Problems update Guardian 2.0.2

Posted: December 29th, 2018, 8:50 am
by Roberto Peña
Hi all.

Once updated from core 125 to 126 and updated Guardian 2.0.2 addon, nothing at all appears in "Currently blocked hosts".
[Attachment: Configuración de Guardian.png]
The IDS module is detecting normally.

Does the same happen to anyone else?

Greetings and happy holidays.

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 11:21 am
by FischerM
Hi,

Like you, I just updated from Core 125 to 126.

I can't confirm: 'guardian' is running and blocking with IDS and 'Emergingthreat'-rules.

Anything in logs?

Best,
Matthias

P.S.: I found only one glitch so far:
The file '/var/run/rngd.pid' got wrong file rights (0600, but it needs 0644) so despite running, the 'Random Number Generator Daemon' is shown under STATUS / SERVICES as STOPPED.

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 11:29 am
by Roberto Peña
Good morning FischerM.

I'm not seeing anything weird in the logs. I have compared the "guardian.cgi" of /srv and the only difference I have found is that you have eliminated everything related to OwnCloud.

I use the Emergingthreats.net Community Rules; detections do appear in the IDS module, but it is as if Guardian could not add them to the blacklist.

If you put in an IP by hand from Guardian, it works OK.

The bad thing is that, not knowing, I am going in blind. Therefore, I do not know what to look for.

Tell me what I could look for.

Thank you.

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 1:07 pm
by FischerM
Hi,

I would look at the following:

- Is 'guardian' running correctly? (Test with 'ps ax | grep guardian'). Restart and check for output.
- Is 'var/log/snort/alert.log' readable by 'guardian'? It should be root/root / 0644.
- Run a manual test of whether 'guardian' blocks 'SSH Brute Force Detection' correctly by trying to log in to SSH several times with a wrong password... But be careful: if it works, you'll block yourself! ::)

Besides: there is no blocklist, 'guardian' uses '/usr/lib/perl5/site_perl/5.12.3/Guardian/*.pm' scripts. Only manually ignored IPs are added to '/var/ipfire/guardian/ignored'.

HTH,
Matthias
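The checks Matthias lists above (is the daemon running, does the alert log have the mode the daemon expects) and the 0600-vs-0644 pid file glitch from his earlier post are all "is this file/process in the expected state" questions, so here is a small POSIX shell health check that answers them. This is an added example written for this thread, not a script from the Guardian addon or IPFire; the paths default to the ones named in the thread and can be overridden through environment variables, and it assumes GNU stat (as on IPFire).

```shell
#!/bin/sh
# Added example (not from the thread or the Guardian addon): a small health
# check for the items discussed above. Paths default to the ones named in
# the thread; override them via environment variables for testing.

ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"
RNGD_PID="${RNGD_PID:-/var/run/rngd.pid}"

# Print the octal permission bits of a file (e.g. 644), GNU stat syntax.
# Returns non-zero when the file does not exist.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Return 0 if the file's mode equals the expected octal mode, 1 otherwise
# (also 1 when the file is missing).
check_mode() {
    f="$1"; want="$2"
    have="$(file_mode "$f")" || return 1
    [ "$have" = "$want" ]
}

# Return 0 if a guardian daemon is running. The [g] bracket trick keeps the
# grep process itself from matching, which is the usual pitfall with
# 'ps ax | grep guardian'.
guardian_running() {
    ps ax | grep -q '[g]uardian -c'
}

# Report one file check and return its status.
report_mode() {
    if check_mode "$1" "$2"; then
        echo "$1: mode $2 ok"
        return 0
    fi
    echo "$1: mode $(file_mode "$1" || echo missing), expected $2"
    return 1
}

# Summary report; exit status is non-zero when any check fails.
guardian_health() {
    rc=0
    if guardian_running; then
        echo "guardian: running"
    else
        echo "guardian: NOT running"; rc=1
    fi
    report_mode "$ALERT_LOG" 644 || rc=1   # must be readable by guardian
    report_mode "$RNGD_PID" 644 || rc=1    # 0600 makes the status page show STOPPED
    return $rc
}

# Run the report when executed directly (not when sourced for testing).
[ "${0##*/}" = "guardian_health.sh" ] && guardian_health
```

Run it as root on the firewall; a non-zero exit status means at least one of the listed conditions does not hold, and the printed line says which one and what mode was found.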

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 1:56 pm
by Roberto Peña
Hi again.

With "ps ax / grep guardian" this:

Code:

[root@bs ~]# ps ax / grep guardian
ERROR: Garbage option.
********* simple selection *********  ********* selection by list *********
-A all processes                      -C by command name
-N negate selection                   -G by real group ID (supports names)
-a all w/ tty except session leaders  -U by real user ID (supports names)
-d all except session leaders         -g by session OR by effective group name
-e all processes                      -p by process ID
T  all processes on this terminal     -s processes in the sessions given
a  all w/ tty, including other users  -t by tty
g  OBSOLETE -- DO NOT USE             -u by effective user ID (supports names)
r  only running processes             U  processes for specified users
x  processes w/o controlling ttys     t  by tty
*********** output format **********  *********** long options ***********
-o,o user-defined  -f full            --Group --User --pid --cols --ppid
-j,j job control   s  signal          --group --user --sid --rows --info
-O,O preloaded -o  v  virtual memory  --cumulative --format --deselect
-l,l long          u  user-oriented   --sort --tty --forest --version
-F   extra full    X  registers       --heading --no-heading --context
                    ********* misc options *********
-V,V  show version      L  list format codes  f  ASCII art forest
-m,m,-L,-T,H  threads   S  children in sum    -y change -l format
-M,Z  security data     c  true command name  -c scheduling class
-w,w  wide output       n  numeric WCHAN,UID  -H process hierarchy
[root@bs ~]#
Restarting daemon:

Code:

[root@bs ~]# /etc/init.d/guardian restart
Stopping Guardian...
Starting Guardian...                                                   [  OK  ]
[root@bs ~]#
In "var/log/snort/alert", this:
[Attachment: Alert.jpg]
SSH Brute Force Detection has worked for me. I have blocked the incorrect accesses of SSH.

The problem is that I have activated the IDS for the RED interface. There are detections, but it does not block external attacks.
[Attachment: Sistema de Detección de Intrusiones.png]
[Attachment: Visor de registros IDS.png]
[Attachment: Configuración de Guardian.png]
Before it worked perfectly. Strange, isn't it? :o

Thanks, FischerM.

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 1:58 pm
by Roberto Peña
Pardon:

Code:

[root@bs ~]# ps ax | grep guardian
20877 ?        Sl     0:03 /usr/bin/perl /usr/sbin/guardian -c /var/ipfire/guardian/guardian.conf
23902 pts/0    S+     0:00 grep guardian
[root@bs ~]#

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 2:48 pm
by FischerM
Hi,

"SSH Brute Force Detection has worked for me."

Ok, 'guardian' is REALLY working - should be a problem with 'snort' only.

Last idea:

Change Priority Level (snort) from 3 - low to 2 - medium.

Best,
Matthias

P.S.: Sorry for the typo. Fixed.

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 2:56 pm
by Roberto Peña
Don't worry.

There have been two more detections, but it still does not block anything. Nothing appears in "Currently blocked hosts". It seems that the change from 3 - low to 2 - medium does not work. :-\

Re: Problems update Guardian 2.0.2

Posted: December 29th, 2018, 8:55 pm
by Mentalic
I'm also having issues with Guardian not adding anything to the block list after the update to PFire 2.21 (x86_64) - core126. Although initially, when I updated from 125, it did work, but after trying a block list addon I reinstalled ipfire, and now no matter what, Guardian does not add entries.

Re: Problems update Guardian 2.0.2

Posted: December 30th, 2018, 8:40 am
by FischerM
Hi,

@Roberto:
Very last idea: Try uninstall/reinstall of 'guardian'... ::)

Best,
Matthias

Re: Problems update Guardian 2.0.2

Posted: December 30th, 2018, 8:53 am
by Roberto Peña
Yes twice. Including its dependencies.

I have done several things without apparent results. I have compared the files "/usr/lib/perl5/site_perl/5.12.3/Guardian/*.pm" with two differences: "parser.pm and events.pm". But pasting the old ones, it still does not work. I do not think it's that.

I cannot think of anything. Does it not happen to you?

Greetings.

Re: Problems update Guardian 2.0.2

Posted: December 30th, 2018, 8:57 am
by FischerM
Hi,

No problems here. Right after rebooting, 'guardian' blocked again. Really weird.

Some other guys got this fixed - somehow. Perhaps you could ask there...

HTH,
Matthias

Re: Problems update Guardian 2.0.2

Posted: December 30th, 2018, 11:31 am
by Roberto Peña
Hello Matthias.

To move forward... Is there no way to activate a debug mode in Guardian to see if the blocks to be made are received from the IDS?

Or something like that.

The last thing I have done is to uninstall all Guardian (removing everything manually once uninstalled) and leave the IDS as newly installed and the result has been the same.

In the afternoon, if I have time I try with a machine to do a clean installation and see what happens.

I will continue informing.

Greetings.

Re: Problems update Guardian 2.0.2

Posted: December 30th, 2018, 12:07 pm
by Roberto Peña
I've already done the tests ...

I tell you. I installed the Core 125 on a machine. Once installed, without touching anything, I installed the Guardian Addon (2.0.2 appeared).

Afterwards, I configured the IDS with EmergingThreats in "RED" and waited for some detection to appear.

Once it has happened, I have configured Guardian and I have waited for another detection to appear in IDS and ZASSSS ... NOTHING. Nothing blocked appears in Guardian.

So I updated the Core to 126, and still nothing, nothing at all.

It is easy to reproduce. Something is wrong.

Greetings.

Re: Problems update Guardian 2.0.2

Posted: December 30th, 2018, 12:57 pm
by FischerM
Hi,

I think the best would be to file a bug report and include as much information as possible...

Best,
Matthias