Guardian protects the IPFire system against brute-force attacks on its SSH service and on the IPFire Web User Interface (WUI).
Advantages and disadvantages
- Detects and prevents brute-force attacks against SSH and WUI access.
- Guardian blocks by IP address only. If an attacker switches to a different source address, Guardian cannot stop that attacker from trying again.
Installation
Guardian can be installed with the Pakfire web interface or via the console:
pakfire install guardian
Configuration
Guardian is managed entirely through the IPFire Web User Interface. A corresponding menu entry appears once the addon has been installed.

SSH Brute Force Detection
Enables or disables brute-force detection for the locally running SSH daemon. The default setting is on.
httpd Brute Force Detection
With this option enabled, Guardian detects brute-force login attempts against the IPFire Web User Interface. Defaults to on.
Log Facility
The log facility option configures where Guardian sends the log messages it generates. Available facilities are:
- Systemlog: Directly send the messages to the system log.
- File: Write all messages to a defined file.
- Console: Only used for debugging. Guardian must be launched in the foreground for any log messages to be displayed.
Log Level
This drop-down menu configures Guardian's log level, which controls how many messages are written to the log.
- Off: Nothing will be logged.
- Info: Default. Writes a log message whenever an address is blocked or unblocked.
- Debug: Very detailed logging. Use this level only for development or debugging, since it can produce a very large log file. It cannot be chosen if the log facility is set to the system log.
Firewall Action
This option configures whether a "DROP" or a "REJECT" rule is created when Guardian blocks an attacker.
For several reasons "DROP" is usually the better choice, especially if the firewall machine is directly connected to the internet. "REJECT" sends an ICMP error message back to the source, which reveals that something is answering at that address. With "DROP" the attacker's packets are silently discarded, so the destination appears to have gone offline.
Strike Threshold
The strike threshold is the number of failed attempts an aggressive IP address is allowed before it is blocked. The minimum value is 1. The default setting is 3.
Block time
The block time is the interval after which a block on an IP address is released again automatically. The default is 86400 seconds, which equals 24 hours.
Log file
This option is only displayed if the log facility is set to "File" and configures the location of Guardian's log file.
Ignored Hosts
Guardian has built-in support for ignoring attacks from single hosts or whole subnets. This feature can be used to prevent critical devices or systems on your local networks (for example the workstation you administer IPFire from) from being blocked by Guardian by mistake.

The ignore list can be edited in the web interface. An existing entry is removed by clicking the trash icon next to it.
A new entry is added by filling in the input field and clicking the Add button.
Valid inputs are single IPv4 addresses or IPv4 networks. Guardian accepts networks with an appended prefix length (192.168.0.0/24) or with a net mask in dot-decimal notation (192.168.0.0/255.255.255.0).
Currently blocked hosts
A full list of all currently blocked IP addresses is displayed in the web interface.

A single entry is removed by clicking the trash icon next to the IP address.
A single host can be blocked manually by entering its IP address into the input field and clicking the Block button.
The complete list can be flushed with the Unblock All button.
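To make the interplay of the strike threshold, block time, firewall action, ignore list and the manual Block/Unblock buttons concrete, here is an added Python simulation. It is not Guardian's own code and does not reproduce its internals; it models the behaviour described on this page. The sshd log lines are constructed for the walk-through, the regular expression matches only OpenSSH "Failed password" lines, and the iptables chain name GUARDIAN is an assumption, since this page does not say which chain Guardian uses.

```python
import ipaddress
import re

# Assumption: this page does not name the iptables chain Guardian uses, so a
# placeholder chain name stands in for it in the generated commands.
CHAIN = "GUARDIAN"

# Constructed sshd log lines for the walk-through (not captured from a real host).
SAMPLE_LOG = """\
Jan 10 10:00:01 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan 10 10:00:03 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 10:00:05 ipfire sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Jan 10 10:00:07 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jan 10 10:00:08 ipfire sshd[1203]: Failed password for admin from 192.168.0.20 port 40000 ssh2
Jan 10 10:00:09 ipfire sshd[1203]: Failed password for admin from 192.168.0.20 port 40001 ssh2
Jan 10 10:00:10 ipfire sshd[1203]: Failed password for admin from 192.168.0.20 port 40002 ssh2
Jan 10 10:00:11 ipfire sshd[1204]: Failed password for root from 198.51.100.9 port 33000 ssh2
Jan 10 10:00:12 ipfire sshd[1204]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(log_text):
    """Yield (seconds since midnight, source IP) for every failed SSH login."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            h, mi, s, ip = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), ip

def parse_ignore_list(entries):
    """Accept single hosts, prefix notation (/24) and dotted net masks (/255.255.255.0)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

class Blocker:
    def __init__(self, threshold=3, block_time=86400, action="DROP", ignored=()):
        if threshold < 1:
            raise ValueError("strike threshold must be at least 1")
        if action not in ("DROP", "REJECT"):
            raise ValueError("firewall action must be DROP or REJECT")
        self.threshold, self.block_time, self.action = threshold, block_time, action
        self.ignored = parse_ignore_list(ignored)
        self.strikes = {}  # ip -> failed attempts counted so far
        self.blocked = {}  # ip -> time at which the block expires
        self.rules = []    # firewall commands that would have been executed

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignored)

    def expire(self, now):
        # Release every block whose block time has elapsed.
        for ip, until in list(self.blocked.items()):
            if now >= until:
                self.unblock(ip)

    def strike(self, now, ip):
        """Record one failed attempt; return True if it triggered a block."""
        self.expire(now)
        if self.is_ignored(ip) or ip in self.blocked:
            return False
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] < self.threshold:
            return False
        self.block(now, ip)
        return True

    def block(self, now, ip):
        # Same effect as the Block button: insert a DROP or REJECT rule.
        self.blocked[ip] = now + self.block_time
        self.strikes.pop(ip, None)
        self.rules.append(f"iptables -I {CHAIN} -s {ip} -j {self.action}")

    def unblock(self, ip):
        # Same effect as the trash icon (or expiry): delete that host's rule.
        self.blocked.pop(ip, None)
        self.rules.append(f"iptables -D {CHAIN} -s {ip} -j {self.action}")

    def unblock_all(self):
        for ip in list(self.blocked):
            self.unblock(ip)

def run_sample(ignored=("192.168.0.0/255.255.255.0",), action="DROP"):
    """Feed the sample log through a Blocker using the page's default settings."""
    b = Blocker(threshold=3, block_time=86400, action=action, ignored=ignored)
    for t, ip in parse_events(SAMPLE_LOG):
        b.strike(t, ip)
    return b

def expiry_demo():
    """A blocked host is released after block_time and then counted afresh."""
    b = Blocker(threshold=3, block_time=10)
    for t in (0, 1, 2):
        b.strike(t, "203.0.113.7")  # third strike blocks at t=2 until t=12
    still_blocked = not b.strike(5, "203.0.113.7") and "203.0.113.7" in b.blocked
    b.strike(12, "203.0.113.7")  # the block has expired; this is strike 1 again
    return still_blocked, "203.0.113.7" in b.blocked, b.strikes.get("203.0.113.7", 0)

if __name__ == "__main__":
    b = run_sample()
    print("blocked:", b.blocked, "strikes:", b.strikes)
    print("\n".join(b.rules))
```

Running it shows the three cases the options above describe: 203.0.113.7 is blocked on its third failure and its fourth attempt is no longer counted, 192.168.0.20 never accumulates strikes because 192.168.0.0/24 is on the ignore list (given here in dotted net mask notation, which ipaddress normalises to the same network as /24), and 198.51.100.9 stays at two strikes, one short of the threshold. Switching action to "REJECT" changes only the target of the generated rule, which is the whole difference between the two firewall actions from Guardian's side; the visibility difference discussed under Firewall Action happens in the kernel.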