From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Betatest Guardian 2.0
Date: Tue, 19 Jul 2016 14:54:25 +0200
Message-ID: <7c9a4a64-4103-7cb8-1138-88c9056f3966@ipfire.org>
In-Reply-To: <1468920284.13947.5.camel@ipfire.org>

Hi,

thanks Stefan - great work, it seems to work now. I'd still have a few suggestions.

###########################################################

1. One bug(?).

On the first start after installation, I got a blank screen from 'guardian.cgi'. '/var/log/httpd/error_log' says:

...
[Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] cannot touch '/var/ipfire/guardian/ignored': Permission denied, referer: https://192.168.100.254:444/cgi-bin/ids.cgi
[Tue Jul 19 03:58:31 2016] [error] [client 192.XXX.YYY.ZZZ] Unable to read file /var/ipfire/guardian/ignored at /var/ipfire/general-functions.pl line 778., referer: https://192.168.100.254:444/cgi-bin/ids.cgi
...

After I 'touched' this file manually and 'chown'ed it to the correct rights, everything went ok. But the first initialization through 'guardian.cgi' failed for some reason:

Line 79:
...
unless (-e "$ignoredfile") { system("touch $ignoredfile"); }
...

###########################################################

2. Using 'syslog' as 'Log facility'

I added some lines in 'srv/web/ipfire/cgi-bin/logs.cgi/log.dat' (you mentioned this below!?):

...
my %sections = (
...
'snort' => '(snort\[.*\]: )',
'guardian' => '(guardian\[.*\]: )'
...

my %trsections = (
...
'snort' => "$Lang::tr{'intrusion detection'}",
'guardian' => 'Guardian'
...

###########################################################

3.
Would it be possible to extract the guardian lang strings from 'de.pl' and 'en.pl' and add these to '/var/ipfire/addon-lang/guardian.de.pl' and 'guardian.en.pl' respectively? If you need these, they're attached. I searched with...

cat guardian.cgi | grep "Lang::tr{'guardian"

...and extracted all found lang strings into two separate lang files (de/en). I hope they're complete, testing seemed to be ok. Sad to say, the translation files are rather incomplete, but that's beyond my skills, sorry...

Best,
Matthias

On 19.07.2016 11:24, Stefan Schantl wrote:
> Hello Mark,
>
> thanks for testing and your feedback.
>
> The details why a host has been blocked, or the time, can be grabbed
> from the guardian logfile if configured, or in the default settings from
> syslog (/var/log/messages). I'll very soon add the support in the IPFire
> webinterface to get the guardian related messages from the syslog on
> the corresponding CGI.
>
> Best regards,
>
> -Stefan
>
>> Everything seems to work well here Stefan. Is it possible to put the
>> reason for the host being blocked in the UI? It would be very nice to
>> know which ones, for instance, were custom-blocked. The snort log
>> would give a reason why they were flagged. It would also be nice to
>> know when the block was applied.
>> I know you probably don't want to get the interface too crowded but
>> those are just things I was thinking of.
>>
>> Thanks for this.
>>
>> On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl wrote:
>> > Hello mailing list followers,
>> >
>> > this is the official release announcement for the first beta
>> > release of the new Guardian 2.0 approach.
>> >
>> >
>> > - What are the differences to the current version of guardian (legacy)
>> > and the first approach of guardian 2.0?
>> >
>> > The most important difference is that the new version of Guardian 2.0
>> > has been completely re-written from scratch and released under the
>> > terms of the GPLv3.
>> > The legacy version of guardian is not maintained anymore by its
>> > developer, and the software has been released without any license
>> > details at all.
>> >
>> > Guardian 2.0 has a very modular code base and has been designed as
>> > a multi-threaded application. This allows parallel parsing of all
>> > monitored logfiles and faster actions if one of the used modules
>> > detects an attack.
>> >
>> > A very important difference to the legacy version is the support for
>> > configuring and managing the entire service through the IPFire
>> > webinterface. The entire configuration, managing of currently blocked
>> > hosts, unblocking them or editing the ignored hosts list can now be
>> > done in a graphical way.
>> >
>> > The legacy version of guardian only supported parsing snort alerts.
>> > HTTPD and SSH support was patched in by the IPFire development team
>> > some time ago. Guardian 2.0 supports all of them out of the box and
>> > includes a filter to detect owncloud login brute-force attempts. As
>> > a benefit of the new modular design, additional filters can easily be
>> > added.
>> >
>> > Guardian 2.0 is able to reload its configuration, reload the ignore
>> > list during runtime and handle it when the logfiles get rotated by
>> > logrotate. These actions can be triggered by using the webinterface
>> > or from the command line interface by using "guardianctrl".
>> >
>> > These are just a handful of the changes and benefits which come with
>> > Guardian 2.0; a complete list would be too long for this mailing
>> > list.
>> >
>> >
>> > - How to join testing?
>> >
>> > To become part of the testing team, simply navigate to
>> > http://people.ipfire.org/~stevee/guardian-2.0/ and download the
>> > latest tarball (currently 002). Please take care to download the
>> > correct one, based on your used architecture.
>> > The i585 packages are for 32Bit installations of IPFire, the x86_64
>> > packages can only be used on 64Bit installations.
>> >
>> > Put the downloaded file on your IPFire test system and extract the
>> > package by using "tar -xvf guardian-2.0-002..tar.gz -C /".
>> >
>> > The final installation step would be to regenerate the language
>> > cache by executing "update-lang-cache" on the console.
>> >
>> > From now on you can find a new menu item called "Guardian" in your
>> > "Service" menu after you have logged in to your IPFire's
>> > webinterface.
>> >
>> > Documentation can be found on the IPFire wiki:
>> > http://wiki.ipfire.org/en/addons/guardian/start#the_guardian_20_addon
>> >
>> >
>> > - Where to post bug reports or provide feedback?
>> >
>> > If you find any bugs, please report them as usual on the IPFire
>> > bugtracker, which can be found at https://bugzilla.ipfire.org.
>> >
>> > To provide feedback or to join a discussion, please send your mails
>> > to "development@lists.ipfire.org" (Please register first at
>> > http://lists.ipfire.org if not yet done).
>> > The source code can be found at
>> > http://git.ipfire.org/?p=people/stevee/guardian.git;a=summary
>> >
>> >
>> > Happy testing,
>> >
>> > -Stefan

Attachment: guardian.de.pl

%tr = (
%tr,

'guardian' => 'Guardian',
'guardian block a host' => 'Host blocken',
'guardian block httpd brute-force' => 'HTTPD Brute-Force Erkennung',
'guardian block owncloud brute-force' => 'Owncloud Brute-Force Erkennung',
'guardian block ssh brute-force' => 'SSH Brute-Force Erkennung',
'guardian blocked hosts' => 'Aktuell geblockte Hosts',
'guardian blockcount' => 'Blockzähler',
'guardian blocktime' => 'Blockzeit',
'guardian common settings' => 'Allgemeine Einstellungen',
'guardian configuration' => 'Guardian Konfiguration',
'guardian daemon' => 'Daemon',
'guardian enabled' => 'Guardian aktivieren',
'guardian empty input' => 'Fehlende Eingabe: Bitte geben Sie einen gültigen Host oder ein gültiges Netzwerk an.',
'guardian firewallaction' => 'Firewall-Aktion',
'guardian invalid address or subnet' => 'Ungültige Addresse oder Netzwerk.',
'guardian invalid blockcount' => 'Ungültige Anzahl: Bitte verwenden Sie eine natürliche Zahl größer als Null.',
'guardian invalid blocktime' => 'Ungültige Blockzeit: Bitte verwenden Sie eine natürliche Zahl größer als Null.',
'guardian invalid logfile' => 'Der angegebene Pfad zum "Ignore file" ist ungültig.',
'guardian ignored hosts' => 'Ignorierte Hosts',
'guardian logfacility' => 'Logziel',
'guardian logfile' => 'Logfile',
'guardian loglevel' => 'Loglevel',
'guardian no entries' => 'Aktuell sind keine Einträge vorhanden.',
'guardian priority level' => 'Prioritätslevel',
'guardian service' => 'Guardian Service',
'guardian watch snort alertfile' => 'Monitor Snort alertfile',

);

#EOF

Attachment: guardian.en.pl

%tr = (
%tr,

'guardian' => 'Guardian',
'guardian block a host' => 'Block Host',
'guardian block httpd brute-force' => 'HTTPD Brute-force detection',
'guardian block owncloud brute-force' => 'Owncloud Brute-force detection',
'guardian block ssh brute-force' => 'SSH Brute-force detection',
'guardian blocked hosts' => 'Currently blocked hosts',
'guardian blockcount' => 'Blockcount',
'guardian blocktime' => 'Blocktime',
'guardian common settings' => 'Common settings',
'guardian configuration' => 'Guardian Configuration',
'guardian daemon' => 'Daemon',
'guardian enabled' => 'Enable guardian',
'guardian empty input' => 'Empty input: Please enter a valid host address or subnet.',
'guardian firewallaction' => 'Firewall action',
'guardian invalid address or subnet' => 'Invalid host address or subnet.',
'guardian invalid blockcount' => 'Invalid BlockCount: Please provide a natural number higher than zero.',
'guardian invalid blocktime' => 'Invalid BlockTime: Please provide a natural number higher than zero.',
'guardian invalid logfile' => 'The provided path for the logfile is not valid.',
'guardian ignored hosts' => 'Ignored Hosts',
'guardian logfacility' => 'Log facility',
'guardian logfile' => 'Logfile',
'guardian loglevel' => 'Loglevel',
'guardian no entries' => 'No entries at the moment.',
'guardian priority level' => 'Prioritylevel',
'guardian service' => 'Guardian Service',
'guardian watch snort alertfile' => 'Monitor Snort alertfile',

);

#EOF
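Added example for point 2 of the mail (the 'snort' and 'guardian' entries added to the %sections hash in log.dat) and for Stefan's remark that block reasons land in syslog. This is not code from the mail, from IPFire or from Guardian: it runs the two section patterns over a constructed /var/log/messages excerpt and strips the syslog prefix so only the daemon's message remains. How logs.cgi itself consumes %sections is not on the page and is assumed here to be a plain per-line regex match; the log line texts, PIDs and the function names (section_pattern, section_lines, section_messages) are all made up for the example.

```shell
#!/bin/sh
# Added example; not code from the mail, from IPFire or from Guardian.
# It applies the two log.dat section patterns quoted in the mail to a
# syslog-style file and strips the "date host prog[pid]: " prefix, which
# is what a log viewer page would show. How logs.cgi itself consumes
# %sections is not on the page; a plain per-line regex match is assumed.

# Constructed /var/log/messages excerpt. Timestamps, PIDs and message
# texts are made up and are NOT Guardian's or snort's real output formats.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jul 19 03:58:31 ipfire guardian[2817]: Blocking 203.0.113.7 (ssh brute-force)
Jul 19 03:58:31 ipfire kernel: eth0: link up
Jul 19 03:58:40 ipfire snort[1999]: [1:2001219:20] ET SCAN Potential SSH Scan [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.1:22
Jul 19 04:00:02 ipfire guardian[2817]: Unblocking 198.51.100.9 (blocktime expired)
Jul 19 04:00:05 ipfire sshd[3101]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jul 19 04:01:00 ipfire guardian[2817]: [ignore]: 192.0.2.50 is on the ignore list, not blocking
EOF

# section_pattern SECTION -- the %sections regex from the mail for SECTION,
# as a POSIX basic regex: no capture group, and "]" needs no backslash.
section_pattern() {
    case "$1" in
        guardian) printf '%s' 'guardian\[.*]: ' ;;
        snort)    printf '%s' 'snort\[.*]: ' ;;
        *)        echo "unknown section: $1" >&2; return 1 ;;
    esac
}

# section_lines SECTION FILE -- every raw line that belongs to SECTION.
# This is the membership test a log viewer needs; here ".*" is harmless.
section_lines() {
    pattern="$(section_pattern "$1")" || return 1
    grep -- "$pattern" "$2"
}

# section_messages SECTION FILE -- the same lines with the syslog prefix
# removed. For stripping, "[.*]" from the mail's pattern is too loose:
# a greedy ".*" would run on to a later "]: " inside the message itself
# (see the "[ignore]:" line above), so the PID is restricted to digits.
# The section name doubles as the syslog program name, as in log.dat.
section_messages() {
    sed -n "s/^.*$1\[[0-9]*]: //p" "$2"
}

echo "== guardian =="
section_messages guardian "$SAMPLE_LOG"
echo "== snort =="
section_messages snort "$SAMPLE_LOG"
```

The pattern from the mail is fine for deciding which lines belong to a section; it is only when the same expression is reused to cut the prefix off that the greedy `.*` between the brackets matters, which is why section_messages pins the PID to digits.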
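Added example for point 3 of the mail, the extraction of the guardian lang strings from a CGI with `cat guardian.cgi | grep "Lang::tr{'guardian"`. This is not code from the mail, from IPFire or from Guardian: it generalises that one-liner into a script that lists every distinct key and writes a skeleton addon language file in the `%tr = ( %tr, ... );` shape of the attached guardian.en.pl. The stand-in CGI content, the temporary file names and the function names (extract_lang_keys, write_lang_skeleton, count_skeleton_entries) are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not code from the mail, from IPFire or from Guardian.
# It generalises the one-liner from the mail,
#     cat guardian.cgi | grep "Lang::tr{'guardian"
# into a script that lists every distinct $Lang::tr{'guardian ...'} key
# used by a CGI and writes a skeleton addon language file in the
# "%tr = ( %tr, ... );" shape of the attached guardian.en.pl, with each
# key repeated as its own placeholder value for the translator to replace.

# Constructed stand-in for guardian.cgi: a handful of lines in the style
# of IPFire CGIs, not the real file. One key is used twice, one line
# carries two keys.
SAMPLE_CGI="$(mktemp)"
OUT_PL="$(mktemp)"
trap 'rm -f "$SAMPLE_CGI" "$OUT_PL"' EXIT
cat >"$SAMPLE_CGI" <<'EOF'
&Header::openbox('100%', 'center', $Lang::tr{'guardian configuration'});
print "<b>$Lang::tr{'guardian common settings'}</b>";
print "$Lang::tr{'guardian blockcount'}: $Lang::tr{'guardian blocktime'}";
$errormessage = $Lang::tr{'guardian invalid blockcount'};
&Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'});
print $Lang::tr{'guardian blockcount'};
EOF

# extract_lang_keys CGI_FILE -- print each distinct key, one per line.
# grep -o emits every match on its own line (so two keys on one source
# line are both caught); sed strips the Lang::tr{' ... '} wrapper;
# LC_ALL=C makes the sort order locale-independent.
extract_lang_keys() {
    grep -o "Lang::tr{'guardian[^']*'}" "$1" \
        | sed "s/^Lang::tr{'//; s/'}\$//" \
        | LC_ALL=C sort -u
}

# write_lang_skeleton CGI_FILE OUT_FILE -- emit the %tr hash skeleton.
# The leading "%tr," merges the entries into the hash the core language
# file already defined, which is how the attached files are structured.
write_lang_skeleton() {
    {
        echo '%tr = ('
        echo '%tr,'
        echo
        extract_lang_keys "$1" | while IFS= read -r key; do
            printf "'%s' => '%s',\n" "$key" "$key"
        done
        echo
        echo ');'
        echo
        echo '#EOF'
    } >"$2"
}

# count_skeleton_entries OUT_FILE -- number of key/value lines written.
count_skeleton_entries() {
    grep -c " => " "$1"
}

write_lang_skeleton "$SAMPLE_CGI" "$OUT_PL"
cat "$OUT_PL"
```

Run against the real guardian.cgi, the same script yields the key list that the attached guardian.en.pl had to be written from; comparing its output with the keys present in an existing addon-lang file is a quick way to spot strings the translation files are still missing, which the mail says is the case.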