snort' => '(snort\[.*\]: )',
>>     'guardian' => '(guardian\[.*\]: )'
>> ...
>> my %trsections = (
>> ...
>>     'snort' => "$Lang::tr{'intrusion detection'}",
>>     'guardian' => 'Guardian'
>> ...
>
> This would be one of my next goals; if you already have a working
> patch, please send it the usual way to this list.

Work in progress.

>> ###########################################################
>>
>> 3. Would it be possible to extrude the guardian-lang-strings from
>> 'de.pl' and 'en.pl' and add these to
>> '/var/ipfire/addon-lang/guardian.de.pl' and 'guardian.en.pl'
>> respectively?
>>
>
> Do you have any special reason why this should be done?

In my opinion, it's much simpler - to handle and to maintain for both
users and developers.

Once in a while it happens that various (addon-)menu-entries are
suddenly missing or can't be read anymore because specific 'de.pl' or
'en.pl' lines are missing. E.g.: core update with changed 'de/en.pl'.
In most of the cases I found in the forum, the specific addon had to be
uninstalled and installed again, leading to new trouble because it came
with an older lang-version. And so on...

If we used the addon-lang directory like it's meant to be used, those
problems would never arise. One just has to bundle the needed
addon-lang-strings in a matching [addon_name].[language].pl file and
put it in '/var/log/addon-lang'. That's all - Jm2C!

Best,
Matthias

>> If you need these, they're attached. I searched with...
>>
>> cat guardian.cgi | grep "Lang::tr{'guardian"
>>
>> ...and extracted all found lang-strings into two separate lang-files
>> (de/en). I hope they're complete, testing seemed to be ok.
>>
>> Sad to say, the translation files are rather incomplete, but that's
>> beyond my skills, sorry...
>>
>> Best,
>> Matthias
>
> Best regards,
>
> -Stefan
>>
>> On 19.07.2016 11:24, Stefan Schantl wrote:
>> >
>> > Hello Mark,
>> > thanks for testing and your feedback.
>> > The details why a host has been blocked, or the time, can be grabbed
>> > from the guardian logfile if configured, or in the default settings
>> > from syslog (/var/log/messages). I'll very soon add the support in
>> > the IPFire webinterface to get the guardian related messages from
>> > the syslog on the corresponding CGI.
>> > Best regards,
>> > -Stefan
>> > >
>> > > Everything seems to work well here Stefan. Is it possible to put
>> > > the reason for the host being blocked in the UI? It would be very
>> > > nice to know which ones, for instance, were custom-blocked. The
>> > > snort log would give a reason why they were flagged. It would also
>> > > be nice to know when the block was applied.
>> > > I know you probably don't want to get the interface too crowded
>> > > but those are just things I was thinking of.
>> > >
>> > > Thanks for this.
>> > >
>> > > On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl
>> > > re.org> wrote:
>> > > >
>> > > > Hello mailing list followers,
>> > > >
>> > > > this is the official release announcement for the first beta
>> > > > release of the new Guardian 2.0 approach.
>> > > >
>> > > >
>> > > > - What are the differences to the current version of guardian
>> > > > (legacy) and the first approach of guardian 2.0?
>> > > >
>> > > > The most important difference is that the new version of
>> > > > Guardian 2.0 has been completely re-written from scratch and
>> > > > released under the terms of the GPLv3. The legacy version of
>> > > > guardian is not maintained anymore by its developer and the
>> > > > software has been released without any license details at all.
>> > > >
>> > > > Guardian 2.0 has a very modular code base and has been designed
>> > > > as a multi-threaded application. This allows parallel parsing of
>> > > > all monitored logfiles and faster actions if one of the used
>> > > > modules detects an attack.
>> > > >
>> > > > A very important difference to the legacy version is the
>> > > > support for configuring and managing the entire service through
>> > > > the IPFire webinterface. The entire configuration, managing the
>> > > > currently blocked hosts, unblocking them or editing the ignored
>> > > > hosts list can now be done in a graphical way.
>> > > >
>> > > > The legacy version of guardian only supported parsing snort
>> > > > alerts. HTTPD and SSH support has been patched by the IPFire
>> > > > development team some time ago. Guardian 2.0 supports all of
>> > > > them out of the box and includes a filter to detect owncloud
>> > > > login brute-force attempts. As a benefit of the new modular
>> > > > design, additional filters can easily be added.
>> > > >
>> > > > Guardian 2.0 is able to reload its configuration, reload the
>> > > > ignore list during runtime and handle the logfiles getting
>> > > > rotated by logrotate. These actions can be called by using the
>> > > > webinterface or from the command line interface by using
>> > > > "guardianctrl".
>> > > >
>> > > > These are just a handful of the changes and benefits which come
>> > > > with Guardian 2.0; a complete list would be too long for this
>> > > > mailing list.
>> > > >
>> > > >
>> > > > - How to join testing?
>> > > >
>> > > > To become part of the testing team, simply navigate to
>> > > > http://people.ipfire.org/~stevee/guardian-2.0/ and download the
>> > > > latest tarball (currently 002). Please take care to download the
>> > > > correct one, based on your used architecture. The i585 packages
>> > > > are for 32Bit installations of IPFire, the x86_64 packages can
>> > > > only be used on 64Bit installations.
>> > > >
>> > > > Put the downloaded file on your IPFire test system and extract
>> > > > the package by using "tar -xvf guardian-2.0-002..tar.gz -C /".
>> > > >
>> > > > The final installation step would be to regenerate the language
>> > > > cache by executing "update-lang-cache" on the console.
>> > > >
>> > > > From now on you can find a new menu item called "Guardian" in
>> > > > your "Service" menu after you have logged in to your IPFire's
>> > > > webinterface.
>> > > >
>> > > > Documentation can be found on the IPFire wiki:
>> > > > http://wiki.ipfire.org/en/addons/guardian/start#the_guardian_20_addon
>> > > >
>> > > >
>> > > > - Where to post bug reports or provide feedback?
>> > > >
>> > > > If you find any bugs, please report them as usual on the IPFire
>> > > > bugtracker, which can be found at https://bugzilla.ipfire.org.
>> > > >
>> > > > To provide feedback or to join a discussion, please send your
>> > > > mails to "development(a)lists.ipfire.org" (Please register first
>> > > > at http://lists.ipfire.org if not yet done).
>> > > >
>> > > > The source code can be found at
>> > > > http://git.ipfire.org/?p=people/stevee/guardian.git;a=summary
>> > > >
>> > > >
>> > > > Happy testing,
>> > > >
>> > > > -Stefan
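As an added example (not code from the post above and not IPFire's logs.cgi), here is the per-section syslog filter that point 2 of the thread sketches, run in Perl over constructed log lines. The two `%sections` entries are the ones Matthias quoted; `filter_section`, the `%sections_pid` variant and the sample lines are this example's own and are not real Guardian or snort output.

```perl
#!/usr/bin/perl
# Added example, not part of IPFire or Guardian. Demonstrates the
# per-section regex filter quoted in the thread over constructed syslog
# lines. Helper names (filter_section, %sections_pid) are this example's own.
use strict;
use warnings;

# The two entries quoted from logs.cgi/log.dat: section name => pattern
# for the "program[pid]: " field of a syslog line.
my %sections = (
    'snort'    => '(snort\[.*\]: )',
    'guardian' => '(guardian\[.*\]: )',
);

# Same idea with the pid anchored to digits (assumed improvement, see below).
my %sections_pid = (
    'snort'    => '(snort\[\d+\]: )',
    'guardian' => '(guardian\[\d+\]: )',
);

# Constructed sample /var/log/messages content (not real output).
my @log_lines = (
    'Jul 19 19:26:01 ipfire snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root {TCP} 203.0.113.5:80 -> 192.0.2.10:41000',
    'Jul 19 19:26:02 ipfire guardian[2345]: Blocking 203.0.113.5 for 3600 seconds (snort)',
    'Jul 19 19:26:05 ipfire sshd[3456]: Failed password for root from 198.51.100.7 port 51000 ssh2',
    'Jul 19 19:26:07 ipfire guardian[2345]: Blocking 198.51.100.7 for 3600 seconds (ssh)',
    'Jul 19 19:26:09 ipfire guardian[2345]: Ignoring 192.0.2.1 [whitelist]: matched ignore list',
);

# Return the lines whose program field matches $section's pattern in
# %$sections, reduced to "timestamp message" (host and "program[pid]: "
# dropped), which is what a per-section log page would display.
sub filter_section {
    my ($sections, $section, @lines) = @_;
    my $re = $sections->{$section} or die "unknown section '$section'\n";
    my @out;
    for my $line (@lines) {
        # Syslog line: "Mon DD HH:MM:SS host program[pid]: message"
        # $1 = timestamp, $2 = the section pattern's own group, $3 = message
        next unless $line =~ /^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ $re(.*)$/;
        push @out, "$1 $3";
    }
    return @out;
}

for my $variant ([ 'quoted pattern', \%sections ], [ 'pid-anchored pattern', \%sections_pid ]) {
    my ($label, $table) = @$variant;
    print "-- guardian ($label) --\n";
    print "$_\n" for filter_section($table, 'guardian', @log_lines);
}
```

With the quoted `guardian\[.*\]: ` the greedy `.*` runs to the last "]: " on the line, so the fifth sample line comes out as "matched ignore list", the "Ignoring 192.0.2.1 [whitelist]:" part having been swallowed into the discarded prefix; with the pid anchored to `\d+` the full message survives. Whether real Guardian messages ever contain "]: " is not something the thread states; the anchored form is simply the pattern that cannot be thrown off by message content.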
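As a second added example (again not from the post and not IPFire's own tooling), the lang-string extraction that point 3 of the thread does with grep, written in Perl so that the keys are de-duplicated and the addon-lang file is generated with the translations looked up and the untranslated ones reported. The CGI fragment and the `%tr` table are constructed sample input; the `%tr = ( ... );` layout of the generated file is an assumption about IPFire's lang file format, and `collect_keys` and `build_addon_lang` are this example's own names.

```perl
#!/usr/bin/perl
# Added example, not part of Guardian or IPFire: collect the language keys
# a CGI uses and emit an addon-lang file for them. The CGI fragment and the
# %tr hash below are constructed sample input; the '%tr = ( ... );' file
# layout is assumed to match IPFire's lang files.
use strict;
use warnings;

# Constructed stand-in for guardian.cgi (normally read from the file).
my $cgi_source = <<'CGI';
print "<b>$Lang::tr{'guardian'}</b>";
print $Lang::tr{'guardian blocked hosts'};
print "$Lang::tr{'guardian blocked hosts'} $Lang::tr{'age'}";
&Header::openbox('100%', 'left', $Lang::tr{'guardian ignored hosts'});
CGI

# Constructed stand-in for the main en.pl translation table.
my %tr = (
    'age'                    => 'Age',
    'guardian'               => 'Guardian',
    'guardian blocked hosts' => 'Blocked hosts',
    # 'guardian ignored hosts' deliberately missing -> reported as untranslated
);

# Return the sorted, de-duplicated $Lang::tr{'...'} keys in $source that
# start with $prefix (what the quoted grep finds, minus the duplicates).
sub collect_keys {
    my ($source, $prefix) = @_;
    my %seen;
    while ($source =~ /\$Lang::tr\{'([^']*)'\}/g) {
        my $key = $1;
        $seen{$key} = 1 if index($key, $prefix) == 0;
    }
    return sort keys %seen;
}

# Build the text of an addon-lang file for @keys. Keys without a
# translation are emitted with an empty value and returned in @missing, so
# the gaps the thread mentions are visible instead of silently dropped.
sub build_addon_lang {
    my ($translations, @keys) = @_;
    my @missing;
    my $out = "%tr = (\n";
    for my $key (@keys) {
        my $value = $translations->{$key};
        push @missing, $key unless defined $value;
        $value = '' unless defined $value;
        $value =~ s/'/\\'/g;    # keep the generated Perl valid
        $out .= sprintf("    '%s' => '%s',\n", $key, $value);
    }
    $out .= ");\n";
    return ($out, \@missing);
}

# Usage: perl this_script.pl > guardian.en.pl   (missing keys go to stderr)
my @keys = collect_keys($cgi_source, 'guardian');
my ($file, $missing) = build_addon_lang(\%tr, @keys);
print $file;
print STDERR "untranslated: $_\n" for @$missing;
```

Run against the real guardian.cgi and en.pl/de.pl the same two functions produce the guardian.en.pl and guardian.de.pl files the thread asks for, and the stderr list is the set of strings that still need a translator.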