Hello Mark,

thanks for testing and your feedback.

The details why a host has been blocked or the time, can be grabbed from the guardian logfile if configured or in the default settings from
syslog (/var/log/messages). I'll very soon the support in the IPFire Webinterface to get the guardian related messages from the syslog on
the corresponding CGI.

Best regards,

-Stefan
Everything seems to work well here Stefan. Is it possible to put the reason for the host being blocked in the UI. It would be very nice to know which ones, for instance, were custom-blocked. The snort log would give a reason why they were flagged. It would also be nice to know when the block was applied.
I know you probably don't want to get the interface too crowded but those are just things I was thinking of.

Thanks for this.

On Mon, Jul 18, 2016 at 10:01 AM, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
Hello mailing list followers,

this is the official release announcement for the first beta release of
the new Guardian 2.0 approach.


- What are the differences to the current version of guardian (legacy)
and the first approach of guardian 2.0?

The most important difference is, that the new version of Guardian 2.0
completely has been re-written from scratch and released under the
terms of the GPLv3. The legacy version of guardian is not maintained
anymore by it's developer and the software has been released without
any license details at all.

Guardian 2.0 has a very modular code base and has been designed as a
multi-threaded application. This allows a parallel parsing of all
monitored logfiles and faster actions, if one of the used modules
detects an attack.

A very important difference to the legacy version is the support of
configuring and managing the entire service through the IPFire
webinterface. The entire configuration, managing of current blocked
hosts, unblocking them or editing the ignored hosts list now can be
done in a graphical way. 

The legacy version of guardian only supported parsing snort alerts.
HTTPD and SSH support has been patched by the IPFire development team
some time ago. Guardian 2.0 supports all of them out of the box and
includes a filter to detect owncloud login brute-force attempts. As a
benefit of the new modular design, additional filters easily can be
added.

Guardian 2.0 is able to reload it's configuration, reloading
the ignore list during runtime and handle, if the logfiles will get
rotated by logrotate. This actions can be called by using the
webinterface or from the command line interface by using
"guardianctrl".

These are just a handful of the changes and benefits which comes with
Guardian 2.0, a complete list would be to long for this mailing list.


- How to join testing?

To get part of the testing team, simple navigate to http://people.ipfir
e.org/~stevee/guardian-2.0/ and download the latest tarball (currently
002). Please take care to download the correct one, based on your used
architecture. The i585 packages are for 32Bit installations of IPFire,
the x86_64 packages only can be used on 64Bit installations.

Put the downloaded file on your IPFire test system and extract the
package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C /".

The final installation step would be to regenerate the language cache
by executing "update-lang-cache" on the console.

From now you can find a new menu item called "Guardian" in your
"Service" menu after you have logged-in into your IPFire's
webinterface.

Documentation can be found on the IPFire wiki: http://wiki.ipfire.org/e
n/addons/guardian/start#the_guardian_20_addon


- Where to post bugs reports or provide feedback?

If you find any bugs, please report them as usual on the IPFire
bugtracker, which can be found at https://bugzilla.ipfire.org.

To provide feedback or to join a discussion, please send your mails to
"development@lists.ipfire.org" (Please register first at http://lists.i
pfire.org if not yet done).

The source code can be found at http://git.ipfire.org/?p=people/stevee/
guardian.git;a=summary


Happy testing,

-Stefan