]>
Commit | Line | Data |
---|---|---|
01dbccb1 SS |
1 | #!/usr/bin/perl |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
b5f7d903 | 5 | # Copyright (C) 2016 IPFire Team <info@ipfire.org> # |
01dbccb1 SS |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
b5f7d903 | 23 | use Locale::Codes::Country; |
af6856af | 24 | use Guardian::Socket; |
01dbccb1 SS |
25 | |
26 | # enable only the following on debugging purpose | |
eff1feb8 SS |
27 | #use warnings; |
28 | #use CGI::Carp 'fatalsToBrowser'; | |
01dbccb1 SS |
29 | |
30 | require '/var/ipfire/general-functions.pl'; | |
31 | require "${General::swroot}/lang.pl"; | |
32 | require "${General::swroot}/header.pl"; | |
33 | ||
34 | #workaround to suppress a warning when a variable is used only once | |
b1597f87 MF |
35 | my @dummy = ( |
36 | ${Header::colourred}, | |
37 | ${Header::colourgreen} | |
38 | ); | |
39 | ||
01dbccb1 SS |
40 | undef (@dummy); |
41 | ||
42 | my $string=(); | |
43 | my $memory=(); | |
44 | my @memory=(); | |
45 | my @pid=(); | |
46 | my @guardian=(); | |
01dbccb1 SS |
47 | |
48 | # Path to the guardian.ignore file. | |
49 | my $ignorefile ='/var/ipfire/guardian/guardian.ignore'; | |
50 | ||
52958991 SS |
51 | # Hash which contains the supported modules and the |
52 | # file locations on IPFire systems. | |
53 | my %module_file_locations = ( | |
54 | "HTTPD" => "/var/log/httpd/error_log", | |
55 | "OWNCLOUD" => "/var/owncloud/data/owncloud.log", | |
dadee76d | 56 | "SNORT" => "/var/log/snort/alert", |
52958991 SS |
57 | "SSH" => "/var/log/messages", |
58 | ); | |
59 | ||
01dbccb1 SS |
60 | our %netsettings = (); |
61 | &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); | |
62 | ||
63 | our %color = (); | |
64 | our %mainsettings = (); | |
65 | &General::readhash("${General::swroot}/main/settings", \%mainsettings); | |
66 | &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); | |
67 | ||
28981fac SS |
68 | # Pakfire meta file for owncloud. |
69 | # (File exists when the addon is installed.) | |
bfb860ce | 70 | my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud"; |
28981fac | 71 | |
7edbe063 SS |
72 | |
73 | # File declarations. | |
74 | my $settingsfile = "${General::swroot}/guardian/settings"; | |
75 | my $ignoredfile = "${General::swroot}/guardian/ignored"; | |
76 | ||
77 | # Create empty settings and ignoredfile if they do not exist yet. | |
78 | unless (-e "$settingsfile") { system("touch $settingsfile"); } | |
79 | unless (-e "$ignoredfile") { system("touch $ignoredfile"); } | |
80 | ||
01dbccb1 | 81 | our %settings = (); |
7edbe063 | 82 | our %ignored = (); |
01dbccb1 | 83 | |
28981fac SS |
84 | $settings{'ACTION'} = ''; |
85 | ||
01dbccb1 | 86 | $settings{'GUARDIAN_ENABLED'} = 'off'; |
723648ac SS |
87 | $settings{'GUARDIAN_MONITOR_SNORT'} = 'on'; |
88 | $settings{'GUARDIAN_MONITOR_SSH'} = 'on'; | |
89 | $settings{'GUARDIAN_MONITOR_HTTPD'} = 'on'; | |
90 | $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = ''; | |
52958991 | 91 | $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog'; |
a35a0668 SS |
92 | $settings{'GUARDIAN_LOGLEVEL'} = 'info'; |
93 | $settings{'GUARDIAN_BLOCKCOUNT'} = '3'; | |
01dbccb1 | 94 | $settings{'GUARDIAN_BLOCKTIME'} = '86400'; |
2d17c6e6 | 95 | $settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP'; |
01dbccb1 | 96 | $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log'; |
52958991 | 97 | $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3'; |
01dbccb1 | 98 | |
28981fac SS |
99 | # Default settings for owncloud if installed. |
100 | if ( -e "$owncloud_meta") { | |
723648ac | 101 | $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off'; |
28981fac | 102 | } |
01dbccb1 SS |
103 | |
104 | my $errormessage = ''; | |
105 | ||
106 | &Header::showhttpheaders(); | |
107 | ||
108 | # Get GUI values. | |
109 | &Header::getcgihash(\%settings); | |
01dbccb1 | 110 | |
f8c3bfe0 SS |
111 | # Check if guardian is running and grab some stats. |
112 | &daemonstats(); | |
922ddf0e | 113 | my $pid = $pid[0]; |
f8c3bfe0 | 114 | |
01dbccb1 SS |
115 | ## Perform input checks and save settings. |
116 | # | |
117 | if ($settings{'ACTION'} eq $Lang::tr{'save'}) { | |
01dbccb1 | 118 | # Check for valid blocktime. |
96655fa6 | 119 | unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) { |
01dbccb1 | 120 | $errormessage = "$Lang::tr{'guardian invalid blocktime'}"; |
a35a0668 SS |
121 | } |
122 | ||
d68ead3d | 123 | # Check if the blockcount is valid. |
