Re: Betatest Guardian 2.0

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 6611 bytes --]

Hi,

thanks Stefan - great work, it seems to work now. I'd still have a few
suggestions.

###########################################################

1. One bug(?).
On the first start after installation, I got a blank screen from
'guardian.cgi'.

'/var/log/httpd/error_log' says:

...
[Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] cannot touch
'/var/ipfire/guardian/ignored': Permission denied, referer:
https://192.168.100.254:444/cgi-bin/ids.cgi
[Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] Unable to
read file /var/ipfire/guardian/ignored at
/var/ipfire/general-functions.pl line 778., referer:
https://192.168.100.254:444/cgi-bin/ids.cgi
...

After I 'touched' this file manually, and 'chown'ing the correct rights,
everything went ok. But the first initialization through 'guardian.cgi'
failed for some reasons:

Line 79:
...
unless (-e "$ignoredfile") { system("touch $ignoredfile"); }).
...

###########################################################

2. Using 'syslog' as 'Log facility' I added some lines in
'srv/web/ipfire/cgi-bin/logs.cgi/log.dat' (you mentioned this below!?):

...
my %sections = (
...
        'snort' => '(snort\[.*\]: )',
        'guardian' => '(guardian\[.*\]: )'
...
my %trsections = (
...
        'snort' => "$Lang::tr{'intrusion detection'}",
        'guardian' => 'Guardian'
...

###########################################################

3. Would it be possible to extrude the guardian-lang-strings from
'de.pl' and 'en.pl' and add these to
'/var/ipfire/addon-lang/guardian.de.pl' and 'guardian.en.pl' respectively?

If you need these, they're attached. I searched with...

cat guardian.cgi| grep "Lang::tr{'guardian"

...and extracted all found lang-strings in two seperate lang-files
(de/en). I hope they're complete, testing seemed to be ok.

Sad to say, the translation files are rather incomplete, but thats
beyond my skills, sorry...

Best,
Matthias

On 19.07.2016 11:24, Stefan Schantl wrote:
> Hello Mark,
> thanks for testing and your feedback.
> The details why a host has been blocked or the time, can be grabbed
> from the guardian logfile if configured or in the default settings from
> syslog (/var/log/messages). I'll very soon the support in the IPFire
> Webinterface to get the guardian related messages from the syslog on
> the corresponding CGI.
> Best regards,
> -Stefan
>> Everything seems to work well here Stefan. Is it possible to put the
>> reason for the host being blocked in the UI. It would be very nice to
>> know which ones, for instance, were custom-blocked. The snort log
>> would give a reason why they were flagged. It would also be nice to
>> know when the block was applied.
>> I know you probably don't want to get the interface too crowded but
>> those are just things I was thinking of.
>> 
>> Thanks for this.
>> 
>> On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl 
>> re.org> wrote:
>> > Hello mailing list followers,
>> > 
>> > this is the official release announcement for the first beta
>> > release of
>> > the new Guardian 2.0 approach.
>> > 
>> > 
>> > - What are the differences to the current version of guardian
>> > (legacy)
>> > and the first approach of guardian 2.0?
>> > 
>> > The most important difference is, that the new version of Guardian
>> > 2.0
>> > completely has been re-written from scratch and released under the
>> > terms of the GPLv3. The legacy version of guardian is not
>> > maintained
>> > anymore by it's developer and the software has been released
>> > without
>> > any license details at all.
>> > 
>> > Guardian 2.0 has a very modular code base and has been designed as
>> > a
>> > multi-threaded application. This allows a parallel parsing of all
>> > monitored logfiles and faster actions, if one of the used modules
>> > detects an attack.
>> > 
>> > A very important difference to the legacy version is the support of
>> > configuring and managing the entire service through the IPFire
>> > webinterface. The entire configuration, managing of current blocked
>> > hosts, unblocking them or editing the ignored hosts list now can be
>> > done in a graphical way. 
>> > 
>> > The legacy version of guardian only supported parsing snort alerts.
>> > HTTPD and SSH support has been patched by the IPFire development
>> > team
>> > some time ago. Guardian 2.0 supports all of them out of the box and
>> > includes a filter to detect owncloud login brute-force attempts. As
>> > a
>> > benefit of the new modular design, additional filters easily can be
>> > added.
>> > 
>> > Guardian 2.0 is able to reload it's configuration, reloading
>> > the ignore list during runtime and handle, if the logfiles will get
>> > rotated by logrotate. This actions can be called by using the
>> > webinterface or from the command line interface by using
>> > "guardianctrl".
>> > 
>> > These are just a handful of the changes and benefits which comes
>> > with
>> > Guardian 2.0, a complete list would be to long for this mailing
>> > list.
>> > 
>> > 
>> > - How to join testing?
>> > 
>> > To get part of the testing team, simple navigate to http://people.i
>> > pfir
>> > e.org/~stevee/guardian-2.0/ and download the latest tarball
>> > (currently
>> > 002). Please take care to download the correct one, based on your
>> > used
>> > architecture. The i585 packages are for 32Bit installations of
>> > IPFire,
>> > the x86_64 packages only can be used on 64Bit installations.
>> > 
>> > Put the downloaded file on your IPFire test system and extract the
>> > package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C /".
>> > 
>> > The final installation step would be to regenerate the language
>> > cache
>> > by executing "update-lang-cache" on the console.
>> > 
>> > From now you can find a new menu item called "Guardian" in your
>> > "Service" menu after you have logged-in into your IPFire's
>> > webinterface.
>> > 
>> > Documentation can be found on the IPFire wiki: http://wiki.ipfire.o
>> > rg/e
>> > n/addons/guardian/start#the_guardian_20_addon
>> > 
>> > 
>> > - Where to post bugs reports or provide feedback?
>> > 
>> > If you find any bugs, please report them as usual on the IPFire
>> > bugtracker, which can be found at https://bugzilla.ipfire.org.
>> > 
>> > To provide feedback or to join a discussion, please send your mails
>> > to
>> > "development(a)lists.ipfire.org" (Please register first at http://lis
>> > ts.i
>> > pfire.org if not yet done).
>> > 
>> > The source code can be found at http://git.ipfire.org/?p=people/ste
>> > vee/
>> > guardian.git;a=summary
>> > 
>> > 
>> > Happy testing,
>> > 
>> > -Stefan
>> > 
>> > 
>> 
>> 
> 






