Problems update Guardian 2.0.2

Questions to IPFire Addons.
Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Problems update Guardian 2.0.2

Post by Roberto Peña » December 29th, 2018, 8:50 am

Hi all.

Once updated from core 125 to 126 and updated Guardian 2.0.2 addon, nothing at all appears in "Currently blocked hosts".
[Attachment: Configuración de Guardian.png]
The IDS module is detecting normally.

Does the same happen to anyone else?

Greetings and happy holidays.

╔════════════════════════════════════════════════╗
Donate to improve IPFire: https://www.ipfire.org/donate
╚════════════════════════════════════════════════╝

FischerM
Community Developer
Posts: 981
Joined: November 2nd, 2011, 12:28 pm

Re: Problems update Guardian 2.0.2

Post by FischerM » December 29th, 2018, 11:21 am

Hi,

Like you, I just updated from Core 125 to 126.

I can't confirm: 'guardian' is running and blocking with IDS and 'Emergingthreat'-rules.

Anything in logs?

Best,
Matthias

P.S.: I found only one glitch so far:
The file '/var/run/rngd.pid' got wrong file rights (0600, but it needs 0644) so despite running, the 'Random Number Generator Daemon' is shown under STATUS / SERVICES as STOPPED.

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 29th, 2018, 11:29 am

Good morning FischerM.

I'm not seeing anything weird in the logs. I have compared the "guardian.cgi" of /srv and the only difference I have found is that you have eliminated everything related to OwnCloud.

I use the Emergingthreats.net Community Rules, and detections do appear in the IDS module, but it is as if Guardian could not add them to the blacklists.

If you put an IP by hand from Guardian, it does Ok.

The bad thing about not knowing is that I am working blind. Therefore, I do not know what to look for.

Tell me what I could look for.

Thank you.

FischerM
Community Developer
Posts: 981
Joined: November 2nd, 2011, 12:28 pm

Re: Problems update Guardian 2.0.2

Post by FischerM » December 29th, 2018, 1:07 pm

Hi,

I would look at the following:

- Is 'guardian' running correctly? (Test with 'ps ax | grep guardian'). Restart and check for output.
- Is 'var/log/snort/alert.log' readable by 'guardian'? It should be root/root / 0644.
- Run a manual test to see whether 'guardian' blocks 'SSH Brute Force Detection' correctly by trying to log in to SSH several times with a wrong password... But be careful: if it works, you'll block yourself! ::)

Besides: there is no blocklist, 'guardian' uses '/usr/lib/perl5/site_perl/5.12.3/Guardian/*.pm' scripts. Only manually ignored IPs are added to '/var/ipfire/guardian/ignored'.

HTH,
Matthias
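The first two checks from the list above, written up as a small POSIX sh script. This is an added example, not code from the thread or from the IPFire guardian addon: the helper names are my own, the daemon path is the one the thread's 'ps ax' output shows (/usr/sbin/guardian), and the expected owner/mode for the alert log are the post's root:root / 0644. It uses GNU stat, so it assumes a Linux host.

```shell
#!/bin/sh
# Added example, not code from the thread or from the IPFire guardian addon.
# Helper names are my own; paths and expected rights come from the post.

# Return 0 when a process whose command line contains "$1" is running.
# Same idea as 'ps ax | grep guardian', minus the grep process itself.
daemon_running() {
    ps ax 2>/dev/null | grep -v grep | grep -q -- "$1"
}

# Return 0 when file "$1" exists, is owned by "$2" (user:group) and has
# octal mode "$3" (e.g. 644). Reports the mismatch on stderr otherwise.
file_has_perms() {
    f=$1; want_owner=$2; want_mode=$3
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    have_owner=$(stat -c '%U:%G' "$f")
    have_mode=$(stat -c '%a' "$f")
    if [ "$have_owner" != "$want_owner" ] || [ "$have_mode" != "$want_mode" ]; then
        echo "wrong rights on $f: $have_owner $have_mode (want $want_owner $want_mode)" >&2
        return 1
    fi
}

# Run the checklist against a live system. "$1" is the alert log to check
# (the post names /var/log/snort/alert.log). The return value is the number
# of failed checks, so the function can drive a cron job or a monitor.
guardian_preflight() {
    alert_log=${1:-/var/log/snort/alert.log}
    failed=0
    daemon_running '/usr/sbin/guardian' \
        || { echo "guardian is not running" >&2; failed=$((failed + 1)); }
    file_has_perms "$alert_log" root:root 644 || failed=$((failed + 1))
    return "$failed"
}
```

Usage on the firewall itself would be `. ./preflight.sh && guardian_preflight /var/log/snort/alert.log; echo "failed checks: $?"`. The mode comparison deliberately uses the numeric form that stat prints, which also catches the kind of 0600-instead-of-0644 slip mentioned in the P.S. for rngd.pid.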

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 29th, 2018, 1:56 pm

Hi again.

With "ps ax / grep guardian" this:

Code:

[root@bs ~]# ps ax / grep guardian
ERROR: Garbage option.
********* simple selection *********  ********* selection by list *********
-A all processes                      -C by command name
-N negate selection                   -G by real group ID (supports names)
-a all w/ tty except session leaders  -U by real user ID (supports names)
-d all except session leaders         -g by session OR by effective group name
-e all processes                      -p by process ID
T  all processes on this terminal     -s processes in the sessions given
a  all w/ tty, including other users  -t by tty
g  OBSOLETE -- DO NOT USE             -u by effective user ID (supports names)
r  only running processes             U  processes for specified users
x  processes w/o controlling ttys     t  by tty
*********** output format **********  *********** long options ***********
-o,o user-defined  -f full            --Group --User --pid --cols --ppid
-j,j job control   s  signal          --group --user --sid --rows --info
-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect
-l,l long          u  user-oriented   --sort --tty --forest --version
-F   extra full    X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version      L  list format codes  f  ASCII art forest
-m,m,-L,-T,H  threads   S  children in sum    -y change -l format
-M,Z  security data     c  true command name  -c scheduling class
-w,w  wide output       n  numeric WCHAN,UID  -H process hierarchy
[root@bs ~]#
Restarting daemon:

Code:

[root@bs ~]# /etc/init.d/guardian restart
Stopping Guardian...
Starting Guardian...                                                   [  OK  ]
[root@bs ~]#
In "var/log/snort/alert", this:
[Attachment: Alert.jpg]
SSH Brute Force Detection has worked for me. I have blocked the incorrect accesses of SSH.

The problem is that I have activated the IDS for the RED interface. There are detections, but it does not block external attacks.
[Attachment: Sistema de Detección de Intrusiones.png]
[Attachment: Visor de registros IDS.png]
[Attachment: Configuración de Guardian.png]
Before, it worked perfectly. Strange, isn't it? :o

Thank FischerM.

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 29th, 2018, 1:58 pm

Pardon:

Code:

[root@bs ~]# ps ax | grep guardian
20877 ?        Sl     0:03 /usr/bin/perl /usr/sbin/guardian -c /var/ipfire/guardian/guardian.conf
23902 pts/0    S+     0:00 grep guardian
[root@bs ~]#

FischerM
Community Developer
Posts: 981
Joined: November 2nd, 2011, 12:28 pm

Re: Problems update Guardian 2.0.2

Post by FischerM » December 29th, 2018, 2:48 pm

Hi,
"SSH Brute Force Detection has worked for me."
Ok, 'guardian' is REALLY working - should be a problem with 'snort' only.

Last idea:

Change Priority Level (snort) from 3 - low to 2 - medium.

Best,
Matthias

P.S.: Sorry for the typo. Fixed.
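To make the "Priority Level" suggestion above concrete, here is an added example that is not from the thread or from guardian itself: a shell filter over snort fast-format alert lines that prints the source address of every alert at or above a given priority threshold. It assumes, as the "1 high ... 3 low" numbering suggests, that moving the level from 3 to 2 keeps alerts with Priority 1 or 2 and drops Priority 3. The three alert lines are constructed for the demonstration (documentation-range addresses), and guardian's own parser in the Guardian/*.pm modules named earlier is not reproduced.

```shell
#!/bin/sh
# Added example, not from the thread or from the guardian addon itself.
# Reads snort "fast"-style alert lines and prints the source address of each
# alert whose [Priority: N] is at or above a threshold. Priority 1 is the
# highest, so threshold 2 ("2 - medium") keeps priorities 1 and 2, drops 3.
# The sample lines are constructed; addresses are documentation ranges.

SAMPLE_ALERTS='12/29-13:07:01.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:54321 -> 203.0.113.5:22
12/29-13:08:12.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.9:80 -> 203.0.113.5:41000
12/29-13:09:30.000003  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 198.51.100.7:40000 -> 203.0.113.5:3306'

# stdin: alert lines. stdout: "priority source_ip" for each line that has a
# [Priority: N] tag and a "{PROTO} src:port -> dst:port" pair; other lines
# (multi-line alert formats, blank lines) are skipped rather than mis-parsed.
parse_alerts() {
    sed -n 's/.*\[Priority: \([0-9][0-9]*\)\].*} \([0-9.][0-9.]*\):[0-9]* -> .*/\1 \2/p'
}

# stdin: alert lines. stdout: unique source IPs whose priority number is <= "$1".
sources_at_threshold() {
    parse_alerts | awk -v max="$1" '$1 + 0 <= max + 0 { print $2 }' | sort -u
}

# Wrapper over the constructed sample so the effect of the setting can be
# compared directly: try 3, then 2, then 1.
sample_sources_at_threshold() {
    printf '%s\n' "$SAMPLE_ALERTS" | sources_at_threshold "$1"
}
```

Against a live log the filter would be `sources_at_threshold 2 < /var/log/snort/alert`; if that prints addresses while "Currently blocked hosts" stays empty, the alerts are reaching the file with a qualifying priority and the problem sits after the parsing stage, which is the distinction the thread is trying to make between snort and guardian.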

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 29th, 2018, 2:56 pm

Don't worry.

There have been two more detections, but it still does not block anything. Nothing appears in "Currently blocked hosts". It seems that the change from 3 - low to 2 - medium, does not work. :-\

Mentalic
Posts: 21
Joined: April 14th, 2018, 2:51 pm

Re: Problems update Guardian 2.0.2

Post by Mentalic » December 29th, 2018, 8:55 pm

I'm also having issues with Guardian not adding anything to the block list after the update to IPFire 2.21 (x86_64) - core126. Although initially, when I updated from 125, it did work, after trying a block list addon I reinstalled IPFire, and now no matter what, Guardian does not add entries.

FischerM
Community Developer
Posts: 981
Joined: November 2nd, 2011, 12:28 pm

Re: Problems update Guardian 2.0.2

Post by FischerM » December 30th, 2018, 8:40 am

Hi,

@Roberto:
Very last idea: Try uninstall/reinstall of 'guardian'... ::)

Best,
Matthias

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 30th, 2018, 8:53 am

Yes, twice. Including its dependencies.

I have done several things without apparent results. I have compared the files "/usr/lib/perl5/site_perl/5.12.3/Guardian/*.pm" with two differences: "parser.pm and events.pm". But pasting the old ones, it still does not work. I do not think it's that.

I can't think of anything. Doesn't it happen to you?

Greetings.

FischerM
Community Developer
Posts: 981
Joined: November 2nd, 2011, 12:28 pm

Re: Problems update Guardian 2.0.2

Post by FischerM » December 30th, 2018, 8:57 am

Hi,

No problems here. Right after rebooting, 'guardian' blocked again. Really weird.

Some other guys got this fixed - somehow. Perhaps you could ask there...

HTH,
Matthias

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 30th, 2018, 11:31 am

Hello Matthias.

To move forward... Is there no way to activate a debug mode in Guardian to see if it receives the blocks to be made from the IDS?

Or something like that.

The last thing I have done is to uninstall all Guardian (removing everything manually once uninstalled) and leave the IDS as newly installed and the result has been the same.

In the afternoon, if I have time, I will try a clean installation on a machine and see what happens.

I will continue informing.

Greetings.

Roberto Peña
Posts: 743
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Problems update Guardian 2.0.2

Post by Roberto Peña » December 30th, 2018, 12:07 pm

I've already done the tests ...

I tell you. I installed the Core 125 on a machine. Once installed, without touching anything, I installed the Guardian Addon (2.0.2 appeared).

Afterwards, I configured the IDS with EmergingThreats in "RED" and waited for some detection to appear.

Once it has happened, I have configured Guardian and I have waited for another detection to appear in IDS and ZASSSS ... NOTHING. Nothing blocked appears in Guardian.

So, I updated the Core to 126 and still nothing, nothing at all.

It is easy to reproduce. Something is wrong.

Greetings.

FischerM
Community Developer
Posts: 981
Joined: November 2nd, 2011, 12:28 pm

Re: Problems update Guardian 2.0.2

Post by FischerM » December 30th, 2018, 12:57 pm

Hi,

I think the best would be to file a bug report and include as much information as possible...

Best,
Matthias