96655fa6 | 124 | unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) { |
a35a0668 | 125 | $errormessage = "$Lang::tr{'guardian invalid blockcount'}"; |
01dbccb1 SS |
126 | } |
127 | ||
128 | # Check Logfile. | |
96655fa6 | 129 | unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9\.\/]+$/) { |
a35a0668 | 130 | $errormessage = "$Lang::tr{'guardian invalid logfile'}"; |
01dbccb1 SS |
131 | } |
132 | ||
01dbccb1 | 133 | # Only continue if no error message has been set. |
96655fa6 | 134 | if($errormessage eq '') { |
01dbccb1 SS |
135 | # Write configuration settings to file. |
136 | &General::writehash("${General::swroot}/guardian/settings", \%settings); | |
137 | ||
138 | # Update configuration files. | |
139 | &BuildConfiguration(); | |
140 | } | |
141 | ||
7edbe063 | 142 | ## Add/edit an entry to the ignore file. |
01dbccb1 | 143 | # |
7edbe063 | 144 | } elsif (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::tr{'update'})) { |
01dbccb1 SS |
145 | |
146 | # Check if any input has been performed. | |
7edbe063 | 147 | if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') { |
01dbccb1 SS |
148 | |
149 | # Check if the given input is no valid IP-address or IP-address with subnet, display an error message. | |
7edbe063 | 150 | if ((!&General::validip($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($settings{'IGNORE_ENTRY_ADDRESS'}))) { |
01dbccb1 SS |
151 | $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; |
152 | } | |
153 | } else { | |
154 | $errormessage = "$Lang::tr{'guardian empty input'}"; | |
155 | } | |
156 | ||
157 | # Go further if there was no error. | |
158 | if ($errormessage eq '') { | |
7edbe063 SS |
159 | my %ignored = (); |
160 | my $id; | |
161 | my $status; | |
162 | ||
163 | # Assign hash values. | |
164 | my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'}; | |
165 | my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'}; | |
166 | ||
167 | # Read-in ignoredfile. | |
168 | &General::readhasharray($ignoredfile, \%ignored); | |
169 | ||
170 | # Check if we should edit an existing entry and got an ID. | |
171 | if (($settings{'ACTION'} eq $Lang::tr{'update'}) && ($settings{'ID'})) { | |
172 | # Assin the provided id. | |
173 | $id = $settings{'ID'}; | |
174 | ||
175 | # Undef the given ID. | |
176 | undef($settings{'ID'}); | |
177 | ||
178 | # Grab the configured status of the corresponding entry. | |
179 | $status = $ignored{$id}[2]; | |
180 | } else { | |
181 | # Each newly added entry automatically should be enabled. | |
182 | $status = "enabled"; | |
01dbccb1 | 183 | |
7edbe063 SS |
184 | # Generate the ID for the new entry. |
185 | # | |
d68ead3d | 186 | # Sort the keys by their ID and store them in an array. |
7edbe063 | 187 | my @keys = sort { $a <=> $b } keys %ignored; |
01dbccb1 | 188 | |
7edbe063 SS |
189 | # Reverse the key array. |
190 | my @reversed = reverse(@keys); | |
191 | ||
192 | # Obtain the last used id. | |
193 | my $last_id = @reversed[0]; | |
194 | ||
195 | # Increase the last id by one and use it as id for the new entry. | |
196 | $id = ++$last_id; | |
197 | } | |
198 | ||
199 | # Add/Modify the entry to/in the ignored hash. | |
200 | $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"]; | |
201 | ||
202 | # Write the changed ignored hash to the ignored file. | |
203 | &General::writehasharray($ignoredfile, \%ignored); | |
204 | ||
205 | # Regenerate the ignore file. | |
97849142 | 206 | &GenerateIgnoreFile(); |
01dbccb1 SS |
207 | } |
208 | ||
f8c3bfe0 SS |
209 | # Check if guardian is running. |
210 | if ($pid > 0) { | |
af6856af | 211 | # Send reload command through socket connection. |
1cc65323 | 212 | &Guardian::Socket::Client("reload-ignore-list"); |
f8c3bfe0 SS |
213 | } |
214 | ||
7edbe063 | 215 | ## Toggle Enabled/Disabled for an existing entry on the ignore list. |
01dbccb1 | 216 | # |
7edbe063 SS |
217 | |
218 | } elsif ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { | |
219 | my %ignored = (); | |
220 | ||
221 | # Only go further, if an ID has been passed. | |
222 | if ($settings{'ID'}) { | |
223 | # Assign the given ID. | |
224 | my $id = $settings{'ID'}; | |
225 | ||
226 | # Undef the given ID. | |
227 | undef($settings{'ID'}); | |
228 | ||
229 | # Read-in ignoredfile. | |
230 | &General::readhasharray($ignoredfile, \%ignored); | |
231 | ||
232 | # Grab the configured status of the corresponding entry. | |
233 | my $status = $ignored{$id}[2]; | |
234 | ||
235 | # Switch the status. | |