[-- Attachment #2: guardian.de.pl --]
[-- Type: text/plain, Size: 1561 bytes --]

%tr = ( 
%tr,

'guardian' => 'Guardian',
'guardian block a host' => 'Host blocken',
'guardian block httpd brute-force' => 'HTTPD Brute-Force Erkennung',
'guardian block owncloud brute-force' => 'Owncloud Brute-Force Erkennung',
'guardian block ssh brute-force' => 'SSH Brute-Force Erkennung',
'guardian blocked hosts' => 'Aktuell geblockte Hosts',
'guardian blockcount' => 'Blockzähler',
'guardian blocktime' => 'Blockzeit',
'guardian common settings' => 'Allgemeine Einstellungen',
'guardian configuration' => 'Guardian Konfiguration',
'guardian daemon' => 'Daemon',
'guardian enabled' => 'Guardian aktivieren',
'guardian empty input' => 'Fehlende Eingabe: Bitte geben Sie einen gültigen Host oder ein gültiges Netzwerk an.',
'guardian firewallaction' => 'Firewall-Aktion',
'guardian invalid address or subnet' => 'Ungültige Addresse oder Netzwerk.',
'guardian invalid blockcount' => 'Ungültige Anzahl: Bitte verwenden Sie eine natürliche Zahl größer als Null.',
'guardian invalid blocktime' => 'Ungültige Blockzeit: Bitte verwenden Sie eine natürliche Zahl größer als Null.',
'guardian invalid logfile' => 'Der angegebene Pfad zum "Ignore file" ist ungültig.',
'guardian ignored hosts' => 'Ignorierte Hosts',
'guardian logfacility' => 'Logziel',
'guardian logfile' => 'Logfile',
'guardian loglevel' => 'Loglevel',
'guardian no entries' => 'Aktuell sind keine Einträge vorhanden.',
'guardian priority level' => 'Prioritätslevel',
'guardian service' => 'Guardian Service',
'guardian watch snort alertfile' => 'Monitor Snort alertfile',

);

#EOF

[-- Attachment #3: guardian.en.pl --]
[-- Type: text/plain, Size: 1468 bytes --]

%tr = ( 
%tr,

'guardian' => 'Guardian',
'guardian block a host' => 'Block Host',
'guardian block httpd brute-force' => 'HTTPD Brute-force detection',
'guardian block owncloud brute-force' => 'Owncloud Brute-force detection',
'guardian block ssh brute-force' => 'SSH Brute-force detection',
'guardian blocked hosts' => 'Currently blocked hosts',
'guardian blockcount' => 'Blockcount',
'guardian blocktime' => 'Blocktime',
'guardian common settings' => 'Common settings',
'guardian configuration' => 'Guardian Configuration',
'guardian daemon' => 'Daemon',
'guardian enabled' => 'Enable guardian',
'guardian empty input' => 'Empty input: Please enter a valid host address or subnet.',
'guardian firewallaction' => 'Firewall action',
'guardian invalid address or subnet' => 'Invalid host address or subnet.',
'guardian invalid blockcount' => 'Invalid BlockCount: Please provide a natural number higher than zero.',
'guardian invalid blocktime' => 'Invalid BlockTime: Please provide a natural number higher than zero.',
'guardian invalid logfile' => 'The provided path for the logfile is not valid.',
'guardian ignored hosts' => 'Ignored Hosts',
'guardian logfacility' => 'Log facility',
'guardian logfile' => 'Logfile',
'guardian loglevel' => 'Loglevel',
'guardian no entries' => 'No entries at the moment.',
'guardian priority level' => 'Prioritylevel',
'guardian service' => 'Guardian Service',
'guardian watch snort alertfile' => 'Monitor Snort alertfile',

);

#EOF