As of Core Update 131 the Guardian add-on is no longer required for the Intrusion Detection System (IDS). Guardian still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire web UI.

Guardian is an extension to the IPFire Intrusion Detection System, which enables automatic blocking of IP addresses which are associated with intrusion attempts.

Since the legacy version, Guardian has been massively improved by the IPFire team and is now able to detect and prevent brute-force attacks against the IPFire web interface and the SSH daemon.

Technically, Guardian monitors several files (selected by its configuration) for modifications and parses the newly added lines. For each offending IP address Guardian keeps an internal counter; when this counter reaches the configured maximum, an iptables rule is created which drops all traffic from that address for a configured time interval.

Advantages and disadvantages

  • Enhances Suricata from a simple Intrusion Detection System (IDS) to an Intrusion Prevention System (IPS).
  • Detects and prevents brute-force attacks against several locally running services.
  • The blocking mechanism of Guardian is based on IP addresses. If an attacker changes their address, Guardian cannot prevent them from attacking again.
  • A large part of the intelligence relies entirely on Snort and the use of sensible rules.
  • False positives caused by the Snort ruleset in use may generate bans for harmless systems.

Installation

Guardian can be installed with the Pakfire web interface or via the console:

pakfire install guardian

Configuration

Guardian can be managed completely via the IPFire web interface. A corresponding menu entry is displayed after the add-on has been installed.

SSH Brute Force Detection

Enables or disables brute-force detection for the locally running SSH daemon. The default setting is on.

httpd Brute Force Detection

With this option enabled, Guardian detects brute-force login attempts against the IPFire web interface. Defaults to on.

Log Facility

The log facility option configures where Guardian should send any generated log messages. Available facilities are:

  • Systemlog: Directly send the messages to the system log.
  • File: Write all messages to a defined file.
  • Console: This option is only used for debugging purposes and requires Guardian to be launched in the foreground for any log messages to be displayed.

Log Level

This drop-down menu configures the log level of Guardian. The setting affects the amount of messages written to the log file.

  • Off: Nothing is logged.
  • Info: Default. Writes a log message when an address has been blocked or unblocked.
  • Debug: Very detailed logging. Only use this level for development or debugging purposes, as it can result in a very large log file. Cannot be chosen if the log facility is set to "Syslog".

Firewall Action

This option configures whether a "DROP" or a "REJECT" rule should be created when an attacker is blocked by Guardian. More details can be found here.

For several reasons it might be better to use "DROP", especially if the firewall machine is directly connected to the internet. The "REJECT" option sends an ICMP packet back to the source, which reveals that something is answering. With "DROP", it looks as if the destination went offline. You might want to look here for further information.

Strike Threshold

The strike threshold is the maximum number of attempts an aggressive IP address may make before it is blocked. The minimum value is "1". The default setting is 3.

Block time

The block time is the time interval that has to pass before a block against an IP address is automatically released again. The default value is 86400 seconds, which equals 24 hours.

Log file

This option is only displayed if the log facility is set to "File" and configures the location of Guardian's log file.

Ignored Hosts

Guardian has built-in support for ignoring attacks from single hosts or whole subnets. This feature can be used to prevent critical devices or systems on your local networks from being incorrectly blocked by Guardian.

The ignore list can easily be edited via the web interface. Existing entries can be removed by clicking the trash icon next to them.

A new entry can be added by filling in the input field and clicking the Add button.

Valid inputs are single IPv4 addresses or networks. Guardian accepts networks with an appended prefix length (192.168.0.0/24) or a netmask in dot-decimal notation (192.168.0.0/255.255.255.0).
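The following added example (not Guardian's own code) models the mechanism described above: failed SSH logins are counted per source address, addresses on an ignore list in either prefix or dot-decimal notation are skipped, and an address reaching the strike threshold gets a DROP rule for the block time. The log lines are constructed, and the iptables chain name GUARDIAN is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log sample (not captured from a real system).
SAMPLE_LOG = """\
Jan 10 10:00:01 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 10:00:03 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 10:00:05 ipfire sshd[1201]: Failed password for admin from 192.168.0.23 port 40001 ssh2
Jan 10 10:00:06 ipfire sshd[1201]: Failed password for admin from 192.168.0.23 port 40002 ssh2
Jan 10 10:00:07 ipfire sshd[1201]: Failed password for admin from 192.168.0.23 port 40003 ssh2
Jan 10 10:00:09 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 10 10:00:11 ipfire sshd[1201]: Accepted publickey for user from 198.51.100.4 port 22222 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def parse_ignore_list(entries):
    """Accept single IPv4 addresses, prefix notation (a.b.c.d/24) and
    dot-decimal masks (a.b.c.d/255.255.255.0), like Guardian's ignore list."""
    # ipaddress understands both "/24" and "/255.255.255.0"; strict=False
    # tolerates host bits set in the network part.
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]

def is_ignored(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def evaluate(log_text, ignore_nets, threshold=3, block_time=86400):
    """Count failed logins per source and return (strikes, blocked), where
    blocked maps an address to the DROP rule that would be installed for it."""
    strikes = defaultdict(int)
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        if is_ignored(src, ignore_nets) or src in blocked:
            continue
        strikes[src] += 1
        if strikes[src] >= threshold:
            # Rule string only; a real deployment would execute it and store
            # the expiry (now + block_time) so the block is released later.
            # Chain name GUARDIAN is assumed for this example.
            blocked[src] = f"iptables -I GUARDIAN -s {src} -j DROP  # expires in {block_time}s"
    return dict(strikes), blocked
```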

Currently blocked hosts

A full list of all currently blocked IP addresses is displayed in the web interface.

A single list entry can be dropped by clicking the trash icon next to the IP address.

A single host can be blocked manually by entering its IP address into the input field and clicking the Block button.

The complete list can be flushed by using the Unblock All button.