236 | if ($status eq "disabled") { | |
237 | $status = "enabled"; | |
238 | } else { | |
239 | $status = "disabled"; | |
240 | } | |
241 | ||
242 | # Modify the status of the existing entry. | |
243 | $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"]; | |
244 | ||
245 | # Write the changed ignored hash to the ignored file. | |
246 | &General::writehasharray($ignoredfile, \%ignored); | |
247 | ||
248 | # Regenerate the ignore file. | |
97849142 | 249 | &GenerateIgnoreFile(); |
7edbe063 SS |
250 | |
251 | # Check if guardian is running. | |
252 | if ($pid > 0) { | |
253 | # Send reload command through socket connection. | |
1cc65323 | 254 | &Guardian::Socket::Client("reload-ignore-list"); |
01dbccb1 SS |
255 | } |
256 | } | |
7edbe063 SS |
257 | |
258 | ## Remove entry from ignore list. | |
259 | # | |
260 | } elsif ($settings{'ACTION'} eq $Lang::tr{'remove'}) { | |
261 | my %ignored = (); | |
262 | ||
263 | # Read-in ignoredfile. | |
264 | &General::readhasharray($ignoredfile, \%ignored); | |
265 | ||
266 | # Drop entry from the hash. | |
267 | delete($ignored{$settings{'ID'}}); | |
268 | ||
269 | # Undef the given ID. | |
270 | undef($settings{'ID'}); | |
271 | ||
272 | # Write the changed ignored hash to the ignored file. | |
273 | &General::writehasharray($ignoredfile, \%ignored); | |
274 | ||
275 | # Regenerate the ignore file. | |
97849142 | 276 | &GenerateIgnoreFile(); |
01dbccb1 | 277 | |
f8c3bfe0 SS |
278 | # Check if guardian is running. |
279 | if ($pid > 0) { | |
af6856af | 280 | # Send reload command through socket connection. |
1cc65323 | 281 | &Guardian::Socket::Client("reload-ignore-list"); |
f8c3bfe0 SS |
282 | } |
283 | ||
01dbccb1 SS |
284 | ## Block a user given address or subnet. |
285 | # | |
286 | } elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) { | |
287 | ||
c973d6da SS |
288 | # Assign some temporary variables used for input validation. |
289 | my $input = $settings{'ADDRESS_BLOCK'}; | |
290 | my $green = $netsettings{'GREEN_ADDRESS'}; | |
291 | my $blue = $netsettings{'BLUE_ADDRESS'}; | |
292 | my $orange = $netsettings{'ORANGE_ADDRESS'}; | |
293 | my $red = $netsettings{'RED_ADDRESS'}; | |
01dbccb1 | 294 | |
c232e348 SS |
295 | # File declarations. |
296 | my $gatewayfile = "${General::swroot}/red/remote-ipaddress"; | |
297 | my $dns1file = "${General::swroot}/red/dns1"; | |
298 | my $dns2file = "${General::swroot}/red/dns2"; | |
299 | ||
c973d6da | 300 | # Get gateway address. |
c232e348 SS |
301 | my $gateway = &_get_address_from_file($gatewayfile); |
302 | ||
303 | # Get addresses from the used dns servers. | |
304 | my $dns1 = &_get_address_from_file($dns1file); | |
305 | my $dns2 = &_get_address_from_file($dns2file); | |
01dbccb1 | 306 | |
c973d6da SS |
307 | # Check if any input has been performed. |
308 | if ($input eq '') { | |
309 | $errormessage = "$Lang::tr{'guardian empty input'}"; | |
310 | } | |
311 | ||
312 | # Check if the given input is localhost (127.0.0.1). | |
313 | elsif ($input eq "127.0.0.1") { | |
314 | $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}"; | |
315 | } | |
316 | ||
317 | # Check if the given input is anywhere (0.0.0.0). | |
318 | elsif ($input eq "0.0.0.0") { | |
319 | $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}"; | |
320 | } | |
321 | ||
322 | # Check if the given input is one of the interface addresses or our gateway. | |
62fd0e6f | 323 | elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") { |
c973d6da SS |
324 | $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}"; |
325 | } | |
326 | ||
327 | # Check if the given input is a valid IP address. | |
328 | elsif (!&General::validip($input)) { | |
329 | $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; | |
330 | } | |
01dbccb1 SS |
331 | |
332 | # Go further if there was no error. | |
333 | if ($errormessage eq '') { | |
334 | my $block = $settings{'ADDRESS_BLOCK'}; | |
335 | ||
af6856af SS |
336 | # Send command to block the specified address through socket connection. |
337 | &Guardian::Socket::Client("block $block"); | |
01dbccb1 SS |
338 | } |
339 | ||
340 | ## Unblock address or subnet. | |
341 | # | |
342 | } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock'}) { | |
343 | ||
344 | # Check if no empty input has been performed. | |
345 | if ($settings{'ADDRESS_UNBLOCK'} ne '') { | |
346 | ||
347 | # Check if the given input is no valid IP-address or IP-address with subnet, display an error message. | |
