This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated.
The revisions that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 80a474183e6c730da89e96a3d7719534c252a06b Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 2 12:43:01 2016 +0100
Improve wording of the Guardian translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f62bd2742cdfd2d2af8c6b77a526e6fe92f2d27b Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 2 12:18:45 2016 +0100
Update translation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit afc0f6e8849c6b9bed5005a05c8c4a526b63e06d Merge: de56278 e73a5ce Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 2 12:18:29 2016 +0100
Merge remote-tracking branch 'stevee/guardian-2.0' into next
commit e73a5ce77a518e1c83bab5e59702b76f2b80d655 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jul 30 11:31:08 2016 +0200
guardian: Update to the tagged release version.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6a5b83f80d4f0ad34597b46e90d4dfbc567de4a0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Jul 29 15:40:30 2016 +0200
Core 104: Add files changed for guardian to core update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit dcb6493a0cc32211c713615465ddf39bc3c1916f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Jul 29 13:29:13 2016 +0200
initscripts: Drop guardian related code from snort initscript.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a27c40a05bda1e3dc64954c0550ec32bc84c6763 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Jul 29 13:25:28 2016 +0200
ids.cgi: Drop guardian related code.
Guardian will be completely managed by its own CGI.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3b8ad4fde998ada617708a1c175e0039dd75194a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Jul 29 13:21:08 2016 +0200
guardian-legacy: Drop old guardian related files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit dadee76d7be1b5f1d1ab9c100e8e4e4929aea3ff Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Jul 29 13:16:11 2016 +0200
guardian.cgi: Fix path to snort alert file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5cbfa0140c0f97e077957e351c1fbfd943ed3450 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Jul 19 20:17:11 2016 +0200
log.dat: Added entry for 'guardian'
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a11aaa91b36761f07f05db5cc1a3efd27cf0bf88 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jul 4 11:49:39 2016 +0200
guardian: Update to 2.0.
Update guardian to the re-written version.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f617f21cc0661a74e452d61d299742b4634eef99 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jul 13 09:37:30 2016 +0200
guardian.cgi: Prevent from using "syslog" and "debug".
When using syslog as log facility and debug as log mode, syslog does not log anything.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit efd9c5ffb45579b4ff3c323f1f19689caa8fe50a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jul 2 10:21:52 2016 +0200
guardian.cgi: Also generate ignore file when building the configuration.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8651c94e9a03116fcb9d4226b1457c4307a9dee7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 29 09:39:39 2016 +0200
Language file update.
Add guardian related strings to the german language file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8afd763e702fc1e711e5544ab4246ec1b59ea7cb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 18 18:17:24 2016 +0100
perl-Net-IP: New package
The perl-Net-IP module provides various methods for validating and calculating IP-addresses (both IP protocols supported) and is a runtime dependency of guardian 2.0.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 65c61b574f9f4e461418b26fa0f5e3780c1a019a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Oct 7 19:24:11 2014 +0200
perl-common-sense: New package.
This is a runtime dependency for perl-inotify2.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7f218a58ba2537d04dd3a661f0a57f55fe8484b1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Oct 7 19:25:11 2014 +0200
perl-inotify2: New package.
This module contains inotify bindings for perl, used by the extended guardian.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 06f261cfb973edfc4b633afdd8060d001076aa99 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jun 27 12:54:44 2016 +0200
Language file update.
Add new guardian related strings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2daa1f5bb230cff536067280545dff60f2fecaa8 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jun 27 12:52:39 2016 +0200
guardian.cgi: Show/Hide options using Java Script.
The options for configuring the log file location and snort alert priority level now dynamically will be displayed or hidden if the desired options or feature is not used.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2d17c6e6b8d6b0f8bb9711ead293e3f6abc73ede Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jun 23 15:54:19 2016 +0200
guardian.cgi: Add support for selecting the used firewall action.
This will allow choosing between DROP and REJECT if guardian blocks an attacker's address.
Fixes #10xxx.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1cc653239fd4d1a8c589082ea6706d76de9dd55a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jun 21 10:05:01 2016 +0200
guardian.cgi: Use new feature of ignore file inclusion.
Add support and usage of the recently introduced feature of including other files in the ignore file to add the red related IP-addresses to the ignore list on IPFire systems.
Also use reload-ignore-list feature instead of reloading the whole configuration on ignore list modifications.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c880c2cb8a922bb1132871dad96e079b7b98442b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 29 11:54:53 2016 +0200
guardian.cgi: Create config and ignore file if they do not exist.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 62fd0e6fc7c946f2c9f11d34062c555d95e8a272 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 29 11:06:40 2016 +0200
guardian.cgi: Prevent from blocking the used DNS servers.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c232e3489ada10b19ca00f675f2e7a930e9164a5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 29 11:06:06 2016 +0200
guardian.cgi: Use private subfunction for gateway and DNS server detection.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 97849142bd882820c336bec357b62381cae8a5c4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 29 10:55:32 2016 +0200
guardian.cgi: Add function to generate the guardian.ignore file.
This function is responsible for collecting all required data, like the green, blue, orange (if the interfaces are available), red, gateway and used DNS server IP-addresses.
It will add all these addresses and the configured and enabled user-defined ignored addresses/networks to the ignore file of guardian to prevent blocking any of them.
Note:
The IPFire and RED interface related addresses will also be added to the ignore file, even if there is no user-defined entry in the list.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7edbe063742d0c65e2f229dc366da8b18ea41482 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 29 09:09:25 2016 +0200
guardian.cgi: Use ignored config file.
The CGI now uses its own ignored configuration file for storing host addresses and/or subnets which should be ignored by guardian.
This allows adding remarks for them and enabling or disabling each entry individually at any time.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 891ba055f2ece97941bfe3801ec4e33114b583d1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 25 11:22:19 2016 +0100
guardian.cgi: Use "getipstat" binary.
Rework the GetBlockedHosts() to use the "getipstat" binary instead of the no longer available "guardianctrl" binary.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit af6856afc470656283347c86106c76d4ba3a6f49 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 24 12:41:12 2016 +0100
guardian.cgi: Send commands through socket connection.
The guardianctrl binary no longer exists; use the Guardian::Socket module to send various commands by using the provided socket client.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 52958991040571d3154345612c6adc38b31973bb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 24 12:12:11 2016 +0100
guardian.cgi: Adjust code for generating the config file.
The config file format and values have been changed, so the code to do the generation has to be adjusted.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d5305379985e5f33a5639a7f4ebb8fa5ab48290f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 24 09:27:10 2016 +0100
guardian.cgi: Drop option for configuring the path to the snort alertfile.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 723648ac92c18e9b8e43ccc138fab9c0c1224f54 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 24 09:19:39 2016 +0100
guardian.cgi: Rename hash keys for enabled modules.
Rename the hash key names of enabled parser modules (services which should be monitored by guardian) to keep the same naming scheme as in the guardian config file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b5f7d90327dc8ecc346bac6f758d752d2b510e78 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 24 08:59:42 2016 +0100
guardian.cgi: Adjust CGI to use Locale::Codes::Country.
The module has been renamed some time ago.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit eff1feb8c7d4ed98d24ed2119dbee8da3185ec05 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Feb 28 12:33:12 2015 +0100
guardian.cgi: Disable debugging.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b1597f879c0e897c7bf9fdb256d178857055c61e Author: Matthias Fischer fischerm@ipfire.org Date: Sat Feb 28 11:57:33 2015 +0100
guardian.cgi: Suppress warnings for ${Header::colourgreen} variable.
Reference #10748.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6a153ecdaca6ea9a04d69ba7790e88e44479eca2 Author: Matthias Fischer fischerm@ipfire.org Date: Sat Feb 28 11:54:58 2015 +0100
guardian.cgi: Fix uninitialized value "GUARDIAN_ENABLE_OWNCLOUD".
When the owncloud addon is not installed, this value was not initialized correctly.
Reference #10748.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 922ddf0ef64d977422653d4346f57a9f71c6ea4e Author: Matthias Fischer fischerm@ipfire.org Date: Sat Feb 28 11:52:33 2015 +0100
guardian.cgi: Use variable $pid instead of array element.
This will prevent a lot of perl suggestions in the apache error log.
Reference #10748.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit bfb860ceb797fd9e74601f0accdf5d87193f78c0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jan 24 18:41:37 2015 +0100
guardian.cgi: Fix path to meta-owncloud.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 28981fac68e0c86dbdb2faf0bde1fd3d538fb50f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jan 17 10:15:12 2015 +0100
guardian.cgi: Add configure options for owncloud.
The related options only will be displayed when the owncloud addon has been installed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 36dbcf2e43d77678cfe96ee8f58f01dc0c33f69c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Nov 1 13:42:53 2014 +0100
guardian.cgi: Always read-in settings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c973d6da105f1e83423ee8d66b25a934262b069d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Oct 28 21:53:27 2014 +0100
guardian.cgi: Some more input validation.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 473c7257215a905d6eac7fe892b46038f534737b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Oct 27 21:12:03 2014 +0100
guardian.cgi: Correct indentation when writing out the config file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4a7fc9f6349f56d8f0409a1cbb3df693944a2810 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Oct 27 21:06:58 2014 +0100
guardian.cgi: Add dropdown for PriorityLevel selection.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 96655fa6b7712d586d9ce6a11e7b2f2c47ea2c7d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Oct 27 20:16:42 2014 +0100
guardian.cgi: Fix and improve input validation.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f8c3bfe050776a702c0f7134d21e07569a2b8d50 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Oct 21 21:55:07 2014 +0200
guardian.cgi: Reload guardian if config or the ignorelist changes.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a35a066845d17c5cc1ebc03bb9f01e844ea20689 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 19 19:58:45 2014 +0200
guardian.cgi: Add option to configure the BlockCount.
Some small code fixes.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 06ff7e28d7993d02be4e4a87bfc959b3bb375346 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 19 16:46:38 2014 +0200
guardian.cgi: Accidentally hardcoded some descriptions.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7899718f04b1a7e1288c12a49444f3e0312214d9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 19 16:43:32 2014 +0200
guardian.cgi: Add dropdown to select the used loglevel.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a67b3e2dc53d24c7a25c4f053c4ae2e6368da1b0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 19 14:01:48 2014 +0200
guardian.cgi: Remove code for options which have been dropped from guardian.
Guardian no longer requires the information for the red interface from the configfile.
Guardian no longer supports a targetfile.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 26fcd31e1f68e279c6882e9d1998f3079cc4be19 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 19 13:57:30 2014 +0200
guardian.cgi: Add options to enable/disable some built-in functions from guardian.
This commit allows enabling or disabling the monitoring of the snort alertfile and switching off the blocking of SSH and HTTPD Brute-force attempts.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d2fea55e0930cdc2715855297734dd65857718fb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 9 10:35:32 2014 +0200
guardian.cgi: Remove code for Blockinterfaces.
We don't need this code anymore because we dropped interface support from guardian.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1d5702a7c3e4de0700d08c2e45a1a2891f777fa9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jul 5 15:09:50 2014 +0200
guardian.cgi: Connect subboxes with input elements to the main boxes.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5f462919d9fe730aaca4e0a0e1751df9a3b7d936 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jun 30 17:59:28 2014 +0200
guardian.cgi: Sort blocked IP addresses.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8b8413e566334bfdb62776d31427cfb1162e4a36 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Jun 8 12:47:58 2014 +0200
guardian.cgi: Add hyperlink to ipinfo page for blocked hosts.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7f7285911c65776b061a9a2df018fec66eef064c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jun 3 22:36:32 2014 +0200
guardian.cgi: Autodetect the used interface for red.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 01dbccb11e113497809d74356d2d3467982a5681 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Jun 1 17:24:23 2014 +0200
guardian.cgi: New page to configure and interact with guardian.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/backup/includes/guardian | 4 +
 config/guardian/guardian.conf | 33 -
 config/guardian/guardian.logrotate | 12 +
 config/guardian/guardian.pl | 431 --------
 config/guardian/guardian_block.sh | 12 -
 config/guardian/guardian_unblock.sh | 10 -
 config/menu/EX-guardian.menu | 6 +
 config/rootfiles/common/armv5tel/initscripts | 2 +
 config/rootfiles/common/configroot | 1 +
 config/rootfiles/common/i586/initscripts | 2 +
 config/rootfiles/common/web-user-interface | 1 +
 config/rootfiles/common/x86_64/initscripts | 2 +
 config/rootfiles/core/104/filelists/files | 3 +
 config/rootfiles/packages/guardian | 25 +-
 .../{common/Net-Telnet => packages/perl-Net-IP} | 10 +-
 config/rootfiles/packages/perl-common-sense | 7 +
 .../packages/{perl-gettext => perl-inotify2} | 16 +-
 doc/language_issues.de | 6 +-
 doc/language_issues.en | 8 +-
 doc/language_issues.es | 32 +
 doc/language_issues.fr | 32 +
 doc/language_issues.it | 32 +
 doc/language_issues.nl | 32 +
 doc/language_issues.pl | 32 +
 doc/language_issues.ru | 32 +
 doc/language_issues.tr | 32 +-
 doc/language_missings | 88 ++
 html/cgi-bin/guardian.cgi | 1129 ++++++++++++++++++++
 html/cgi-bin/ids.cgi | 71 +-
 html/cgi-bin/logs.cgi/log.dat | 6 +-
 langs/de/cgi-bin/de.pl | 30 +-
 langs/en/cgi-bin/en.pl | 30 +-
 lfs/guardian | 75 +-
 lfs/{perl-TimeDate => perl-Net-IP} | 13 +-
 lfs/{perl-File-Tail => perl-common-sense} | 14 +-
 lfs/{perl-Sort-Naturally => perl-inotify2} | 13 +-
 make.sh | 3 +
 src/initscripts/init.d/guardian | 56 +
 .../init.d/networking/red.up/35-guardian | 3 +
 src/initscripts/init.d/snort | 20 +-
 40 files changed, 1721 insertions(+), 645 deletions(-)
 create mode 100644 config/backup/includes/guardian
 delete mode 100644 config/guardian/guardian.conf
 create mode 100644 config/guardian/guardian.logrotate
 delete mode 100644 config/guardian/guardian.pl
 delete mode 100644 config/guardian/guardian_block.sh
 delete mode 100644 config/guardian/guardian_unblock.sh
 create mode 100644 config/menu/EX-guardian.menu
 copy config/rootfiles/{common/Net-Telnet => packages/perl-Net-IP} (50%)
 create mode 100644 config/rootfiles/packages/perl-common-sense
 copy config/rootfiles/packages/{perl-gettext => perl-inotify2} (53%)
 create mode 100644 html/cgi-bin/guardian.cgi
 copy lfs/{perl-TimeDate => perl-Net-IP} (95%)
 copy lfs/{perl-File-Tail => perl-common-sense} (95%)
 copy lfs/{perl-Sort-Naturally => perl-inotify2} (93%)
 create mode 100755 src/initscripts/init.d/guardian
 create mode 100644 src/initscripts/init.d/networking/red.up/35-guardian
Difference in files: diff --git a/config/backup/includes/guardian b/config/backup/includes/guardian new file mode 100644 index 0000000..e5433f0 --- /dev/null +++ b/config/backup/includes/guardian @@ -0,0 +1,4 @@ +/var/ipfire/guardian/guardian.conf +/var/ipfire/guardian/guardian.ignore +/var/ipfire/guardian/settings +/var/ipfire/guardian/ignored diff --git a/config/guardian/guardian.conf b/config/guardian/guardian.conf deleted file mode 100644 index b1aa2e8..0000000 --- a/config/guardian/guardian.conf +++ /dev/null @@ -1,33 +0,0 @@ -# The machines IP address that is visable to the internet -# If this is left undefined, then guardian will attempt to get the information -# from ifconfig, as long as it has an interface to use. This would be useful -# for people on ppp links, or dhcp machines, or if you are lazy :) -# HostIpAddr - -# Here we define the interface which we will use to guess the IP address, and -# block incoming offending packets. This is the only option that is required -# for guardian to run. If the rest are undefined, guardian will use the default. -Interface ppp0 - -# The last octet of the ip address, which gives us the gateway address. -HostGatewayByte 1 - -# Guardian's log file -LogFile /var/log/guardian/guardian.log - -# Snort's alert file. This can be the snort.alert file, or a syslog file -# There might be some snort alerts that get logged to syslog which guardian -# might not see.. -AlertFile /var/log/snort/alert - -# The list of ip addresses to ignore -IgnoreFile /var/ipfire/guardian/guardian.ignore - -# This is a list of IP addresses on the current host, in case there is more -# than one. If this file doesn't exist, then it will assume you want to run -# with the default setup (machine's ip address, and broadcast/network). -TargetFile /var/ipfire/guardian/guardian.target - -# The time in seconds to keep a host blocked. If undefined, it defaults to -# 99999999, which basicly disables the feature. -TimeLimit 86400 
diff --git a/config/guardian/guardian.logrotate b/config/guardian/guardian.logrotate new file mode 100644 index 0000000..42f4817 --- /dev/null +++ b/config/guardian/guardian.logrotate @@ -0,0 +1,12 @@ +lastaction + /usr/bin/guardianctrl logrotate &>/dev/null +endscript + +/var/log/guardian/guardian.log { + weekly + rotate 4 + copytruncate + compress + notifempty + missingok +} diff --git a/config/guardian/guardian.pl b/config/guardian/guardian.pl deleted file mode 100644 index 34546b7..0000000 --- a/config/guardian/guardian.pl +++ /dev/null 
@@ -1,431 +0,0 @@ -#!/usr/bin/perl -# based on V 1.7 guardian enhanced for IPFire and snort 2.8 -# Read the readme file for changes -# -# Enhanced for IPFire by IPFire Team -# Added Portscan detection for non syslog system -# Added SSH-Watch for SSH-Bruteforce Attacks -# An suppected IP will be blocked on all interfaces - -$OS=`uname`; -chomp $OS; -print "OS shows $OS\n"; - -require 'getopts.pl'; - -&Getopts ('hc:d'); -if (defined($opt_h)) { - print "Guardian v1.7 \n"; - print "guardian.pl [-hd] <-c config>\n"; - print " -h shows help\n"; - print " -d run in debug mode (doesn't fork, output goes to STDOUT)\n"; - print " -c specifiy a configuration file other than the default (/etc/guardian.conf)\n"; - exit; -} -&load_conf; -&sig_handler_setup; - -print "My ip address and interface are: $hostipaddr $interface\n"; - -if ($hostipaddr !~ /\d+.\d+.\d+.\d+/) { - print "This ip address is bad : $hostipaddr\n"; - die "I need a good host ipaddress\n"; -} - -$networkaddr = $hostipaddr; -$networkaddr =~ s/\d+$/0/; -$gatewayaddr = `cat /var/ipfire/red/remote-ipaddress 2>/dev/null`; -$broadcastaddr = $hostipaddr; -$broadcastaddr =~ s/\d+$/255/; -&build_ignore_hash; - -print "My gatewayaddess is: $gatewayaddr\n"; - -# This is the target hash. If a packet was destened to any of these, then the -# sender of that packet will get denied, unless it is on the ignore list.. - -%targethash = ( "$networkaddr" => 1, - "$broadcastaddr" => 1, - "0" => 1, # This is what gets sent to &checkem if no - # destination was found. - "$hostipaddr" => 1); - -&get_aliases; - -%sshhash = (); - -if ( -e $targetfile ) { - &load_targetfile; -} - -if (!defined($opt_d)) { - print "Becoming a daemon..\n"; - &daemonize; -} else { print "Running in debug mode..\n"; } - -open (ALERT, $alert_file) or die "can't open alert file: $alert_file: $!\n"; -seek (ALERT, 0, 2); # set the position to EOF. 
-# this is the same as a tail -f :) -$counter=0; -open (ALERT2, "/var/log/messages" ) or die "can't open /var/log/messages: $!\n"; -seek (ALERT2, 0, 2); # set the position to EOF. -# this is the same as a tail -f :) - -for (;;) { - sleep 1; - if (seek(ALERT,0,1)){ - while (<ALERT>) { - chop; - if (defined($opt_d)) { - print "$_\n"; - } - if (/[**]\s+(.*)\s+[**]/){ - $type=$1; - } - if (/(\d+.\d+.\d+.\d+):\d+ -> (\d+.\d+.\d+.\d+):\d+/) { - &checkem ($1, $2, $type); - } - if (/(\d+.\d+.\d+.\d+)+ -> (\d+.\d+.\d+.\d+)+/) { - &checkem ($1, $2, $type); - } - } - } - - sleep 1; - if (seek(ALERT2,0,1)){ - while (<ALERT2>) { - chop; - if ($_=~/.*sshd.*Failed password for .* from.*/) { - my @array=split(/ /,$_); - my $temp = ""; - if ( $array[11] eq "port" ) { - $temp = $array[10]; - } elsif ( $array[11] eq "from" ) { - $temp = $array[12]; - } else { - $temp = $array[11]; - } - &checkssh ($temp, "possible SSH-Bruteforce Attack");} - - # This should catch Bruteforce Attacks with enabled preauth - if ($_ =~ /.*sshd.*Received disconnect from (\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}):.*[preauth]/) { - &checkssh ($1, "possible SSH-Bruteforce Attack, failed preauth");} - } - } - -# Run this stuff every 30 seconds.. - if ($counter == 30) { - &remove_blocks; # This might get moved elsewhere, depending on how much load - # it puts on the system.. - &check_log_name; - $counter=0; - } else { - $counter=$counter+1; - } -} - -sub check_log_name { - my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, - $atime,$mtime,$ctime,$blksize,$blocks) = stat($alert_file); - if ($size < $previous_size) { # The filesize is smaller than last - close (ALERT); # we checked, so we need to reopen it - open (ALERT, "$alert_file"); # This should still work in our main while - $previous_size=$size; # loop (I hope) - write_log ("Log filename changed. 
Reopening $alert_file\n"); - } else { - $previous_size=$size; - } -} - - -sub checkem { - my ($source, $dest,$type) = @_; - my $flag=0; - - return 1 if ($source eq $hostipaddr); - # this should prevent is from nuking ourselves - - return 1 if ($source eq $gatewayaddr); # or our gateway - if ($ignore{$source} == 1) { # check our ignore list.. - &write_log("$source\t$type\n"); - &write_log("Ignoring attack because $source is in my ignore list\n"); - return 1; - } - -# if the offending packet was sent to us, the network, or the broadcast, then - if ($targethash{$dest} == 1) { - &ipchain ($source, $dest, $type); - } -# you will see this if the destination was not in the $targethash, and the -# packet was not ignored before the target check.. - else { - &write_log ("Odd.. source = $source, dest = $dest - No action done.\n"); - if (defined ($opt_d)) { - foreach $key (keys %targethash) { - &write_log ("targethash{$key} = $targethash{$key}\n"); - } - } - } -} - -sub checkssh { - my ($source,$type) = @_; - my $flag=0; - - return 1 if ($source eq $hostipaddr); - # this should prevent is from nuking ourselves - - return 1 if ($source eq $gatewayaddr); # or our gateway - - return 0 if ($sshhash{$source} > 4); # allready blocked - - if ( ($ignore{$source} == 1) ){ - &write_log("Ignoring attack because $source is in my ignore list\n"); - return 1; - } - - if ($sshhash{$source} == 4 ) { - &write_log ("source = $source, blocking for ssh attack.\n"); - &ipchain ($source, "", $type); - $sshhash{$source} = $sshhash{$source}+1; - return 0; - } - - if ($sshhash{$source} eq "" ){ - $sshhash{$source} = 1; - &write_log ("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n"); - return 0; - } - - $sshhash{$source} = $sshhash{$source}+1; - &write_log ("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n"); -} - -sub ipchain { - my ($source, $dest, $type) = @_; - &write_log ("$source\t$type\n"); - if ($hash{$source} eq "") { - &write_log ("Running 
'$blockpath $source $interface'\n"); - system ("$blockpath $source $interface"); - $hash{$source} = time() + $TimeLimit; - } else { -# We have already blocked this one, but snort detected another attack. So -# we should update the time blocked.. - $hash{$source} = time() + $TimeLimit; - } -} - -sub build_ignore_hash { -# This would cause is to ignore all broadcasts if it -# got set.. However if unset, then the attacker could spoof the packet to make -# it look like it came from the network, and a reply to the spoofed packet -# could be seen if the attacker were on the local network. -# $ignore{$networkaddr}=1; - -# same thing as above, just with the broadcast instead of the network. -# $ignore{$broadcastaddr}=1; - my $count =0; - $ignore{$gatewayaddr}=1; - $ignore{$hostipaddr}=1; - if ($ignorefile ne "") { - open (IGNORE, $ignorefile); - while (<IGNORE>) { - $_=~ s/\s+$//; - chomp; - next if (/#/); #skip comments - next if (/^\s*$/); # and blank lines - $ignore{$_}=1; - $count++; - } - close (IGNORE); - &write_log("Loaded $count addresses from $ignorefile\n"); - } else { - &write_log("No ignore file was loaded!\n"); - } -} - -sub load_conf { - if ($opt_c eq "") { - $opt_c = "/etc/guardian.conf"; - } - - if (! -e $opt_c) { - die "Need a configuration file.. 
please use to the -c option to name a configuration file\n"; - } - - open (CONF, $opt_c) or die "Cannot read the config file $opt_c, $!\n"; - while (<CONF>) { - chop; - next if (/^\s*$/); #skip blank lines - next if (/^#/); # skip comment lines - if (/LogFile\s+(.*)/) { - $logfile = $1; - } - if (/Interface\s+(.*)/) { - $interface = $1; - if ( $interface eq "" ) { - $interface = `cat /var/ipfire/ethernet/settings | grep RED_DEV | cut -d"=" -f2`; - } - } - if (/AlertFile\s+(.*)/) { - $alert_file = $1; - } - if (/IgnoreFile\s+(.*)/) { - $ignorefile = $1; - } - if (/TargetFile\s+(.*)/) { - $targetfile = $1; - } - if (/TimeLimit\s+(.*)/) { - $TimeLimit = $1; - } - if (/HostIpAddr\s+(.*)/) { - $hostipaddr = $1; - } - if (/HostGatewayByte\s+(.*)/) { - $hostgatewaybyte = $1; - } - } - - if ($alert_file eq "") { - print "Warning! AlertFile is undefined.. Assuming /var/log/snort.alert\n"; - $alert_file="/var/log/snort.alert"; - } - if ($hostipaddr eq "") { - print "Warning! HostIpAddr is undefined! Attempting to guess..\n"; - $hostipaddr = `cat /var/ipfire/red/local-ipaddress`; - print "Got it.. your HostIpAddr is $hostipaddr\n"; - } - if ($ignorefile eq "") { - print "Warning! IgnoreFile is undefined.. going with default ignore list (hostname and gateway)!\n"; - } - if ($hostgatewaybyte eq "") { - print "Warning! HostGatewayByte is undefined.. gateway will not be in ignore list!\n"; - } - if ($logfile eq "") { - print "Warning! LogFile is undefined.. Assuming debug mode, output to STDOUT\n"; - $opt_d = 1; - } - if (! -w $logfile) { - print "Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT\n"; - $opt_d = 1; - } - - foreach $mypath (split (/:/, $ENV{PATH})) { - if (-x "$mypath/guardian_block.sh") { - $blockpath = "$mypath/guardian_block.sh"; - } - if (-x "$mypath/guardian_unblock.sh") { - $unblockpath = "$mypath/guardian_unblock.sh"; - } - } - - if ($blockpath eq "") { - print "Error! Could not find guardian_block.sh. Please consult the README. 
\n"; - exit; - } - if ($unblockpath eq "") { - print "Warning! Could not find guardian_unblock.sh. Guardian will not be\n"; - print "able to remove blocked ip addresses. Please consult the README file\n"; - } - if ($TimeLimit eq "") { - print "Warning! Time limit not defined. Defaulting to absurdly long time limit\n"; - $TimeLimit = 999999999; - } -} - -sub write_log { - my $message = $_[0]; - my $date = localtime(); - if (defined($opt_d)) { # we are in debug mode, and not daemonized - print STDOUT $message; - } else { - open (LOG, ">>$logfile"); - print LOG $date.": ".$message; - close (LOG); - } -} - -sub daemonize { - my ($home); - if (fork()) { -# parent - exit(0); - } else { -# child - &write_log ("Guardian process id $$\n"); - $home = (getpwuid($>))[7] || die "No home directory!\n"; - chdir($home); # go to my homedir - setpgrp(0,0); # become process leader - close(STDOUT); - close(STDIN); - close(STDERR); - print "Testing...\n"; - } -} - -sub sig_handler_setup { - $SIG{INT} = &clean_up_and_exit; # kill -2 - $SIG{TERM} = &clean_up_and_exit; # kill -9 - $SIG{QUIT} = &clean_up_and_exit; # kill -3 -# $SIG{HUP} = &flush_and_reload; # kill -1 -} - -sub remove_blocks { - my $source; - my $time = time(); - foreach $source (keys %hash) { - if ($hash{$source} < $time) { - &call_unblock ($source, "expiring block of $source\n"); - delete ($hash{$source}); - } - } -} - -sub call_unblock { - my ($source, $message) = @_; - &write_log ("$message"); - system ("$unblockpath $source $interface"); -} - -sub clean_up_and_exit { - my $source; - &write_log ("received kill sig.. 
shutting down\n"); - foreach $source (keys %hash) { - &call_unblock ($source, "removing $source for shutdown\n"); - } - exit; -} - -sub load_targetfile { - my $count = 0; - open (TARG, "$targetfile") or die "Cannot open $targetfile\n"; - while (<TARG>) { - chop; - next if (/#/); #skip comments - next if (/^\s*$/); # and blank lines - $targethash{$_}=1; - $count++; - } - close (TARG); - print "Loaded $count addresses from $targetfile\n"; -} - -sub get_aliases { - my $ip; - print "Scanning for aliases on $interface and add them to the target hash..."; - - open (IFCONFIG, "/sbin/ip addr show $interface |"); - my @lines = <IFCONFIG>; - close(IFCONFIG); - - foreach $line (@lines) { - if ( $line =~ /inet (\d+.\d+.\d+.\d+)/) { - $ip = $1; - print " got $ip on $interface ... "; - $targethash{'$ip'} = "1"; - } - } - - print "done \n"; -} diff --git a/config/guardian/guardian_block.sh b/config/guardian/guardian_block.sh deleted file mode 100644 index a8331fa..0000000 --- a/config/guardian/guardian_block.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -# this is a sample block script for guardian. This should work with ipchains. -# This command gets called by guardian as such: -# guardian_block.sh <source_ip> <interface> -# and the script will issue a command to block all traffic from that source ip -# address. The logic of weither or not it is safe to block that address is -# done inside guardian itself. -source=$1 -interface=$2 - -/sbin/iptables -I GUARDIAN -s $source -i $interface -j DROP diff --git a/config/guardian/guardian_unblock.sh b/config/guardian/guardian_unblock.sh deleted file mode 100644 index 315d771..0000000 --- a/config/guardian/guardian_unblock.sh +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/sh - -# this is a sample unblock script for guardian. This should work with ipchains. -# This command gets called by guardian as such: -# unblock.sh <source_ip> <interface> -# and the script will issue a command to remove the block that was created with # block.sh address. -source=$1 -interface=$2 - -/sbin/iptables -D GUARDIAN -s $source -i $interface -j DROP diff --git a/config/menu/EX-guardian.menu b/config/menu/EX-guardian.menu new file mode 100644 index 0000000..89cda9d --- /dev/null +++ b/config/menu/EX-guardian.menu @@ -0,0 +1,6 @@ +$subservices->{'65.guardian'} = { + 'caption' => $Lang::tr{'guardian'}, + 'uri' => '/cgi-bin/guardian.cgi', + 'title' => "$Lang::tr{'guardian'}", + 'enabled' => '1', + }; diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index c6f4dbc..29b3290 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -36,6 +36,7 @@ etc/rc.d/init.d/firstsetup etc/rc.d/init.d/fsresize etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d +#etc/rc.d/init.d/guardian etc/rc.d/init.d/halt #etc/rc.d/init.d/haproxy #etc/rc.d/init.d/hostapd @@ -92,6 +93,7 @@ etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns +#etc/rc.d/init.d/networking/red.up/35-guardian etc/rc.d/init.d/networking/red.up/40-ipac etc/rc.d/init.d/networking/red.up/50-ipsec etc/rc.d/init.d/networking/red.up/50-ovpn diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index f37f97e..7552b96 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot 
@@ -110,6 +110,7 @@ var/ipfire/menu.d/70-log.menu #var/ipfire/menu.d/EX-apcupsd.menu #var/ipfire/menu.d/EX-asterisk.menu #var/ipfire/menu.d/EX-bluetooth.menu +#var/ipfire/menu.d/EX-guardian.menu #var/ipfire/menu.d/EX-imspector.menu #var/ipfire/menu.d/EX-mpfire.menu #var/ipfire/menu.d/EX-samba.menu diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 16ccfe2..443dee3 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -37,6 +37,7 @@ etc/rc.d/init.d/firstsetup etc/rc.d/init.d/fsresize etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d +#etc/rc.d/init.d/guardian etc/rc.d/init.d/halt #etc/rc.d/init.d/haproxy #etc/rc.d/init.d/hostapd @@ -94,6 +95,7 @@ etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns +#etc/rc.d/init.d/networking/red.up/35-guardian etc/rc.d/init.d/networking/red.up/40-ipac etc/rc.d/init.d/networking/red.up/50-ipsec etc/rc.d/init.d/networking/red.up/50-ovpn diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface index b9780ea..8c94d2e 100644 --- a/config/rootfiles/common/web-user-interface +++ b/config/rootfiles/common/web-user-interface @@ -23,6 +23,7 @@ srv/web/ipfire/cgi-bin/fireinfo.cgi srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/fwhosts.cgi srv/web/ipfire/cgi-bin/geoip-block.cgi +#srv/web/ipfire/cgi-bin/guardian.cgi srv/web/ipfire/cgi-bin/gpl.cgi srv/web/ipfire/cgi-bin/gui.cgi srv/web/ipfire/cgi-bin/hardwaregraphs.cgi diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 16ccfe2..443dee3 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts 
@@ -37,6 +37,7 @@ etc/rc.d/init.d/firstsetup etc/rc.d/init.d/fsresize etc/rc.d/init.d/functions #etc/rc.d/init.d/gnump3d +#etc/rc.d/init.d/guardian etc/rc.d/init.d/halt #etc/rc.d/init.d/haproxy #etc/rc.d/init.d/hostapd @@ -94,6 +95,7 @@ etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns +#etc/rc.d/init.d/networking/red.up/35-guardian etc/rc.d/init.d/networking/red.up/40-ipac etc/rc.d/init.d/networking/red.up/50-ipsec etc/rc.d/init.d/networking/red.up/50-ovpn diff --git a/config/rootfiles/core/104/filelists/files b/config/rootfiles/core/104/filelists/files index 9aeb79e..8c90a3f 100644 --- a/config/rootfiles/core/104/filelists/files +++ b/config/rootfiles/core/104/filelists/files @@ -2,9 +2,12 @@ etc/system-release etc/issue etc/collectd.conf etc/httpd/conf/global.conf +etc/rc.d/init.d/snort opt/pakfire/lib/functions.sh srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/html/themes/ipfire/include/functions.pl srv/web/ipfire/html/themes/ipfire/include/js/refreshInetInfo.js +var/ipfire/langs var/ipfire/updatexlrator/bin/download diff --git a/config/rootfiles/packages/guardian b/config/rootfiles/packages/guardian index 2ebdf1e..9eb3fed 100644 --- a/config/rootfiles/packages/guardian +++ b/config/rootfiles/packages/guardian 
@@ -1,8 +1,23 @@ -usr/local/bin/guardian.pl -usr/local/bin/guardian_block.sh -usr/local/bin/guardian_unblock.sh +etc/logrotate.d/guardian +etc/rc.d/init.d/guardian +etc/rc.d/init.d/networking/red.up/35-guardian +etc/rc.d/rc0.d/K76guardian +etc/rc.d/rc3.d/S45guardian +etc/rc.d/rc6.d/K76guardian +srv/web/ipfire/cgi-bin/guardian.cgi +usr/bin/guardianctrl +#usr/lib/perl5/site_perl/5.12.3/Guardian +usr/lib/perl5/site_perl/5.12.3/Guardian/Base.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/Config.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/Daemon.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/Events.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/IPtables.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/Logger.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm +usr/lib/perl5/site_perl/5.12.3/Guardian/Socket.pm +usr/sbin/guardian +var/ipfire/backup/addons/includes/guardian var/ipfire/guardian -var/ipfire/guardian/guardian.conf -var/ipfire/guardian/guardian.ignore +var/ipfire/menu.d/EX-guardian.menu var/log/guardian var/log/guardian/guardian.log diff --git a/config/rootfiles/packages/perl-Net-IP b/config/rootfiles/packages/perl-Net-IP new file mode 100644 index 0000000..815208d --- /dev/null +++ b/config/rootfiles/packages/perl-Net-IP @@ -0,0 +1,6 @@ +#usr/bin/ipcount +#usr/bin/iptab +usr/lib/perl5/site_perl/5.12.3/Net/IP.pm +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Net/IP +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Net/IP/.packlist +#usr/share/man/man3/Net::IP.3 diff --git a/config/rootfiles/packages/perl-common-sense b/config/rootfiles/packages/perl-common-sense new file mode 100644 index 0000000..1af6940 --- /dev/null +++ b/config/rootfiles/packages/perl-common-sense 
@@ -0,0 +1,7 @@ +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/common +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/common/sense +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/common/sense/.packlist +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/common +usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/common/sense.pm +usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/common/sense.pod +#usr/share/man/man3/common::sense.3 diff --git a/config/rootfiles/packages/perl-inotify2 b/config/rootfiles/packages/perl-inotify2 new file mode 100644 index 0000000..7b8114b --- /dev/null +++ b/config/rootfiles/packages/perl-inotify2 @@ -0,0 +1,8 @@ +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Linux +usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Linux/Inotify2.pm +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Linux +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Linux/Inotify2 +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Linux/Inotify2/.packlist +#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Linux/Inotify2/Inotify2.bs +usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Linux/Inotify2/Inotify2.so +#usr/share/man/man3/Linux::Inotify2.3 diff --git a/doc/language_issues.de b/doc/language_issues.de index 421c40e..81807d9 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -74,7 +74,6 @@ WARNING: translation string unused: bad characters in WARNING: translation string unused: behind a proxy WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules -WARNING: translation string unused: block WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface WARNING: translation string unused: cache management 
@@ -611,8 +610,6 @@ WARNING: translation string unused: tripwirewarningkeys WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug -WARNING: translation string unused: unblock -WARNING: translation string unused: unblock all WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase @@ -672,6 +669,9 @@ WARNING: untranslated string: dead peer detection WARNING: untranslated string: emerging rules WARNING: untranslated string: fwhost cust geoipgrp WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: info messages WARNING: untranslated string: no data diff --git a/doc/language_issues.en b/doc/language_issues.en index 0a1756f..a6c55d9 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -92,7 +92,6 @@ WARNING: translation string unused: bewan adsl pci st WARNING: translation string unused: bewan adsl usb WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules -WARNING: translation string unused: block WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface WARNING: translation string unused: cache management 
@@ -300,6 +299,8 @@ WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name WARNING: translation string unused: geoipblock flag WARNING: translation string unused: green interface +WARNING: translation string unused: guardian not running no hosts can be blocked +WARNING: translation string unused: guardian snort alertfile WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -644,8 +645,6 @@ WARNING: translation string unused: tripwirewarningkeys WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug -WARNING: translation string unused: unblock -WARNING: translation string unused: unblock all WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase @@ -704,6 +703,9 @@ WARNING: untranslated string: Scan for Songs WARNING: untranslated string: bytes WARNING: untranslated string: fwhost cust geoipgrp WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: info messages WARNING: untranslated string: no data diff --git a/doc/language_issues.es b/doc/language_issues.es index 17347f6..f99cb90 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -244,6 +244,10 @@ WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name WARNING: translation string unused: geoipblock flag WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -642,6 +646,7 @@ WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit +WARNING: untranslated string: block WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: ccd add 
@@ -921,6 +926,31 @@ WARNING: untranslated string: fwhost welcome WARNING: untranslated string: gen dh WARNING: untranslated string: generate dh key WARNING: untranslated string: grouptype +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: hardware support WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: imei 
@@ -1091,6 +1121,8 @@ WARNING: untranslated string: tor traffic limit hard WARNING: untranslated string: tor traffic limit soft WARNING: untranslated string: tor traffic read written WARNING: untranslated string: tor use exit nodes +WARNING: untranslated string: unblock +WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: uplink WARNING: untranslated string: upload dh key diff --git a/doc/language_issues.fr b/doc/language_issues.fr index a93453f..c9714b5 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -241,6 +241,10 @@ WARNING: translation string unused: generatepolicy WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -649,6 +653,7 @@ WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit +WARNING: untranslated string: block WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: ccd add 
@@ -936,6 +941,31 @@ WARNING: untranslated string: geoipblock country is allowed WARNING: untranslated string: geoipblock country is blocked WARNING: untranslated string: geoipblock enable feature WARNING: untranslated string: grouptype +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: hardware support WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: imei 
@@ -1103,6 +1133,8 @@ WARNING: untranslated string: tor traffic limit hard WARNING: untranslated string: tor traffic limit soft WARNING: untranslated string: tor traffic read written WARNING: untranslated string: tor use exit nodes +WARNING: untranslated string: unblock +WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: uplink WARNING: untranslated string: upload dh key diff --git a/doc/language_issues.it b/doc/language_issues.it index 776b932..b271c22 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -291,6 +291,10 @@ WARNING: translation string unused: generatepolicy WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -699,6 +703,7 @@ WARNING: untranslated string: advproxy basic authentication WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: application layer gateways +WARNING: untranslated string: block WARNING: untranslated string: bytes WARNING: untranslated string: check all WARNING: untranslated string: dhcp dns enable update 
@@ -742,6 +747,31 @@ WARNING: untranslated string: geoipblock configuration WARNING: untranslated string: geoipblock country is allowed WARNING: untranslated string: geoipblock country is blocked WARNING: untranslated string: geoipblock enable feature +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: incoming compression in bytes per second WARNING: untranslated string: incoming overhead in bytes per second 
@@ -770,6 +800,8 @@ WARNING: untranslated string: routing table WARNING: untranslated string: samba join a domain WARNING: untranslated string: samba join domain WARNING: untranslated string: search +WARNING: untranslated string: unblock +WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: vpn force mobike WARNING: untranslated string: vpn statistic n2n diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 77fa1f5..4ae42a6 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -290,6 +290,10 @@ WARNING: translation string unused: generatepolicy WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -697,6 +701,7 @@ WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device +WARNING: untranslated string: block WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: check all 
@@ -757,6 +762,31 @@ WARNING: untranslated string: geoipblock configuration WARNING: untranslated string: geoipblock country is allowed WARNING: untranslated string: geoipblock country is blocked WARNING: untranslated string: geoipblock enable feature +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: imei WARNING: untranslated string: imsi 
@@ -817,6 +847,8 @@ WARNING: untranslated string: show tls-auth key WARNING: untranslated string: software version WARNING: untranslated string: source ip country WARNING: untranslated string: ta key +WARNING: untranslated string: unblock +WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: upload dh key WARNING: untranslated string: vendor diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 17347f6..f99cb90 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -244,6 +244,10 @@ WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name WARNING: translation string unused: geoipblock flag WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -642,6 +646,7 @@ WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit +WARNING: untranslated string: block WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: ccd add 
@@ -921,6 +926,31 @@ WARNING: untranslated string: fwhost welcome WARNING: untranslated string: gen dh WARNING: untranslated string: generate dh key WARNING: untranslated string: grouptype +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: hardware support WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: imei 
@@ -1091,6 +1121,8 @@ WARNING: untranslated string: tor traffic limit hard WARNING: untranslated string: tor traffic limit soft WARNING: untranslated string: tor traffic read written WARNING: untranslated string: tor use exit nodes +WARNING: untranslated string: unblock +WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: uplink WARNING: untranslated string: upload dh key diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 6446a74..8c5d4bb 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -237,6 +237,10 @@ WARNING: translation string unused: generatepolicy WARNING: translation string unused: generatereport WARNING: translation string unused: genkey WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host @@ -642,6 +646,7 @@ WARNING: untranslated string: application layer gateways WARNING: untranslated string: atm device WARNING: untranslated string: attention WARNING: untranslated string: bit +WARNING: untranslated string: block WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: ccd add 
@@ -920,6 +925,31 @@ WARNING: untranslated string: geoipblock country is allowed WARNING: untranslated string: geoipblock country is blocked WARNING: untranslated string: geoipblock enable feature WARNING: untranslated string: grouptype +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: hardware support WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: imei 
@@ -1084,6 +1114,8 @@ WARNING: untranslated string: tor traffic limit hard WARNING: untranslated string: tor traffic limit soft WARNING: untranslated string: tor traffic read written WARNING: untranslated string: tor use exit nodes +WARNING: untranslated string: unblock +WARNING: untranslated string: unblock all WARNING: untranslated string: uncheck all WARNING: untranslated string: uplink WARNING: untranslated string: upload dh key diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 5479859..1389408 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -92,7 +92,6 @@ WARNING: translation string unused: bewan adsl pci st WARNING: translation string unused: bewan adsl usb WARNING: translation string unused: bitrate WARNING: translation string unused: bleeding rules -WARNING: translation string unused: block WARNING: translation string unused: blue access use hint WARNING: translation string unused: blue interface WARNING: translation string unused: cache management @@ -300,6 +299,10 @@ WARNING: translation string unused: geoipblock country code WARNING: translation string unused: geoipblock country name WARNING: translation string unused: geoipblock flag WARNING: translation string unused: green interface +WARNING: translation string unused: guardian alertfile +WARNING: translation string unused: guardian ignorefile +WARNING: translation string unused: guardian interface +WARNING: translation string unused: guardian timelimit WARNING: translation string unused: gz with key WARNING: translation string unused: hint WARNING: translation string unused: host 
@@ -644,8 +647,6 @@ WARNING: translation string unused: tripwirewarningkeys WARNING: translation string unused: tripwirewarningpolicy WARNING: translation string unused: umount WARNING: translation string unused: umount removable media before to unplug -WARNING: translation string unused: unblock -WARNING: translation string unused: unblock all WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase 
@@ -705,6 +706,31 @@ WARNING: untranslated string: application layer gateways WARNING: untranslated string: bytes WARNING: untranslated string: fwhost cust geoipgrp WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: guardian +WARNING: untranslated string: guardian block a host +WARNING: untranslated string: guardian block httpd brute-force +WARNING: untranslated string: guardian block owncloud brute-force +WARNING: untranslated string: guardian block ssh brute-force +WARNING: untranslated string: guardian blockcount +WARNING: untranslated string: guardian blocked hosts +WARNING: untranslated string: guardian blocking of this address is not allowed +WARNING: untranslated string: guardian blocktime +WARNING: untranslated string: guardian common settings +WARNING: untranslated string: guardian daemon +WARNING: untranslated string: guardian empty input +WARNING: untranslated string: guardian enabled +WARNING: untranslated string: guardian firewallaction +WARNING: untranslated string: guardian ignored hosts +WARNING: untranslated string: guardian invalid address or subnet +WARNING: untranslated string: guardian invalid blockcount +WARNING: untranslated string: guardian invalid blocktime +WARNING: untranslated string: guardian invalid logfile +WARNING: untranslated string: guardian logfacility +WARNING: untranslated string: guardian loglevel +WARNING: untranslated string: guardian no entries +WARNING: untranslated string: guardian priority level +WARNING: untranslated string: guardian service +WARNING: untranslated string: guardian watch snort alertfile WARNING: untranslated string: ike lifetime should be between 1 and 8 hours WARNING: untranslated string: info messages WARNING: untranslated string: no data diff --git a/doc/language_missings b/doc/language_missings index 32e1e48..8afdfe8 100644 --- a/doc/language_missings +++ b/doc/language_missings 
@@ -372,6 +372,28 @@ < geoipblock enable feature < geoipblock flag < grouptype +< guardian +< guardian block a host +< guardian blockcount +< guardian blocked hosts +< guardian block httpd brute-force +< guardian blocking of this address is not allowed +< guardian block owncloud brute-force +< guardian block ssh brute-force +< guardian blocktime +< guardian common settings +< guardian daemon +< guardian empty input +< guardian enabled +< guardian firewallaction +< guardian ignored hosts +< guardian invalid address or subnet +< guardian logfacility +< guardian loglevel +< guardian no entries +< guardian priority level +< guardian service +< guardian watch snort alertfile < hardware support < imei < imsi @@ -973,6 +995,28 @@ < gen dh < generate dh key < grouptype +< guardian +< guardian block a host +< guardian blockcount +< guardian blocked hosts +< guardian block httpd brute-force +< guardian blocking of this address is not allowed +< guardian block owncloud brute-force +< guardian block ssh brute-force +< guardian blocktime +< guardian common settings +< guardian daemon +< guardian empty input +< guardian enabled +< guardian firewallaction +< guardian ignored hosts +< guardian invalid address or subnet +< guardian logfacility +< guardian loglevel +< guardian no entries +< guardian priority level +< guardian service +< guardian watch snort alertfile < hardware support < imei < imsi 
@@ -1568,6 +1612,28 @@ < geoipblock enable feature < geoipblock flag < grouptype +< guardian +< guardian block a host +< guardian blockcount +< guardian blocked hosts +< guardian block httpd brute-force +< guardian blocking of this address is not allowed +< guardian block owncloud brute-force +< guardian block ssh brute-force +< guardian blocktime +< guardian common settings +< guardian daemon +< guardian empty input +< guardian enabled +< guardian firewallaction +< guardian ignored hosts +< guardian invalid address or subnet +< guardian logfacility +< guardian loglevel +< guardian no entries +< guardian priority level +< guardian service +< guardian watch snort alertfile < hardware support < imei < imsi @@ -2152,6 +2218,28 @@ < geoipblock enable feature < geoipblock flag < grouptype +< guardian +< guardian block a host +< guardian blockcount +< guardian blocked hosts +< guardian block httpd brute-force +< guardian blocking of this address is not allowed +< guardian block owncloud brute-force +< guardian block ssh brute-force +< guardian blocktime +< guardian common settings +< guardian daemon +< guardian empty input +< guardian enabled +< guardian firewallaction +< guardian ignored hosts +< guardian invalid address or subnet +< guardian logfacility +< guardian loglevel +< guardian no entries +< guardian priority level +< guardian service +< guardian watch snort alertfile < hardware support < hour-graph < imei diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi new file mode 100644 index 0000000..9d044fe --- /dev/null +++ b/html/cgi-bin/guardian.cgi 
@@ -0,0 +1,1129 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2016 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; +use Locale::Codes::Country; +use Guardian::Socket; + +# enable only the following on debugging purpose +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "${General::swroot}/header.pl"; + +#workaround to suppress a warning when a variable is used only once +my @dummy = ( + ${Header::colourred}, + ${Header::colourgreen} +); + +undef (@dummy); + +my $string=(); +my $memory=(); +my @memory=(); +my @pid=(); +my @guardian=(); + +# Path to the guardian.ignore file. +my $ignorefile ='/var/ipfire/guardian/guardian.ignore'; + +# Hash which contains the supported modules and the +# file locations on IPFire systems. 
+my %module_file_locations = ( + "HTTPD" => "/var/log/httpd/error_log", + "OWNCLOUD" => "/var/owncloud/data/owncloud.log", + "SNORT" => "/var/log/snort/alert", + "SSH" => "/var/log/messages", +); + +our %netsettings = (); +&General::readhash("${General::swroot}/ethernet/settings", %netsettings); + +our %color = (); +our %mainsettings = (); +&General::readhash("${General::swroot}/main/settings", %mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color); + +# Pakfire meta file for owncloud. +# (File exists when the addon is installed.) +my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud"; + + +# File declarations. +my $settingsfile = "${General::swroot}/guardian/settings"; +my $ignoredfile = "${General::swroot}/guardian/ignored"; + +# Create empty settings and ignoredfile if they do not exist yet. +unless (-e "$settingsfile") { system("touch $settingsfile"); } +unless (-e "$ignoredfile") { system("touch $ignoredfile"); } + +our %settings = (); +our %ignored = (); + +$settings{'ACTION'} = ''; + +$settings{'GUARDIAN_ENABLED'} = 'off'; +$settings{'GUARDIAN_MONITOR_SNORT'} = 'on'; +$settings{'GUARDIAN_MONITOR_SSH'} = 'on'; +$settings{'GUARDIAN_MONITOR_HTTPD'} = 'on'; +$settings{'GUARDIAN_MONITOR_OWNCLOUD'} = ''; +$settings{'GUARDIAN_LOG_FACILITY'} = 'syslog'; +$settings{'GUARDIAN_LOGLEVEL'} = 'info'; +$settings{'GUARDIAN_BLOCKCOUNT'} = '3'; +$settings{'GUARDIAN_BLOCKTIME'} = '86400'; +$settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP'; +$settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log'; +$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3'; + +# Default settings for owncloud if installed. +if ( -e "$owncloud_meta") { + $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off'; +} + +my $errormessage = ''; + +&Header::showhttpheaders(); + +# Get GUI values. +&Header::getcgihash(%settings); + +# Check if guardian is running and grab some stats. 
+&daemonstats(); +my $pid = $pid[0]; + +## Perform input checks and save settings. +# +if ($settings{'ACTION'} eq $Lang::tr{'save'}) { + # Check for valid blocktime. + unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) { + $errormessage = "$Lang::tr{'guardian invalid blocktime'}"; + } + + # Check if the bloccount is valid. + unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) { + $errormessage = "$Lang::tr{'guardian invalid blockcount'}"; + } + + # Check Logfile. + unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9./]+$/) { + $errormessage = "$Lang::tr{'guardian invalid logfile'}"; + } + + # Only continue if no error message has been set. + if($errormessage eq '') { + # Write configuration settings to file. + &General::writehash("${General::swroot}/guardian/settings", %settings); + + # Update configuration files. + &BuildConfiguration(); + } + +## Add/edit an entry to the ignore file. +# +} elsif (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::tr{'update'})) { + + # Check if any input has been performed. + if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') { + + # Check if the given input is no valid IP-address or IP-address with subnet, display an error message. + if ((!&General::validip($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($settings{'IGNORE_ENTRY_ADDRESS'}))) { + $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; + } + } else { + $errormessage = "$Lang::tr{'guardian empty input'}"; + } + + # Go further if there was no error. + if ($errormessage eq '') { + my %ignored = (); + my $id; + my $status; + + # Assign hash values. + my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'}; + my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'}; + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, %ignored); + + # Check if we should edit an existing entry and got an ID. 
+ if (($settings{'ACTION'} eq $Lang::tr{'update'}) && ($settings{'ID'})) { + # Assin the provided id. + $id = $settings{'ID'}; + + # Undef the given ID. + undef($settings{'ID'}); + + # Grab the configured status of the corresponding entry. + $status = $ignored{$id}[2]; + } else { + # Each newly added entry automatically should be enabled. + $status = "enabled"; + + # Generate the ID for the new entry. + # + # Sort the keys by it's ID and store them in an array. + my @keys = sort { $a <=> $b } keys %ignored; + + # Reverse the key array. + my @reversed = reverse(@keys); + + # Obtain the last used id. + my $last_id = @reversed[0]; + + # Increase the last id by one and use it as id for the new entry. + $id = ++$last_id; + } + + # Add/Modify the entry to/in the ignored hash. + $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"]; + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($ignoredfile, %ignored); + + # Regenerate the ignore file. + &GenerateIgnoreFile(); + } + + # Check if guardian is running. + if ($pid > 0) { + # Send reload command through socket connection. + &Guardian::Socket::Client("reload-ignore-list"); + } + +## Toggle Enabled/Disabled for an existing entry on the ignore list. +# + +} elsif ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + my %ignored = (); + + # Only go further, if an ID has been passed. + if ($settings{'ID'}) { + # Assign the given ID. + my $id = $settings{'ID'}; + + # Undef the given ID. + undef($settings{'ID'}); + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, %ignored); + + # Grab the configured status of the corresponding entry. + my $status = $ignored{$id}[2]; + + # Switch the status. + if ($status eq "disabled") { + $status = "enabled"; + } else { + $status = "disabled"; + } + + # Modify the status of the existing entry. 
+ $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"]; + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($ignoredfile, %ignored); + + # Regenerate the ignore file. + &GenerateIgnoreFile(); + + # Check if guardian is running. + if ($pid > 0) { + # Send reload command through socket connection. + &Guardian::Socket::Client("reload-ignore-list"); + } + } + +## Remove entry from ignore list. +# +} elsif ($settings{'ACTION'} eq $Lang::tr{'remove'}) { + my %ignored = (); + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, %ignored); + + # Drop entry from the hash. + delete($ignored{$settings{'ID'}}); + + # Undef the given ID. + undef($settings{'ID'}); + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($ignoredfile, %ignored); + + # Regenerate the ignore file. + &GenerateIgnoreFile(); + + # Check if guardian is running. + if ($pid > 0) { + # Send reload command through socket connection. + &Guardian::Socket::Client("reload-ignore-list"); + } + +## Block a user given address or subnet. +# +} elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) { + + # Assign some temporary variables used for input validation. + my $input = $settings{'ADDRESS_BLOCK'}; + my $green = $netsettings{'GREEN_ADDRESS'}; + my $blue = $netsettings{'BLUE_ADDRESS'}; + my $orange = $netsettings{'ORANGE_ADDRESS'}; + my $red = $netsettings{'RED_ADDRESS'}; + + # File declarations. + my $gatewayfile = "${General::swroot}/red/remote-ipaddress"; + my $dns1file = "${General::swroot}/red/dns1"; + my $dns2file = "${General::swroot}/red/dns2"; + + # Get gateway address. + my $gateway = &_get_address_from_file($gatewayfile); + + # Get addresses from the used dns servers. + my $dns1 = &_get_address_from_file($dns1file); + my $dns2 = &_get_address_from_file($dns2file); + + # Check if any input has been performed. 
+ if ($input eq '') { + $errormessage = "$Lang::tr{'guardian empty input'}"; + } + + # Check if the given input is localhost (127.0.0.1). + elsif ($input eq "127.0.0.1") { + $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}"; + } + + # Check if the given input is anywhere (0.0.0.0). + elsif ($input eq "0.0.0.0") { + $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}"; + } + + # Check if the given input is one of the interface addresses or our gateway. + elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") { + $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}"; + } + + # Check if the given input is a valid IP address. + elsif (!&General::validip($input)) { + $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; + } + + # Go further if there was no error. + if ($errormessage eq '') { + my $block = $settings{'ADDRESS_BLOCK'}; + + # Send command to block the specified address through socket connection. + &Guardian::Socket::Client("block $block"); + } + +## Unblock address or subnet. +# +} elsif ($settings{'ACTION'} eq $Lang::tr{'unblock'}) { + + # Check if no empty input has been performed. + if ($settings{'ADDRESS_UNBLOCK'} ne '') { + + # Check if the given input is no valid IP-address or IP-address with subnet, display an error message. + if ((!&General::validip($settings{'ADDRESS_UNBLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_UNBLOCK'}))) { + $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; + } + + } else { + $errormessage = "$Lang::tr{'guardian empty input'}"; + } + + # Go further if there was no error. + if ($errormessage eq '') { + my $unblock = $settings{'ADDRESS_UNBLOCK'}; + + # Send command to unblock the given address through socket connection. + &Guardian::Socket::Client("unblock $unblock"); + } + +## Unblock all. 
+# +} elsif ($settings{'ACTION'} eq $Lang::tr{'unblock all'}) { + + # Send flush command through socket connection. + &Guardian::Socket::Client("flush"); +} + +# Load settings from files. +&General::readhash("${General::swroot}/guardian/settings", %settings); +&General::readhasharray("${General::swroot}/guardian/ignored", %ignored); + +# Call functions to generate whole page. +&showMainBox(); +&showIgnoreBox(); + +# Display area only if guardian is running. +if ( ($memory != 0) && ($pid > 0) ) { + &showBlockedBox(); +} + +# Function to display the status of guardian and allow base configuration. +sub showMainBox() { + my %checked = (); + my %selected = (); + + $checked{'GUARDIAN_ENABLED'}{'on'} = ''; + $checked{'GUARDIAN_ENABLED'}{'off'} = ''; + $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked'; + $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} = ''; + $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} = ''; + $checked{'GUARDIAN_MONITOR_SNORT'}{$settings{'GUARDIAN_MONITOR_SNORT'}} = "checked='checked'"; + $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = ''; + $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = ''; + $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'"; + $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = ''; + $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = ''; + $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'"; + $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = ''; + $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = ''; + $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'"; + + $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected'; + $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected'; + $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected'; + $selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected'; + + 
&Header::openpage($Lang::tr{'guardian configuration'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + # Print errormessage if there is one. + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<font class='base'>$errormessage </font>\n"; + &Header::closebox(); + } + + ### Java Script ### + print<<END; + <script> + var update_options = function() { + + var logfacility = $("#GUARDIAN_LOG_FACILITY").val(); + var loglevel = $("#GUARDIAN_LOGLEVEL").val(); + + if (logfacility === undefined) + return; + + if (loglevel === undefined) + return; + + // Show / Hide input for specifying the path to the logfile. + if (logfacility === "file") { + $(".GUARDIAN_LOGFILE").show(); + } else { + $(".GUARDIAN_LOGFILE").hide(); + } + + // Show / Hide loglevel debug if the facility is set to syslog. + if (logfacility === "syslog") { + $("#loglevel_debug").hide(); + } else { + $("#loglevel_debug").show(); + } + + // Show / Hide logfacility syslog if the loglevel is set to debug. + if (loglevel === "debug") { + $("#logfacility_syslog").hide(); + } else { + $("#logfacility_syslog").show(); + } + }; + + $(document).ready(function() { + $("#GUARDIAN_LOG_FACILITY").change(update_options); + $("#GUARDIAN_LOGLEVEL").change(update_options); + update_options(); + + // Show / Hide snort priority level option, based if + // snort is enabled / disabled. + if ($('input[name=GUARDIAN_MONITOR_SNORT]:checked').val() == 'on') { + $('.GUARDIAN_SNORT_PRIORITY_LEVEL').show(); + } else { + $('.GUARDIAN_SNORT_PRIORITY_LEVEL').hide(); + } + + // Show/Hide snort priority level when GUARDIAN_MONITOR_SNORT get changed. + $('input[name=GUARDIAN_MONITOR_SNORT]').change(function() { + $('.GUARDIAN_SNORT_PRIORITY_LEVEL').toggle(); + }); + }); + </script> +END + + + + # Draw current guardian state. + &Header::openbox('100%', 'center', $Lang::tr{'guardian'}); + + # Get current status of guardian. 
+ &daemonstats(); + $pid = $pid[0]; + + # Display some useful information related to guardian, if daemon is running. + if ( ($memory != 0) && ($pid > 0) ){ + print <<END; + <table width='95%' cellspacing='0' class='tbl'> + <tr> + <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th> + </tr> + <tr> + <td class='base'>$Lang::tr{'guardian daemon'}</td> + <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td> + </tr> + <tr> + <td class='base'></td> + <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td> + <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td> + </tr> + <tr> + <td class='base'></td> + <td bgcolor='$color{'color22'}' align='center'>$pid</td> + <td bgcolor='$color{'color22'}' align='center'>$memory KB</td> + </tr> + </table> +END + } else { + # Otherwise display a hint that the service is not launched. + print <<END; + <table width='95%' cellspacing='0' class='tbl'> + <tr> + <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th> + </tr> + <tr> + <td class='base'>$Lang::tr{'guardian daemon'}</td> + <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td> + </tr> + </table> +END + } + + &Header::closebox(); + + # Draw elements for guardian configuration. 
+ &Header::openbox('100%', 'center', $Lang::tr{'guardian configuration'}); + + print <<END; + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + + <table width='95%'> + <tr> + <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian enabled'}:</td> + <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td> + </tr> + <tr> + <td colspan='2'><br></td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td> + <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> / + <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td> + <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> / + <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td> + <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> / + <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td> + </tr> +END + # Display owncloud checkbox when the addon is installed. 
+ if ( -e "$owncloud_meta" ) { + print"<tr>\n"; + print"<td width='20%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n"; + print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n"; + print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n"; + print"</tr>\n"; + } + print <<END; + <tr> + <td colspan='2'><br></td> + </tr> + <tr> + <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td> + <td><select id='GUARDIAN_LOG_FACILITY' name='GUARDIAN_LOG_FACILITY'> + <option id='logfacility_syslog' value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>syslog</option> + <option id='logfacility_file' value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>file</option> + <option id='logfacility_console' value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>console</option> + </select></td> + </tr> + <tr> + <td colspan='2'><br></td> + </tr> + <tr> + <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td> + <td><select id='GUARDIAN_LOGLEVEL' name='GUARDIAN_LOGLEVEL'> + <option id='loglevel_off' value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>off</option> + <option id='loglevel_info' value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>info</option> + <option id='loglevel_debug' value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>debug</option> + </select></td> + </tr> + <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL"> + <td colspan='2'><br></td> + </tr> + <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL"> + <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td> + <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'> + <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>1</option> + <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>2</option> + <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>3</option> + <option 
value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>4</option> + </select></td> + </tr> + <tr> + <td colspan='2'><br></td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian firewallaction'}:</td> + <td><select name='GUARDIAN_FIREWALL_ACTION'> + <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option> + <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option> + </select></td> + </tr> + <tr> + <td colspan='2'><br></td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian blockcount'}:</td> + <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td> + </tr> + <tr> + <td width='20%' class='base'>$Lang::tr{'guardian blocktime'}:</td> + <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td> + </tr> + <tr class="GUARDIAN_LOGFILE"> + <td width='20%' class='base'>$Lang::tr{'guardian logfile'}:</td> + <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td> + </tr> + </table> +END + + print <<END; + <hr> + + <table width='95%'> + <tr> + <td> </td> + <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> + <td> </td> + </tr> + </table> + </form> +END + + &Header::closebox(); +} + +# Function to show elements of the guardian ignorefile and allow to add or remove single members of it. +sub showIgnoreBox() { + &Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'}); + + print <<END; + <table width='80%'> + <tr> + <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td> + <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td> + <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> + </tr> +END + # Check if some hosts have been add to be ignored. + if (keys (%ignored)) { + my $col = ""; + + # Loop through all entries of the hash.. 
+ while( (my $key) = each %ignored) { + # Assign data array positions to some nice variable names. + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the key (id) number is even or not. + if ($settings{'ID'} eq $key) { + $col="bgcolor='${Header::colouryellow}'"; + } elsif ($key % 2) { + $col="bgcolor='$color{'color22'}'"; + } else { + $col="bgcolor='$color{'color20'}'"; + } + + # Choose icon for the checkbox. + my $gif; + my $gdesc; + + # Check if the status is enabled and select the correct image and description. + if ($status eq 'enabled' ) { + $gif = 'on.gif'; + $gdesc = $Lang::tr{'click to disable'}; + } else { + $gif = 'off.gif'; + $gdesc = $Lang::tr{'click to enable'}; + } + + print <<END; + <tr> + <td width='20%' class='base' $col>$address</td> + <td width='65%' class='base' $col>$remark</td> + + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> + <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' /> + <input type='hidden' name='ID' value='$key' /> + </form> + </td> + + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> + <input type='hidden' name='ID' value='$key' /> + </form> + </td> + + <td align='center' $col> + <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'> + <input type='hidden' name='ID' value='$key'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'> + </form> + </td> + </tr> +END + } + } else { + # Print notice that currently no hosts are ignored. 
+ print "<tr>\n"; + print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; + print "</tr>\n"; + } + + print "</table>\n"; + + # Section to add new elements or edit existing ones. + print <<END; + <br> + <hr> + <br> + + <div align='center'> + <table width='100%'> +END + + # Assign correct headline and button text. + my $buttontext; + my $entry_address; + my $entry_remark; + + # Check if an ID (key) has been given, in this case an existing entry should be edited. + if ($settings{'ID'} ne '') { + $buttontext = $Lang::tr{'update'}; + print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n"; + + # Grab address and remark for the given key. + $entry_address = $ignored{$settings{'ID'}}[0]; + $entry_remark = $ignored{$settings{'ID'}}[1]; + } else { + $buttontext = $Lang::tr{'add'}; + print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n"; + } + + print <<END; + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ID' value='$settings{'ID'}'> + <tr> + <td width='30%'>$Lang::tr{'ip address'}: </td> + <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td> + + <td width='30%'>$Lang::tr{'remark'}: </td> + <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td> + <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td> + </tr> + </form> + </table> + </div> +END + + &Header::closebox(); +} + +# Function to list currently bocked addresses from guardian and unblock them or add custom entries to block. +sub showBlockedBox() { + &Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'}); + + print <<END; + <table width='60%'> + <tr> + <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td> + </tr> +END + + # Lauch function to get the currently blocked hosts. 
+ my @blocked_hosts = &GetBlockedHosts(); + + my $id = 0; + my $col = ""; + + # Loop through our blocked hosts array. + foreach my $blocked_host (@blocked_hosts) { + + # Increase id number for each element in the ignore file. + $id++; + + # Check if the id number is even or not. + if ($id % 2) { + $col="bgcolor='$color{'color22'}'"; + } else { + $col="bgcolor='$color{'color20'}'"; + } + + print <<END; + <tr> + <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td> + <td width='20%' align='center' $col> + <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'> + <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'> + <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'> + </form> + </td> + </tr> +END + } + + # If the loop only has been runs once the id still is "0", which means there are no + # additional entries (blocked hosts) in the iptables chain. + if ($id == 0) { + + # Print notice that currently no hosts are blocked. + print "<tr>\n"; + print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; + print "</tr>\n"; + } + + print "</table>\n"; + + # Section for a manual block of an IP-address. 
+ print <<END; + <br> + <div align='center'> + <table width='60%' border='0'> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <tr> + <td width='30%'>$Lang::tr{'guardian block a host'}: </td> + <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td> + <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td> + <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td> + </tr> + </form> + </table> + </div> +END + + &Header::closebox(); +} + +&Header::closebigbox(); +&Header::closepage(); + +# Function to check if guardian has been started. +# Grab process id and consumed memory if the daemon is running. +sub daemonstats() { + $memory = 0; + # for pid and memory + open(FILE, '/usr/local/bin/addonctrl guardian status | '); + @guardian = <FILE>; + close(FILE); + $string = join("", @guardian); + $string =~ s/[a-z_]//gi; + $string =~ s/[[0-1];[0-9]+//gi; + $string =~ s/[().]//gi; + $string =~ s/ //gi; + $string =~ s/\e//gi; + @pid = split(/\s/,$string); + if (open(FILE, "/proc/$pid[0]/statm")){ + my $temp = <FILE>; + @memory = split(/ /,$temp); + close(FILE); + } + $memory+=$memory[0]; +} + +sub GetBlockedHosts() { + # Create new, empty array. + my @hosts; + + # Lauch helper to get chains from iptables. + system('/usr/local/bin/getipstat'); + + # Open temporary file which contains the chains and rules. + open (FILE, '/srv/web/ipfire/html/iptables.txt'); + + # Loop through the entire file. + while (<FILE>) { + my $line = $_; + + # Search for the guardian chain and extract + # the lines between it and the next empty line + # which is placed before the next firewall + # chain starts. + if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) { + # Skip descriptive lines. 
+ next if ($line =~ /^Chain/); + next if ($line =~ /^ pkts/); + + # Generate array, based on the line content (seperator is a single or multiple space's) + my @comps = split(/\s{1,}/, $line); + my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps; + + # Assign different variable names. + my $blocked_host = $source; + + # Add host to our hosts array. + if ($blocked_host) { + push(@hosts, $blocked_host); + } + } + } + + # Close filehandle. + close(FILE); + + # Remove recently created temporary files of the "getipstat" binary. + system(rm -f "/srv/web/ipfire/html/iptables.txt"); + system(rm -f "/srv/web/ipfire/html/iptablesmangle.txt"); + system(rm -f "/srv/web/ipfire/html/iptablesnat.txt"); + + # Convert entries, sort them, write back and store the sorted entries into new array. + my @sorted = map { $_->[0] } + sort { $a->[1] <=> $b->[1] } + map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/./, $_))] } + @hosts; + + # Return our sorted list. + return @sorted +} + +sub BuildConfiguration() { + my %settings = (); + &General::readhash("${General::swroot}/guardian/settings", %settings); + + my $configfile = "${General::swroot}/guardian/guardian.conf"; + + # Create the configfile if not exist yet. + unless (-e "$configfile") { system("touch $configfile"); } + + # Open configfile for writing. + open(FILE, ">$configfile"); + + # Config file header. + print FILE "# Autogenerated configuration file.\n"; + print FILE "# All user modifications will be overwritten.\n\n"; + + # Settings for the logging mechanism. + print FILE "# Log settings.\n"; + print FILE "LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n"; + + if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") { + print FILE "LogFile = $settings{'GUARDIAN_LOGFILE'}\n"; + } + + print FILE "LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n"; + + # IPFire related static settings. 
+ print FILE "# IPFire related settings.\n"; + print FILE "FirewallEngine = IPtables\n"; + print FILE "SocketOwner = nobody:nobody\n"; + print FILE "IgnoreFile = $ignorefile\n\n"; + + # Configured block values. + print FILE "# Configured block settings.\n"; + print FILE "BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n"; + print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n"; + print FILE "FirewallAction = $settings{'GUARDIAN_FIREWALL_ACTION'}\n\n"; + + # Enabled modules. + # Loop through whole settings hash. + print FILE "# Enabled modules.\n"; + foreach my $option (keys %settings) { + # Search for enabled modules. + if ($option =~ /GUARDIAN_MONITOR_(.*)/) { + # Skip if module is not enabled. + next unless($settings{$option} eq "on"); + + # Skip module if no file location is available. + next unless(exists($module_file_locations{$1})); + + # Add enabled module and defined path to the config file. + print FILE "Monitor_$1 = $module_file_locations{$1}\n"; + } + } + + # Module settings. + print FILE "\n# Module settings.\n"; + # Check if SNORT is enabled and add snort priority. + if ($settings{'GUARDIAN_MONITOR_SNORT'} eq "on") { + print FILE "SnortPriorityLevel = $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}\n"; + } + + close(FILE); + + # Generate ignore file. + &GenerateIgnoreFile(); + + # Check if guardian should be started or stopped. + if($settings{'GUARDIAN_ENABLED'} eq 'on') { + if($pid > 0) { + # Send reload command through socket connection. + &Guardian::Socket::Client("reload"); + } else { + # Launch guardian. + system("/usr/local/bin/addonctrl guardian start &>/dev/null"); + } + } else { + # Stop the daemon. + system("/usr/local/bin/addonctrl guardian stop &>/dev/null"); + } +} + +sub GenerateIgnoreFile() { + my %ignored = (); + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, %ignored); + + # Create the guardian.ignore file if not exist yet. + unless (-e "$ignorefile") { system("touch $ignorefile"); } + + # Open ignorefile for writing. 
+ open(FILE, ">$ignorefile"); + + # Config file header. + print FILE "# Autogenerated configuration file.\n"; + print FILE "# All user modifications will be overwritten.\n\n"; + + # Add IFPire interfaces and gateway to the ignore file. + # + # Assign some temporary variables for the IPFire interfaces. + my $green = $netsettings{'GREEN_ADDRESS'}; + my $blue = $netsettings{'BLUE_ADDRESS'}; + my $orange = $netsettings{'ORANGE_ADDRESS'}; + + # File declarations. + my $public_address_file = "${General::swroot}/red/local-ipaddress"; + my $gatewayfile = "${General::swroot}/red/remote-ipaddress"; + my $dns1file = "${General::swroot}/red/dns1"; + my $dns2file = "${General::swroot}/red/dns2"; + + # Write the obtained addresses to the ignore file. + print FILE "# IPFire local interfaces.\n"; + print FILE "$green\n"; + + # Check if a blue interface exists. + if ($blue) { + # Add blue address. + print FILE "$blue\n"; + } + + # Check if an orange interface exists. + if ($orange) { + # Add orange address. + print FILE "$orange\n"; + } + + print FILE "\n# IPFire red interface, gateway and used DNS-servers.\n"; + print FILE "# Include the corresponding files to obtain the addresses.\n"; + print FILE "Include_File = $public_address_file\n"; + print FILE "Include_File = $gatewayfile\n"; + print FILE "Include_File = $dns1file\n"; + print FILE "Include_File = $dns2file\n"; + + # Add all user defined hosts and networks to the ignore file. + # + # Check if the hash contains any elements. + if (keys (%ignored)) { + # Write headline. + print FILE "\n# User defined hosts/networks.\n"; + + # Loop through the entire hash and write the host/network + # and remark to the ignore file. + while ( (my $key) = each %ignored) { + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the status of the entry is "enabled". + if ($status eq "enabled") { + # Check if the address/network is valid. 
+ if ((&General::validip($address)) || (&General::validipandmask($address))) { + # Write the remark to the file. + print FILE "# $remark\n"; + + # Write the address/network to the ignore file. + print FILE "$address\n\n"; + } + } + } + } + + close(FILE); +} + +# Private subfunction to obtain IP-addresses from given file names. +# +sub _get_address_from_file ($) { + my $file = shift; + + # Check if the file exists. + if (-e $file) { + # Open the given file. + open(FILE, "$file") or die "Could not open $file."; + + # Obtain the address from the first line of the file. + my $address = <FILE>; + + # Close filehandle + close(FILE); + + # Remove newlines. + chomp $address; + + # Check if the grabbed address is valid. + if (&General::validip($address)) { + # Return the address. + return $address; + } + } + + # Return nothing. + return; +} diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index e7753aa..bc066a0 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -55,16 +55,7 @@ $snortsettings{'ENABLE_SNORT'} = 'off'; $snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; $snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; $snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; -$snortsettings{'ENABLE_GUARDIAN'} = 'off'; -$snortsettings{'GUARDIAN_INTERFACE'} = `cat /var/ipfire/red/iface`; -$snortsettings{'GUARDIAN_HOSTGATEWAYBYTE'} = '1'; -$snortsettings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log'; -$snortsettings{'GUARDIAN_ALERTFILE'} = '/var/log/snort/alert'; -$snortsettings{'GUARDIAN_IGNOREFILE'} = '/var/ipfire/guardian/guardian.ignore'; -$snortsettings{'GUARDIAN_TARGETFILE'} = '/var/ipfire/guardian/guardian.target'; -$snortsettings{'GUARDIAN_TIMELIMIT'} = '86400'; $snortsettings{'ACTION'} = ''; -$snortsettings{'ACTION2'} = ''; $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; $snortsettings{'INSTALLDATE'} = ''; 
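Review bot: In guardian.cgi, showIgnoreBox() prints $address and $remark from %ignored straight into the table cells and into value='$entry_address' / value='$entry_remark' with no HTML escaping anywhere in this part of the file, so a remark containing markup or a single quote lands in the page unchanged; escape both at output rather than relying on whatever was checked when the entry was stored. The same function has wicth='50%' and an unquoted name=IGNORE_ENTRY_REMARK. In GetBlockedHosts() the three cleanup calls are written as system(rm -f ...) with the command outside the quotes, so they do not run rm; unlink() on the three paths does the job without a shell. BuildConfiguration() and GenerateIgnoreFile() open their files with two-argument open and no error check, and the preceding system("touch ...") is redundant because opening with ">" already creates the file.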
@@ -311,39 +302,11 @@ if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} e } else { unlink "${General::swroot}/snort/enable_preprocessor_http_inspect"; } - if ($snortsettings{'ENABLE_GUARDIAN'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/guardian/enable"); - } else { - unlink "${General::swroot}/guardian/enable"; - }
system('/usr/local/bin/snortctrl restart >/dev/null');
-} elsif ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "guardian" ){ - foreach my $key (keys %snortsettings){ - if ( $key !~ /^GUARDIAN/ ){ - delete $snortsettings{$key}; - } - } - &General::writehashpart("${General::swroot}/snort/settings", %snortsettings); - open(IGNOREFILE, ">$snortsettings{'GUARDIAN_IGNOREFILE'}") or die "Unable to write guardian ignore file $snortsettings{'GUARDIAN_IGNOREFILE'}"; - print IGNOREFILE $snortsettings{'GUARDIAN_IGNOREFILE_CONTENT'}; - close(IGNOREFILE); - open(GUARDIAN, ">/var/ipfire/guardian/guardian.conf") or die "Unable to write guardian conf /var/ipfire/guardian/guardian.conf"; - print GUARDIAN <<END -Interface $snortsettings{'GUARDIAN_INTERFACE'} -HostGatewayByte $snortsettings{'GUARDIAN_HOSTGATEWAYBYTE'} -LogFile $snortsettings{'GUARDIAN_LOGFILE'} -AlertFile $snortsettings{'GUARDIAN_ALERTFILE'} -IgnoreFile $snortsettings{'GUARDIAN_IGNOREFILE'} -TargetFile $snortsettings{'GUARDIAN_TARGETFILE'} -TimeLimit $snortsettings{'GUARDIAN_TIMELIMIT'} -END -; - close(GUARDIAN); - system('/usr/local/bin/snortctrl restart >/dev/null'); } + # INSTALLMD5 is not in the form, so not retrieved by getcgihash &General::readhash("${General::swroot}/snort/settings", %snortsettings);
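Review bot: ACTION2 is only half removed: the context in the "@@ -311,39 +302,11 @@" header shows the remaining save branch still comparing $snortsettings{'ACTION2'}, while the first ids.cgi hunk drops the $snortsettings{'ACTION2'} = ''; default and this hunk drops the only other branch that tested it. Either keep the default so the comparison never sees an undefined value, or drop the ACTION2 test from the save condition as well, now that there is no second form to tell apart.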
@@ -400,9 +363,6 @@ $checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='c $checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; $checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; $checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; -$checked{'ENABLE_GUARDIAN'}{'off'} = ''; -$checked{'ENABLE_GUARDIAN'}{'on'} = ''; -$checked{'ENABLE_GUARDIAN'}{$snortsettings{'ENABLE_GUARDIAN'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; @@ -504,9 +464,6 @@ if ($netsettings{'ORANGE_DEV'} ne '') { print " <input type='checkbox' name='ENABLE_SNORT_ORANGE' $checked{'ENABLE_SNORT_ORANGE'}{'on'} /> ORANGE Snort"; } print " <input type='checkbox' name='ENABLE_SNORT' $checked{'ENABLE_SNORT'}{'on'} /> RED Snort"; -if ( -e "/var/ipfire/guardian/guardian.conf" ) { - print " <input type='checkbox' name='ENABLE_GUARDIAN' $checked{'ENABLE_GUARDIAN'}{'on'} /> Guardian"; -}
print <<END </td></tr> @@ -564,32 +521,6 @@ if ($results ne '') {
&Header::closebox();
-####################### Added for guardian control #################################### -if ( -e "/var/ipfire/guardian/guardian.conf" ) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'guardian configuration'}); -print <<END -<form method='post' action='$ENV{'SCRIPT_NAME'}'><table width='100%'> -<tr><td align='left' width='40%'>$Lang::tr{'guardian interface'}</td><td align='left'><input type='text' name='GUARDIAN_INTERFACE' value='$snortsettings{'GUARDIAN_INTERFACE'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'guardian timelimit'}</td><td align='left'><input type='text' name='GUARDIAN_TIMELIMIT' value='$snortsettings{'GUARDIAN_TIMELIMIT'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'guardian logfile'}</td><td align='left'><input type='text' name='GUARDIAN_LOGFILE' value='$snortsettings{'GUARDIAN_LOGFILE'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'guardian alertfile'}</td><td align='left'><input type='text' name='GUARDIAN_ALERTFILE' value='$snortsettings{'GUARDIAN_ALERTFILE'}' size="30" /></td></tr> -<tr><td align='left' width='40%'>$Lang::tr{'guardian ignorefile'}</td><td align='left'><textarea name='GUARDIAN_IGNOREFILE_CONTENT' cols='32' rows='6' wrap='off'> -END -; - print `cat /var/ipfire/guardian/guardian.ignore`; -print <<END -</textarea></td></tr> -<tr><td align='right' colspan='2'><input type='hidden' name='ACTION2' value='guardian' /><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td></tr> -</table> -</form> -END -; - &Header::closebox(); -} - - - - ####################### Added for snort rules control ################################# if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) { &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); 
diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index a8a7ba4..f954213 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -67,7 +67,8 @@ my %sections = ( 'pakfire' => '(pakfire:) ', 'wireless' => '(hostapd:|kernel: ath.*:|kernel: wifi[0-9]:) ', 'squid' => '(squid[.*]: |squid: )', - 'snort' => '(snort[.*]: )' + 'snort' => '(snort[.*]: )', + 'guardian' => '(guardian[.*]: )' );
# Translations for the %sections array. @@ -90,7 +91,8 @@ my %trsections = ( 'pakfire' => 'Pakfire', 'wireless' => 'Wireless', 'squid' => "$Lang::tr{'web proxy'}", - 'snort' => "$Lang::tr{'intrusion detection'}" + 'snort' => "$Lang::tr{'intrusion detection'}", + 'guardian' => "$Lang::tr{'guardian'}" );
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 58c0e7a..400c2fe 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -1217,12 +1217,30 @@ 'green interface' => 'Grünes Interface', 'grouptype' => 'Gruppentyp:', 'guaranteed bandwith' => 'Garantierte Bandbreite', -'guardian alertfile' => 'Alertfile', -'guardian configuration' => 'Guardian Konfiguration', -'guardian ignorefile' => 'Ignorefile', -'guardian interface' => 'Interface', -'guardian logfile' => 'Logfile', -'guardian timelimit' => 'Timelimit', +'guardian' => 'Guardian', +'guardian block a host' => 'Host blocken', +'guardian block httpd brute-force' => 'httpd-Brute-Force-Erkennung', +'guardian block owncloud brute-force' => 'Owncloud-Brute-Force-Erkennung', +'guardian block ssh brute-force' => 'SSH-Brute-Force-Erkennung', +'guardian blockcount' => 'Trefferschwelle', +'guardian blocked hosts' => 'Aktuell geblockte Hosts', +'guardian blocking of this address is not allowed' => 'Diese Addresse darf nicht gelockt werden.', +'guardian blocktime' => 'Blockzeit', +'guardian common settings' => 'Allgemeine Einstellungen', +'guardian configuration' => 'Guardian-Konfiguration', +'guardian daemon' => 'Daemon', +'guardian empty input' => 'Fehlende Angabe: Bitte eine gültige IP-Addresse oder Netzwerk angeben.', +'guardian enabled' => 'Guardian aktivieren', +'guardian firewallaction' => 'Firewall-Aktion', +'guardian ignored hosts' => 'Ignorierte Hosts', +'guardian invalid address or subnet' => 'Ungültige Host-Addresse oder Netzwerk.', +'guardian logfacility' => 'Logziel', +'guardian logfile' => 'Logdatei', +'guardian loglevel' => 'Loglevel', +'guardian no entries' => 'Keine Einträge vorhanden.', +'guardian priority level' => 'Prioritätslevel', +'guardian service' => 'Guardian-Dienst', +'guardian watch snort alertfile' => 'Snort-Alarme auswerten', 'guest ok' => 'Gastzugang gewähren', 'gui settings' => 'Benutzeroberfläche', 'gz with key' => 'Nur ein verschlüsseltes Archiv kann auf dieser Maschine wiederhergestellt werden.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 747d12e..7a7c104 100644 
--- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1246,12 +1246,32 @@ 'green interface' => 'Green Interface', 'grouptype' => 'Grouptype:', 'guaranteed bandwith' => 'Guaranteed bandwith', -'guardian alertfile' => 'Alertfile', +'guardian' => 'Guardian', +'guardian block a host' => 'Block host', +'guardian block httpd brute-force' => 'httpd Brute Force Detection', +'guardian block owncloud brute-force' => 'Owncloud Brute Force detection', +'guardian block ssh brute-force' => 'SSH Brute Force Detection', +'guardian blockcount' => 'Strike Threshold', +'guardian blocked hosts' => 'Currently blocked hosts', +'guardian blocking of this address is not allowed' => 'Blocking of the given address is not allowed.', +'guardian blocktime' => 'Block Time', +'guardian common settings' => 'Common Settings', 'guardian configuration' => 'Guardian Configuration', -'guardian ignorefile' => 'Ignorefile', -'guardian interface' => 'Interface', -'guardian logfile' => 'Logfile', -'guardian timelimit' => 'Timelimit', +'guardian daemon' => 'Daemon', +'guardian empty input' => 'Empty input: Please perform a valid host address or subnet.', +'guardian enabled' => 'Enable Guardian', +'guardian firewallaction' => 'Firewall Action', +'guardian ignored hosts' => 'Ignored Hosts', +'guardian invalid address or subnet' => 'Invalid host address or subnet.', +'guardian logfacility' => 'Log Facility', +'guardian logfile' => 'Log File', +'guardian loglevel' => 'Log Level', +'guardian no entries' => 'No entries at the moment.', +'guardian not running no hosts can be blocked' => 'Guardian is not running. No hosts will be blocked.', +'guardian priority level' => 'Priority Level', +'guardian service' => 'Guardian Service', +'guardian snort alertfile' => 'Snort Alert File', +'guardian watch snort alertfile' => 'Monitor Snort Alert File', 'guest ok' => 'allow guests to access', 'gui settings' => 'GUI Settings', 'gz with key' => 'Only an encrypted archive can be restored on this machine.', 
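Review bot: The two language hunks are out of step and carry typos. en.pl adds 'guardian not running no hosts can be blocked' and 'guardian snort alertfile', neither of which appears in the de.pl hunk, and its 'guardian empty input' text reads "Please perform a valid host address or subnet" where "provide" is meant. In de.pl, 'guardian blocking of this address is not allowed' says "gelockt" instead of "geblockt", and "Addresse" (three strings) should be "Adresse". Capitalisation in en.pl is also inconsistent ('Owncloud Brute Force detection' next to 'SSH Brute Force Detection').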
diff --git a/lfs/guardian b/lfs/guardian index a91fbd9..b02ec54 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -24,46 +24,89 @@
include Config
-VER = ipfire +VER = 2.0
THISAPP = guardian-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) + PROG = guardian -PAK_VER = 9 +PAK_VER = 10 + +DEPS = "perl-inotify2 perl-Net-IP"
-DEPS = ""
############################################################################### # Top-level Rules ###############################################################################
-objects = +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 15be3b14a70e21502368deca74903f5c
install : $(TARGET)
-check : +check : $(patsubst %,$(DIR_CHK)/%,$(objects))
-download : +download :$(patsubst %,$(DIR_DL)/%,$(objects))
-md5 : +md5 : $(subst %,%_MD5,$(objects))
-dist: +dist: @$(PAK)
############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### # Installation Details ###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - -mkdir -p /var/ipfire/guardian /var/log/guardian - touch /var/log/guardian/guardian.log - touch /var/ipfire/guardian/guardian.ignore - install -v -m 644 $(DIR_SRC)/config/guardian/guardian.conf /var/ipfire/guardian/ - install -v -m 755 $(DIR_SRC)/config/guardian/guardian.pl /usr/local/bin/ - install -v -m 755 $(DIR_SRC)/config/guardian/guardian_block.sh /usr/local/bin/ - install -v -m 755 $(DIR_SRC)/config/guardian/guardian_unblock.sh /usr/local/bin/ + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE) + + # Adjust path for firewall binaries. + cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm + + cd $(DIR_APP) && make + cd $(DIR_APP) && make install + + # Create config directory and create files. + -mkdir -pv /var/ipfire/guardian chown nobody.nobody /var/ipfire/guardian - chown nobody.nobody /var/ipfire/guardian/{guardian.conf,guardian.ignore} + + # Create directory and file for logging. + -mkdir -pv /var/log/guardian + touch /var/log/guardian/guardian.log + + # Create symlinks for runlevel interaction. + ln -svf /etc/rc.d/init.d/guardian /etc/rc.d/rc3.d/S45guardian + ln -svf /etc/rc.d/init.d/guardian /etc/rc.d/rc0.d/K76guardian + ln -svf /etc/rc.d/init.d/guardian /etc/rc.d/rc6.d/K76guardian + + # Install include file for backup. + install -v -m 644 $(DIR_SRC)/config/backup/includes/guardian \ + /var/ipfire/backup/addons/includes/guardian + + # Logrotate. + -mkdir -pv /etc/logrotate.d + install -v -m 644 $(DIR_SRC)/config/guardian/guardian.logrotate \ + /etc/logrotate.d/guardian + + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/perl-Net-IP b/lfs/perl-Net-IP new file mode 100644 index 0000000..e509be3 --- /dev/null +++ b/lfs/perl-Net-IP 
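Review bot: The path fix-up in the $(TARGET) rule, sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm, rewrites every /usr/sbin/ occurrence in that module rather than the firewall binary it is meant for, so a later guardian release that references another /usr/sbin/ tool there would be changed silently; match the full iptables path instead. The rule also stops installing guardian.conf and guardian.ignore and only chowns the directory, while /var/log/guardian/guardian.log is touched with no owner or mode set; if the daemon or the CGI is expected to write that file as a non-root user, set the ownership here explicitly.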
@@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2011 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### +include Config +VER = 1.26 + +THISAPP = Net-IP-$(VER) +DL_FILE = ${THISAPP}.tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +PROG = perl-Net-IP +DEPS = "" +PAK_VER = 1 + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 3a98e3ac45d69ea38a63a7e678bd716d + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && perl Makefile.PL + cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/perl-common-sense b/lfs/perl-common-sense new file mode 100644 index 0000000..a2fb1fa --- /dev/null +++ b/lfs/perl-common-sense 
@@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2011 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### +include Config +VER = 3.74 + +THISAPP = common-sense-$(VER) +DL_FILE = ${THISAPP}.tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +PROG = perl-common-sense +DEPS = "" +PAK_VER = 1 + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 35b273147200c4c95eef7816f83e572d + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && perl Makefile.PL + cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/perl-inotify2 b/lfs/perl-inotify2 new file mode 100644 index 0000000..bcb9236 --- /dev/null +++ b/lfs/perl-inotify2 
@@ -0,0 +1,85 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2013 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.22 + +THISAPP = Linux-Inotify2-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +PROG = perl-inotify2 +DEPS = "perl-common-sense" +PAK_VER = 1 + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = bc0a86f04476f9e0aaab026b8081f097 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && perl Makefile.PL + cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 3adf6d3..fdda3e5 100755 --- a/make.sh +++ b/make.sh @@ -870,6 +870,9 @@ buildipfire() { ipfiremake libyajl ipfiremake libvirt ipfiremake freeradius + ipfiremake perl-common-sense + ipfiremake perl-inotify2 + ipfiremake perl-Net-IP }
buildinstaller() { diff --git a/src/initscripts/init.d/guardian b/src/initscripts/init.d/guardian new file mode 100755 index 0000000..0ff59b7 --- /dev/null +++ b/src/initscripts/init.d/guardian @@ -0,0 +1,56 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/guardian +# +# Description : Guardian Initscript +# +# Authors : Kim Wölfel for ipfire.org +# +# Version : 01.00 +# +# Notes : +# +######################################################################## + +. /etc/sysconfig/rc +. ${rc_functions} + +eval $(/usr/local/bin/readhash /var/ipfire/guardian/settings) + +function guardian_is_enabled() { + [ "${GUARDIAN_ENABLED}" = "on" ] +} + +case "$1" in + start) + guardian_is_enabled || exit 0 + + boot_mesg "Starting Guardian..." + loadproc /usr/sbin/guardian -c /var/ipfire/guardian/guardian.conf + ;; + + stop) + if ([ -f /run/guardian/guardian.pid ]); then + boot_mesg "Stopping Guardian..." + kill $(cat /run/guardian/guardian.pid) + sleep 1; + fi + ;; + + status) + statusproc /usr/sbin/guardian + ;; + + restart) + $0 stop + sleep 2 + $0 start + ;; + + *) + echo "Usage: $0 {start|stop|restart|status}" + exit 1 + ;; +esac + +# End $rc_base/init.d/guardian diff --git a/src/initscripts/init.d/networking/red.up/35-guardian b/src/initscripts/init.d/networking/red.up/35-guardian new file mode 100644 index 0000000..587762b --- /dev/null +++ b/src/initscripts/init.d/networking/red.up/35-guardian @@ -0,0 +1,3 @@ +#!/bin/bash + +exec /usr/bin/guardianctrl reload-ignore-list 2&>/dev/null diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort index 58edf1e..5c43042 100644 --- a/src/initscripts/init.d/snort +++ b/src/initscripts/init.d/snort 
@@ -94,19 +94,8 @@ case "$1" in sleep 1 chmod 644 /var/run/snort_$DEVICE.pid done - - - if [ -r /var/ipfire/guardian/enable ]; then - IFACE=`/bin/cat /var/ipfire/red/iface 2>/dev/null | /usr/bin/tr -d '\012'` - sed -e "s/^Interface.*/Interface ${IFACE}/" /var/ipfire/guardian/guardian.conf > temp - mv temp /var/ipfire/guardian/guardian.conf - chown nobody.root /var/ipfire/guardian/guardian.conf - - boot_mesg "Starting Guardian..." - loadproc /usr/local/bin/guardian.pl -c /var/ipfire/guardian/guardian.conf - fi - ;; - + ;; + stop) DEVICES="" if [ -r /var/run/snort_$BLUE_DEV.pid ]; then @@ -132,11 +121,6 @@ case "$1" in done
rm /var/run/snort_* >/dev/null 2>/dev/null - - if ([ -r /var/ipfire/guardian/enable ] || [ ! -z $(pidofproc /usr/local/bin/guardian.pl) ]); then - boot_mesg "Stopping Guardian..." - killproc /usr/local/bin/guardian.pl - fi
# Don't report returncode of rm if snort was not started exit 0
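Review bot: in lfs/perl-inotify2 the only pin on the tarball fetched from $(URL_IPFIRE) is "$(DL_FILE)_MD5 = bc0a86f04476f9e0aaab026b8081f097". MD5 is broken for collision resistance, so it is a weak integrity check for an archive whose Makefile.PL and "make install" are then run inside the build. Recording a SHA-256 next to it in the lfs framework would be a cheap improvement. Separately, "$(subst %,%_MD5,$(objects))" is a literal text substitution, and "%" is only a wildcard in patsubst, so the md5 prerequisite and its rule expand to the plain file name rather than a name ending in _MD5.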
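Review bot: in the stop) branch of src/initscripts/init.d/guardian, "kill $(cat /run/guardian/guardian.pid)" signals whatever PID the file holds without checking that it still belongs to guardian, so a stale pid file left behind by a crash can take down an unrelated process, and the file is not removed afterwards. Please verify the PID's command first, or stop the daemon by path with killproc as the removed snort code did. Two smaller points in the same file: "function guardian_is_enabled()" is a bashism under "#!/bin/sh", and the unquoted eval of the readhash output runs as shell code in the init script, so the script is only as safe as readhash's filtering of /var/ipfire/guardian/settings. A comment stating that dependency would help.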
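Review bot: in src/initscripts/init.d/networking/red.up/35-guardian the redirection "2&>/dev/null" does not do what it appears to. bash reads the "2" as an extra argument to guardianctrl and "&>/dev/null" as the redirection of both stdout and stderr, so the command is called as "reload-ignore-list 2". Use ">/dev/null 2>&1", or "2>/dev/null" if only stderr is meant to be dropped. The file is also added with mode 100644 while the init script is 100755; please confirm the red.up hooks are run in a way that does not need the executable bit.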
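Review bot: the first hunk in src/initscripts/init.d/snort removes the only visible code that rewrote the Interface line of /var/ipfire/guardian/guardian.conf from /var/ipfire/red/iface and reset the file's owner to nobody.root, and the new guardian init script starts the daemon with "-c /var/ipfire/guardian/guardian.conf" without touching the file. If the new guardian still reads an interface from that file, it will keep whatever value was last written. Please state in the commit message where the interface and the file ownership are handled now. The enable switch also moves from the presence of /var/ipfire/guardian/enable to GUARDIAN_ENABLED in the settings file, so existing installations need a migration step or guardian will silently stay off after the update.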
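Review bot: the second hunk in src/initscripts/init.d/snort drops the killproc of /usr/local/bin/guardian.pl, and the new stop) branch only acts on /run/guardian/guardian.pid, so nothing in this change stops an old guardian.pl process that is already running when the update is applied. Please add a one-time stop of the old daemon to the update path, or document that a reboot is required.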
hooks/post-receive -- IPFire 2.x development tree