From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Betatest Guardian 2.0
Date: Wed, 20 Jul 2016 16:28:48 +0200
Message-ID:
In-Reply-To: <1469021628.22228.8.camel@ipfire.org>

On 20.07.2016 15:33, Stefan Schantl wrote:
> Hello testers,

Hi Stefan,

> I've uploaded a new test version (003).

Thanks! ;-)

> Update or fresh install works like described in the announcement mail.
>
> The Changelog can be found here:
>
> http://people.ipfire.org/~stevee/guardian-2.0/Changelog.txt
>
> At the moment I'm missing feedback for the following functions:
>
> * Manually blocking / unblocking addresses.

Tested - seems to work. Manually added to block list: "Connection timed
out". Unblocked: Runs at once. Log says: " Socket - User-requested action."

> * Dealing with the ignore list.

Added my own IP and tried to log in - with wrong password. Log says:

"16:12:37 guardian[5773]: Reloading ignore list...
16:12:57 guardian[5773]: Ignoring event for 192.XXX.YYY.ZZZ, because it is part of the ignore list.
16:13:01 guardian[5773]: Ignoring event for 192.XXX.YYY.ZZZ, because it is part of the ignore list.
16:13:05 guardian[5773]: Ignoring event for 192.XXX.YYY.ZZZ, because it is part of the ignore list.
"

After deleting this entry and after the second attempt (Blockcount = 2)
the IP was blocked - tested with my daughter...

> * Owncloud message parser.

Can't test this here, sorry.

> * Logrotate, there should be a corresponding log entry in the guardian
> logfile after rotation of the logfiles has been done.

Using 'syslog' there was NO rotation entry yesterday, the log just went on.

> * Reload of the ignore list after "Red" has been reconnected. There
> also a corresponding log entry should be logged to the logfile and the
> new "Red-address" should also be logged as part of the ignore list (If
> you own a dynamically assigned one).

I'm "static", sorry. ;-)

> As always please report your bugs or experience with the new version to
> this list.

One suggestion: The 'ids.cgi' contains the old 'snortrules' version and
an outdated license link (patch attached).

Best,
Matthias

> Best regards,
>
> -Stefan
>
>> Hello mailing list followers,
>>
>> this is the official release announcement for the first beta release of
>> the new Guardian 2.0 approach.
>>
>>
>> - What are the differences to the current version of guardian (legacy)
>> and the first approach of guardian 2.0?
>>
>> The most important difference is that the new version of Guardian 2.0
>> has been completely re-written from scratch and released under the
>> terms of the GPLv3. The legacy version of guardian is not maintained
>> anymore by its developer and the software has been released without
>> any license details at all.
>>
>> Guardian 2.0 has a very modular code base and has been designed as a
>> multi-threaded application. This allows a parallel parsing of all
>> monitored logfiles and faster actions, if one of the used modules
>> detects an attack.
>>
>> A very important difference to the legacy version is the support of
>> configuring and managing the entire service through the IPFire
>> webinterface. The entire configuration, managing of current blocked
>> hosts, unblocking them or editing the ignored hosts list now can be
>> done in a graphical way.
>>
>> The legacy version of guardian only supported parsing snort alerts.
>> HTTPD and SSH support has been patched by the IPFire development team
>> some time ago. Guardian 2.0 supports all of them out of the box and
>> includes a filter to detect owncloud login brute-force attempts. As a
>> benefit of the new modular design, additional filters easily can be
>> added.
>>
>> Guardian 2.0 is able to reload its configuration, reloading
>> the ignore list during runtime and handle, if the logfiles will get
>> rotated by logrotate. These actions can be called by using the
>> webinterface or from the command line interface by using
>> "guardianctrl".
>>
>> These are just a handful of the changes and benefits which come with
>> Guardian 2.0, a complete list would be too long for this mailing list.
>>
>>
>> - How to join testing?
>>
>> To get part of the testing team, simply navigate to
>> http://people.ipfire.org/~stevee/guardian-2.0/ and download the latest
>> tarball (currently 002). Please take care to download the correct one,
>> based on your used architecture. The i585 packages are for 32Bit
>> installations of IPFire, the x86_64 packages only can be used on 64Bit
>> installations.
>>
>> Put the downloaded file on your IPFire test system and extract the
>> package by using "tar -xvf guardian-2.0-002..tar.gz -C /".
>>
>> The final installation step would be to regenerate the language cache
>> by executing "update-lang-cache" on the console.
>>
>> From now you can find a new menu item called "Guardian" in your
>> "Service" menu after you have logged in to your IPFire's
>> webinterface.
>>
>> Documentation can be found on the IPFire wiki:
>> http://wiki.ipfire.org/en/addons/guardian/start#the_guardian_20_addon
>>
>>
>> - Where to post bug reports or provide feedback?
>>
>> If you find any bugs, please report them as usual on the IPFire
>> bugtracker, which can be found at https://bugzilla.ipfire.org.
>>
>> To provide feedback or to join a discussion, please send your mails to
>> "development(a)lists.ipfire.org" (Please register first at
>> http://lists.ipfire.org if not yet done).
>>
>> The source code can be found at
>> http://git.ipfire.org/?p=people/stevee/guardian.git;a=summary
>>
>>
>> Happy testing,
>>
>> -Stefan
>>
>

Attachment: snort_ids_cgi_latest_rules_and_link.txt

--- old/ids.cgi	Wed Oct 22 19:27:52 2014
+++ new/ids.cgi	Tue Jul 19 04:10:39 2016
@@ -254,9 +254,9 @@
 #######################  End added for snort rules control  ####################################
 
 if ($snortsettings{'RULES'} eq 'subscripted') {
-	$url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
+	$url=" https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
 } elsif ($snortsettings{'RULES'} eq 'registered') {
-	$url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
+	$url=" https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
 } elsif ($snortsettings{'RULES'} eq 'community') {
 	$url=" https://www.snort.org/rules/community";
 } else {
@@ -485,7 +485,7 @@
 </tr>
 <tr>
 	<td><br />
-		$Lang::tr{'ids rules license'} <a href='https://www.snort.org/signup' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}<br /><br />
+		$Lang::tr{'ids rules license'} <a href='https://www.snort.org/subscribe' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}<br /><br />
 		$Lang::tr{'ids rules license2'} <a href='https://www.snort.org/account/oinkcode' target='_blank'>Get an Oinkcode</a>, $Lang::tr{'ids rules license3'}
 	</td>
 </tr>
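Review bot: in the first hunk (ids.cgi, lines 254-262) the 'subscripted' and 'registered' branches still set byte-for-byte identical URLs, each with the snapshot number hard-coded, so the next Snort release will again need two edits; hoist the version into one variable (e.g. `my $snapshot = "2983";` used by both `$url=` assignments) so it is changed in a single place. The leading blank inside the quoted string (`$url=" https://...`) is carried over unchanged from the removed lines; since these lines are being touched anyway, dropping that stray space would be cheap.

Review bot: in the second hunk (ids.cgi, lines 485-491) the href moves from https://www.snort.org/signup to https://www.snort.org/subscribe, but the surrounding translated strings ($Lang::tr{'ids rules license'} and 'ids rules license1') and the visible link text are unchanged; please check that those strings still describe a subscription page rather than account registration, and that users on the 'registered' tier from the first hunk are not sent to a paid-subscription page when they only need an account and an Oinkcode (the unchanged https://www.snort.org/account/oinkcode link on the following line).

The ignore-list and Blockcount behaviour described in the test report above (events for a source on the ignore list are logged and skipped; any other source is blocked once its event count reaches the configured Blockcount; unblocking resets it) can be modelled in a few lines. The following Python is an added example written for this page, not Guardian's own Perl code: the log lines, the `Failed password` pattern, the class and function names and the "Blocking ..." message are all constructed here, while the "Ignoring event for ..., because it is part of the ignore list." message copies the wording from the log excerpt in the mail.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real Guardian or sshd output); the format only
# loosely imitates an sshd failed-login line.
SAMPLE_LOG = """\
Jul 20 16:12:40 fw sshd[1234]: Failed password for root from 192.0.2.10 port 51000 ssh2
Jul 20 16:12:57 fw sshd[1235]: Failed password for admin from 192.0.2.10 port 51002 ssh2
Jul 20 16:13:01 fw sshd[1236]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jul 20 16:13:05 fw sshd[1237]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul 20 16:13:09 fw sshd[1238]: Accepted password for user from 198.51.100.7 port 40002 ssh2
"""

# Hypothetical matcher for one event type; a real parser would carry one per
# monitored service (snort, httpd, ssh, owncloud).
FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+) port \d+")


class Guard:
    """Minimal model of Guardian's per-address counter with an ignore list."""

    def __init__(self, blockcount, ignore_list):
        self.blockcount = blockcount          # events before a block is issued
        self.ignore = []                      # list of ip_network objects
        self.counts = defaultdict(int)        # events seen per source address
        self.blocked = []                     # addresses currently blocked, in order
        self.log = []                         # what the daemon would log
        self.reload_ignore_list(ignore_list)

    def reload_ignore_list(self, ignore_list):
        # Entries may be single addresses or networks; strict=False lets a
        # host address such as 192.0.2.10 be read as 192.0.2.10/32.
        self.ignore = [ip_network(entry, strict=False) for entry in ignore_list]
        self.log.append("Reloading ignore list...")

    def is_ignored(self, addr):
        return any(ip_address(addr) in net for net in self.ignore)

    def handle_event(self, addr):
        """Return True if this event caused addr to be blocked."""
        if self.is_ignored(addr):
            self.log.append(
                f"Ignoring event for {addr}, because it is part of the ignore list.")
            return False
        self.counts[addr] += 1
        if self.counts[addr] >= self.blockcount and addr not in self.blocked:
            self.blocked.append(addr)
            self.log.append(f"Blocking {addr} after {self.counts[addr]} events.")
            return True
        return False

    def unblock(self, addr):
        """Manual unblock: lift the block and start counting from zero again."""
        if addr in self.blocked:
            self.blocked.remove(addr)
        self.counts[addr] = 0
        self.log.append(f"Unblocked {addr} (user-requested action).")


def process(log_text, guard):
    """Feed every matching line of log_text to guard; lines without a match are skipped."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            guard.handle_event(m.group(1))
    return guard


def run_demo():
    # Blockcount = 2 as in the mail; 192.0.2.10 plays the tester's own address
    # that was put on the ignore list.
    return process(SAMPLE_LOG, Guard(blockcount=2, ignore_list=["192.0.2.10"]))


if __name__ == "__main__":
    g = run_demo()
    print("\n".join(g.log))
    print("blocked:", g.blocked)
```

Running it shows the two failures from the ignored address producing only "Ignoring event ..." lines while the second failure from 198.51.100.7 triggers the block; removing the ignore entry (a `Guard` with an empty list) blocks both sources, and `unblock()` lifts a block and clears the counter so a later attempt starts counting afresh.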