348 | if ((!&General::validip($settings{'ADDRESS_UNBLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_UNBLOCK'}))) { | |
349 | $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; | |
350 | } | |
351 | ||
352 | } else { | |
353 | $errormessage = "$Lang::tr{'guardian empty input'}"; | |
354 | } | |
355 | ||
356 | # Go further if there was no error. | |
357 | if ($errormessage eq '') { | |
358 | my $unblock = $settings{'ADDRESS_UNBLOCK'}; | |
359 | ||
af6856af SS |
360 | # Send command to unblock the given address through socket connection. |
361 | &Guardian::Socket::Client("unblock $unblock"); | |
01dbccb1 SS |
362 | } |
363 | ||
364 | ## Unblock all. | |
365 | # | |
366 | } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock all'}) { | |
367 | ||
af6856af SS |
368 | # Send flush command through socket connection. |
369 | &Guardian::Socket::Client("flush"); | |
01dbccb1 SS |
370 | } |
371 | ||
7edbe063 | 372 | # Load settings from files. |
36dbcf2e | 373 | &General::readhash("${General::swroot}/guardian/settings", \%settings); |
7edbe063 | 374 | &General::readhasharray("${General::swroot}/guardian/ignored", \%ignored); |
01dbccb1 SS |
375 | |
376 | # Call functions to generate whole page. | |
377 | &showMainBox(); | |
378 | &showIgnoreBox(); | |
379 | ||
380 | # Display area only if guardian is running. | |
f8c3bfe0 | 381 | if ( ($memory != 0) && ($pid > 0) ) { |
01dbccb1 SS |
382 | &showBlockedBox(); |
383 | } | |
384 | ||
385 | # Function to display the status of guardian and allow base configuration. | |
386 | sub showMainBox() { | |
387 | my %checked = (); | |
7899718f | 388 | my %selected = (); |
01dbccb1 SS |
389 | |
390 | $checked{'GUARDIAN_ENABLED'}{'on'} = ''; | |
391 | $checked{'GUARDIAN_ENABLED'}{'off'} = ''; | |
392 | $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked'; | |
723648ac SS |
393 | $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} = ''; |
394 | $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} = ''; | |
395 | $checked{'GUARDIAN_MONITOR_SNORT'}{$settings{'GUARDIAN_MONITOR_SNORT'}} = "checked='checked'"; | |
396 | $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = ''; | |
397 | $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = ''; | |
398 | $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'"; | |
399 | $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = ''; | |
400 | $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = ''; | |
401 | $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'"; | |
402 | $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = ''; | |
403 | $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = ''; | |
404 | $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'"; | |
01dbccb1 | 405 | |
52958991 | 406 | $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected'; |
4a7fc9f6 | 407 | $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected'; |
52958991 | 408 | $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected'; |
2d17c6e6 | 409 | $selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected'; |
7899718f | 410 | |
01dbccb1 SS |
411 | &Header::openpage($Lang::tr{'guardian configuration'}, 1, ''); |
412 | &Header::openbigbox('100%', 'left', '', $errormessage); | |
413 | ||
414 | # Print errormessage if there is one. | |
415 | if ($errormessage) { | |
416 | &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); | |
417 | print "<font class='base'>$errormessage </font>\n"; | |
418 | &Header::closebox(); | |
419 | } | |
420 | ||
2daa1f5b SS |
421 | ### Java Script ### |
422 | print<<END; | |
423 | <script> | |
f617f21c | 424 | var update_options = function() { |
2daa1f5b SS |
425 | |
426 | var logfacility = \$("#GUARDIAN_LOG_FACILITY").val(); | |
f617f21c | 427 | var loglevel = \$("#GUARDIAN_LOGLEVEL").val(); |
2daa1f5b SS |
428 | |
429 | if (logfacility === undefined) | |
430 | return; | |
431 | ||
f617f21c SS |
432 | if (loglevel === undefined) |
433 | return; | |
434 | ||
435 | // Show / Hide input for specifying the path to the logfile. | |
2daa1f5b SS |
436 | if (logfacility === "file") { |
437 | \$(".GUARDIAN_LOGFILE").show(); | |
438 | } else { | |
439 | \$(".GUARDIAN_LOGFILE").hide(); | |
440 | } | |
f617f21c SS |
441 | |
442 | // Show / Hide loglevel debug if the facility is set to syslog. | |
443 | if (logfacility === "syslog") { | |
444 | \$("#loglevel_debug").hide(); | |
445 | } else { | |
446 | \$("#loglevel_debug").show(); | |
447 | } | |
448 | ||
449 | // Show / Hide logfacility syslog if the loglevel is set to debug. | |
