Stefan Schantl

Introducing Guardian 2.0 for IPFire
by Stefan Schantl, February 18, 2015

Hello planet followers,

This post is going to introduce you to guardian 2.0, which is a complete rewrite based on the idea of guardian. The original intention was to add some missing functions to guardian, but as usual in life, things become bigger than expected.

A new codebase

During the development process the code has been adjusted to benefit from new technologies like “inotify” for tracking file changes. The ignore file now may contain whole network ranges instead of single IP addresses. Both subnet notations, the prefix and the dotted-decimal one, are supported.

An other important point is the new signal handler, which provides support for reloading the config and ignore file for directly apply modifications without restarting guardian. In the past this was a huge limitation, because a restart did a complete reset of all internal counters and also all previously performed address blocks get lost.

Guardian 2.0 introduces code for brute-force detection against several locally running services. Those detections are completely optional and can be switched off in the config file. As a side-effect, we have dropped the former dependency to a running snort instance. This allows the sole usage of guardian for preventing brute-force attacks against a local apache2 webserver, SSH daemon or owncloud instance.

All named features and of course a lot of more unnamed changes (which probably would blow up this article) result in a complete new codebase, which finally only contains a few tiny parts (mostly because of compatibility reasons) of the original code.

Web interface

The hugest improvement of guardian 2.0 for all users of IPFire can be found on the web interface. All guardian related parts have been dropped from the Intrusion Detection System area and were put on a separate page.

This new guardian page allows you an easy configuration of the service to modify the ignore list and provides an overview about all currently blocked hosts.

The probably most useful feature, is the ability to block or unblock hosts by using the web interface. In the past the feasible way to do this was a manual execution of several bash scripts. As an other nice feature we have introduced the ability to flush and unblock the complete list of hosts with a simple click.

It is almost done

To move a final version of guardian 2.0 into IPFire we need a lot of more testing feedback.

For all of you who want to test guardian 2.0, I created a tarball which contains all new or modified files which can be obtained from here. (Current version is “guardian-2.0-010”)

To start testing download or put the tarball to your test system (at least IPFire 2.15) and extract the files by using tar -xvf guardian-2.0-VERSION.tar.gz -C /. As final step the language cache needs to be updated, this can be done with update-lang-cache.

The tricky part is done, you can open your IPFire web interface and navigate to the guardian page, which can be found in the “Services” menu, next to the IDS entry.

Detailed information about the configuration can be obtained from the IPFire wiki

While testing, please subscribe to our development mailing list and share your opinions and suggestions ( with us. In case of errors, please file your bug reports on our bugtracker.

For those who are interested in the development history all changes can be found here.

Posted: February 18, 2015 • 2994 views