450 | if (loglevel === "debug") { | |
451 | \$("#logfacility_syslog").hide(); | |
452 | } else { | |
453 | \$("#logfacility_syslog").show(); | |
454 | } | |
2daa1f5b SS |
455 | }; |
456 | ||
457 | \$(document).ready(function() { | |
f617f21c SS |
458 | \$("#GUARDIAN_LOG_FACILITY").change(update_options); |
459 | \$("#GUARDIAN_LOGLEVEL").change(update_options); | |
460 | update_options(); | |
2daa1f5b SS |
461 | |
462 | // Show / Hide snort priority level option, based if | |
463 | // snort is enabled / disabled. | |
464 | if (\$('input[name=GUARDIAN_MONITOR_SNORT]:checked').val() == 'on') { | |
465 | \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').show(); | |
466 | } else { | |
467 | \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').hide(); | |
468 | } | |
469 | ||
470 | // Show/Hide snort priority level when GUARDIAN_MONITOR_SNORT get changed. | |
471 | \$('input[name=GUARDIAN_MONITOR_SNORT]').change(function() { | |
472 | \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').toggle(); | |
473 | }); | |
474 | }); | |
475 | </script> | |
476 | END | |
477 | ||
478 | ||
01dbccb1 SS |
479 | |
480 | # Draw current guardian state. | |
481 | &Header::openbox('100%', 'center', $Lang::tr{'guardian'}); | |
482 | ||
f8c3bfe0 | 483 | # Get current status of guardian. |
01dbccb1 | 484 | &daemonstats(); |
922ddf0e | 485 | $pid = $pid[0]; |
01dbccb1 SS |
486 | |
487 | # Display some useful information related to guardian, if daemon is running. | |
f8c3bfe0 | 488 | if ( ($memory != 0) && ($pid > 0) ){ |
01dbccb1 SS |
489 | print <<END; |
490 | <table width='95%' cellspacing='0' class='tbl'> | |
491 | <tr> | |
492 | <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th> | |
493 | </tr> | |
494 | <tr> | |
495 | <td class='base'>$Lang::tr{'guardian daemon'}</td> | |
496 | <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td> | |
497 | </tr> | |
498 | <tr> | |
499 | <td class='base'></td> | |
500 | <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td> | |
501 | <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td> | |
502 | </tr> | |
503 | <tr> | |
504 | <td class='base'></td> | |
922ddf0e | 505 | <td bgcolor='$color{'color22'}' align='center'>$pid</td> |
01dbccb1 SS |
506 | <td bgcolor='$color{'color22'}' align='center'>$memory KB</td> |
507 | </tr> | |
508 | </table> | |
509 | END | |
510 | } else { | |
511 | # Otherwise display a hint that the service is not launched. | |
512 | print <<END; | |
513 | <table width='95%' cellspacing='0' class='tbl'> | |
514 | <tr> | |
515 | <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th> | |
516 | </tr> | |
517 | <tr> | |
518 | <td class='base'>$Lang::tr{'guardian daemon'}</td> | |
519 | <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td> | |
520 | </tr> | |
521 | </table> | |
522 | END | |
523 | } | |
524 | ||
525 | &Header::closebox(); | |
526 | ||
527 | # Draw elements for guardian configuration. | |
528 | &Header::openbox('100%', 'center', $Lang::tr{'guardian configuration'}); | |
529 | ||
530 | print <<END; | |
531 | <form method='post' action='$ENV{'SCRIPT_NAME'}'> | |
532 | ||
533 | <table width='95%'> | |
534 | <tr> | |
d2fea55e | 535 | <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td> |
01dbccb1 | 536 | </tr> |
c5f633c9 | 537 | |
01dbccb1 | 538 | <tr> |
c5f633c9 | 539 | <td width='25%' class='base'>$Lang::tr{'guardian enabled'}:</td> |
d2fea55e | 540 | <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td> |
01dbccb1 | 541 | </tr> |
c5f633c9 | 542 | |
26fcd31e SS |
543 | <tr> |
544 | <td colspan='2'><br></td> | |
545 | </tr> | |
c5f633c9 | 546 | |
26fcd31e | 547 | <tr> |
c5f633c9 | 548 | <td width='25%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td> |
723648ac SS |
549 | <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> / |
550 | <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td> | |
26fcd31e | 551 | </tr> |
c5f633c9 | 552 | |
26fcd31e | 553 | <tr> |
c5f633c9 | 554 | <td width='25%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td> |
723648ac SS |
555 | <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> / |
556 | <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td> | |
26fcd31e | 557 | </tr> |
c5f633c9 | 558 | |
26fcd31e | 559 | <tr> |
c5f633c9 | 560 | <td width='25%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td> |
723648ac SS |
561 | <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> / |
562 | <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td> | |
26fcd31e | 563 | </tr> |
28981fac | 564 | END |
c5f633c9 | 565 | |
28981fac SS |
566 | # Display owncloud checkbox when the addon is installed. |
567 | if ( -e "$owncloud_meta" ) { | |
568 | print"<tr>\n"; | |
c5f633c9 | 569 | print"<td width='25%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n"; |
723648ac SS |
570 | print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n"; |
571 | print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n"; | |
28981fac SS |
572 | print"</tr>\n"; |
573 | } | |
574 | print <<END; | |
52958991 SS |
575 | <tr> |
576 | <td colspan='2'><br></td> | |
577 | </tr> | |
c5f633c9 | 578 | |
52958991 SS |
579 | <tr> |
580 | <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td> | |
c5f633c9 MF |
581 | <td width='25%'><select id='GUARDIAN_LOG_FACILITY' name='GUARDIAN_LOG_FACILITY'> |
582 | <option id='logfacility_syslog' value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>$Lang::tr{'guardian logtarget_syslog'}</option> | |
583 | <option id='logfacility_file' value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>$Lang::tr{'guardian logtarget_file'}</option> | |
584 | <option id='logfacility_console' value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>$Lang::tr{'guardian logtarget_console'}</option> | |
585 | </select></td> | |
586 | ||
587 | <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td> | |
588 | <td width='25%'><select id='GUARDIAN_LOGLEVEL' name='GUARDIAN_LOGLEVEL'> | |
589 | <option id='loglevel_off' value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>$Lang::tr{'guardian loglevel_off'}</option> | |
590 | <option id='loglevel_info' value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>$Lang::tr{'guardian loglevel_info'}</option> | |
591 | <option id='loglevel_debug' value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>$Lang::tr{'guardian loglevel_debug'}</option> | |
52958991 SS |
592 | </select></td> |
593 | </tr> | |
c5f633c9 MF |
594 | |
595 | <tr class="GUARDIAN_LOGFILE"> | |
26fcd31e SS |
596 | <td colspan='2'><br></td> |
597 | </tr> | |
c5f633c9 MF |
598 | |
599 | <tr class="GUARDIAN_LOGFILE"> | |
600 | <td width='25%' class='base'>$Lang::tr{'guardian logfile'}:</td> | |
601 | <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td> | |
7899718f | 602 | </tr> |
c5f633c9 | 603 | |
2daa1f5b | 604 | <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL"> |
a35a0668 SS |
605 | <td colspan='2'><br></td> |
606 | </tr> | |
c5f633c9 | 607 | |
2daa1f5b | 608 | <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL"> |
4a7fc9f6 | 609 | <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td> |
52958991 | 610 | <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'> |
c5f633c9 MF |
611 | <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>$Lang::tr{'guardian priolevel_high'}</option> |
612 | <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>$Lang::tr{'guardian priolevel_medium'}</option> | |
613 | <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>$Lang::tr{'guardian priolevel_low'}</option> | |
614 | <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>$Lang::tr{'guardian priolevel_very_low'}</option> | |
4a7fc9f6 | 615 | </select></td> |
c5f633c9 MF |
616 | |
617 | <td width='25%' class='base'>$Lang::tr{'guardian blockcount'}:</td> | |
618 | <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td> | |
4a7fc9f6 | 619 | </tr> |
c5f633c9 | 620 | |
4a7fc9f6 SS |
621 | <tr> |
622 | <td colspan='2'><br></td> | |
623 | </tr> | |
c5f633c9 | 624 | |
2d17c6e6 | 625 | <tr> |
c5f633c9 | 626 | <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td> |
2d17c6e6 SS |
627 | <td><select name='GUARDIAN_FIREWALL_ACTION'> |
628 | <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option> | |
629 | <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option> | |
630 | </select></td> | |
c5f633c9 MF |
631 | |
632 | <td width='25%' class='base'>$Lang::tr{'guardian blocktime'}:</td> | |
d2fea55e | 633 | <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td> |
01dbccb1 | 634 | </tr> |
c5f633c9 | 635 | |
01dbccb1 SS |
636 | </table> |
637 | END | |
638 | ||
639 | print <<END; | |
640 | <hr> | |
641 | ||
642 | <table width='95%'> | |
643 | <tr> | |
644 | <td> </td> | |
645 | <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> | |
646 | <td> </td> | |
647 | </tr> | |
648 | </table> | |
649 | </form> | |
650 | END | |
651 | ||
652 | &Header::closebox(); | |
653 | } | |
654 | ||
655 | # Function to show elements of the guardian ignorefile and allow to add or remove single members of it. | |
656 | sub showIgnoreBox() { | |
657 | &Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'}); | |
658 | ||
659 | print <<END; | |
7edbe063 | 660 | <table width='80%'> |
01dbccb1 | 661 | <tr> |
7edbe063 SS |
662 | <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td> |
663 | <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td> | |
664 | <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> | |
01dbccb1 SS |
665 | </tr> |
666 | END | |
d68ead3d | 667 | # Check if some hosts have been added to be ignored. |
7edbe063 | 668 | if (keys (%ignored)) { |
01dbccb1 SS |
669 | my $col = ""; |
670 | ||
d68ead3d | 671 | # Loop through all entries of the hash. |
7edbe063 SS |
672 | while( (my $key) = each %ignored) { |
673 | # Assign data array positions to some nice variable names. | |
674 | my $address = $ignored{$key}[0]; | |
675 | my $remark = $ignored{$key}[1]; | |
676 | my $status = $ignored{$key}[2]; | |
677 | ||
678 | # Check if the key (id) number is even or not. | |
679 | if ($settings{'ID'} eq $key) { | |
680 | $col="bgcolor='${Header::colouryellow}'"; | |
681 | } elsif ($key % 2) { | |
01dbccb1 SS |
682 | $col="bgcolor='$color{'color22'}'"; |
683 | } else { | |
684 | $col="bgcolor='$color{'color20'}'"; | |
685 | } | |
686 | ||
7edbe063 SS |
687 | # Choose icon for the checkbox. |
688 | my $gif; | |
689 | my $gdesc; | |
690 | ||
691 | # Check if the status is enabled and select the correct image and description. | |
692 | if ($status eq 'enabled' ) { | |
693 | $gif = 'on.gif'; | |
694 | $gdesc = $Lang::tr{'click to disable'}; | |
695 | } else { | |
696 | $gif = 'off.gif'; | |
697 | $gdesc = $Lang::tr{'click to enable'}; | |
698 | } | |
699 | ||
01dbccb1 SS |
700 | print <<END; |
701 | <tr> | |
7edbe063 SS |
702 | <td width='20%' class='base' $col>$address</td> |
703 | <td width='65%' class='base' $col>$remark</td> | |
704 | ||
705 | <td align='center' $col> | |
706 | <form method='post' action='$ENV{'SCRIPT_NAME'}'> | |
707 | <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> | |
708 | <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' /> | |
709 | <input type='hidden' name='ID' value='$key' /> | |
710 | </form> | |
711 | </td> | |
712 | ||
713 | <td align='center' $col> | |
714 | <form method='post' action='$ENV{'SCRIPT_NAME'}'> | |
715 | <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> | |
716 | <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> | |
717 | <input type='hidden' name='ID' value='$key' /> | |
718 | </form> | |
719 | </td> | |
720 | ||
721 | <td align='center' $col> | |
722 | <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'> | |
01dbccb1 | 723 | <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'> |
7edbe063 | 724 | <input type='hidden' name='ID' value='$key'> |
01dbccb1 SS |
725 | <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'> |
726 | </form> | |
727 | </td> | |
728 | </tr> | |
729 | END | |
730 | } | |
01dbccb1 | 731 | } else { |
7edbe063 | 732 | # Print notice that currently no hosts are ignored. |
01dbccb1 SS |
733 | print "<tr>\n"; |
734 | print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; | |
735 | print "</tr>\n"; | |
736 | } | |
737 | ||
738 | print "</table>\n"; | |
739 | ||
7edbe063 | 740 | # Section to add new elements or edit existing ones. |
01dbccb1 | 741 | print <<END; |
1d5702a7 | 742 | <br> |
7edbe063 SS |
743 | <hr> |
744 | <br> | |
745 | ||
1d5702a7 | 746 | <div align='center'> |
7edbe063 SS |
747 | <table width='100%'> |
748 | END | |
749 | ||
750 | # Assign correct headline and button text. | |
751 | my $buttontext; | |
752 | my $entry_address; | |
753 | my $entry_remark; | |
754 | ||
755 | # Check if an ID (key) has been given, in this case an existing entry should be edited. | |
756 | if ($settings{'ID'} ne '') { | |
757 | $buttontext = $Lang::tr{'update'}; | |
758 | print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n"; | |
759 | ||
760 | # Grab address and remark for the given key. | |
761 | $entry_address = $ignored{$settings{'ID'}}[0]; | |
762 | $entry_remark = $ignored{$settings{'ID'}}[1]; | |
763 | } else { | |
764 | $buttontext = $Lang::tr{'add'}; | |
765 | print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n"; | |
766 | } | |
767 | ||
768 | print <<END; | |
01dbccb1 | 769 | <form method='post' action='$ENV{'SCRIPT_NAME'}'> |
7edbe063 | 770 | <input type='hidden' name='ID' value='$settings{'ID'}'> |
01dbccb1 | 771 | <tr> |
7edbe063 SS |
772 | <td width='30%'>$Lang::tr{'ip address'}: </td> |
773 | <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td> | |
774 | ||
775 | <td width='30%'>$Lang::tr{'remark'}: </td> | |
776 | <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td> | |
777 | <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td> | |
01dbccb1 SS |
778 | </tr> |
779 | </form> | |
780 | </table> | |
781 | </div> | |
782 | END | |
1d5702a7 SS |
783 | |
784 | &Header::closebox(); | |
01dbccb1 SS |
785 | } |
786 | ||
d68ead3d | 787 | # Function to list currently blocked addresses from guardian and unblock them or add custom entries to block. |
01dbccb1 SS |
788 | sub showBlockedBox() { |
789 | &Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'}); | |
790 | ||
01dbccb1 SS |
791 | print <<END; |
792 | <table width='60%'> | |
793 | <tr> | |
794 | <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td> | |
795 | </tr> | |
796 | END | |
797 | ||
d68ead3d | 798 | # Launch function to get the currently blocked hosts. |
5f462919 SS |
799 | my @blocked_hosts = &GetBlockedHosts(); |
800 | ||
01dbccb1 | 801 | my $id = 0; |
01dbccb1 | 802 | my $col = ""; |
01dbccb1 | 803 | |
5f462919 SS |
804 | # Loop through our blocked hosts array. |
805 | foreach my $blocked_host (@blocked_hosts) { | |
01dbccb1 SS |
806 | |
807 | # Increase id number for each element in the ignore file. | |
808 | $id++; | |
809 | ||
810 | # Check if the id number is even or not. | |
811 | if ($id % 2) { | |
812 | $col="bgcolor='$color{'color22'}'"; | |
813 | } else { | |
814 | $col="bgcolor='$color{'color20'}'"; | |
815 | } | |
816 | ||
817 | print <<END; | |
818 | <tr> | |
8b8413e5 | 819 | <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td> |
01dbccb1 SS |
820 | <td width='20%' align='center' $col> |
821 | <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'> | |
822 | <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'> | |
823 | <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'> | |
824 | <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'> | |
825 | </form> | |
826 | </td> | |
827 | </tr> | |
828 | END | |
829 | } | |
830 | ||
d68ead3d | 831 | # If the loop only has been run once the id still is "0", which means there are no |
01dbccb1 SS |
832 | # additional entries (blocked hosts) in the iptables chain. |
833 | if ($id == 0) { | |
834 | ||
835 | # Print notice that currently no hosts are blocked. | |
836 | print "<tr>\n"; | |
837 | print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; | |
838 | print "</tr>\n"; | |
839 | } | |
840 | ||
841 | print "</table>\n"; | |
842 | ||
01dbccb1 SS |
843 | # Section for a manual block of an IP-address. |
844 | print <<END; | |
1d5702a7 SS |
845 | <br> |
846 | <div align='center'> | |
847 | <table width='60%' border='0'> | |
01dbccb1 SS |
848 | <form method='post' action='$ENV{'SCRIPT_NAME'}'> |
849 | <tr> | |
850 | <td width='30%'>$Lang::tr{'guardian block a host'}: </td> | |
851 | <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td> | |
852 | <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td> | |
853 | <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td> | |
854 | </tr> | |
855 | </form> | |
856 | </table> | |
857 | </div> | |
858 | END | |
1d5702a7 SS |
859 | |
860 | &Header::closebox(); | |
01dbccb1 SS |
861 | } |
862 | ||
863 | &Header::closebigbox(); | |
864 | &Header::closepage(); | |
865 | ||
866 | # Function to check if guardian has been started. | |
867 | # Grab process id and consumed memory if the daemon is running. | |
868 | sub daemonstats() { | |
869 | $memory = 0; | |
870 | # for pid and memory | |
871 | open(FILE, '/usr/local/bin/addonctrl guardian status | '); | |
872 | @guardian = <FILE>; | |
873 | close(FILE); | |
874 | $string = join("", @guardian); | |
875 | $string =~ s/[a-z_]//gi; | |
876 | $string =~ s/\[[0-1]\;[0-9]+//gi; | |
877 | $string =~ s/[\(\)\.]//gi; | |
878 | $string =~ s/ //gi; | |
879 | $string =~ s/\e//gi; | |
880 | @pid = split(/\s/,$string); | |
881 | if (open(FILE, "/proc/$pid[0]/statm")){ | |
882 | my $temp = <FILE>; | |
883 | @memory = split(/ /,$temp); | |
884 | close(FILE); | |
885 | } | |
886 | $memory+=$memory[0]; | |
887 | } | |
888 | ||
5f462919 | 889 | sub GetBlockedHosts() { |
5f462919 SS |
890 | # Create new, empty array. |
891 | my @hosts; | |
892 | ||
d68ead3d | 893 | # Launch helper to get chains from iptables. |
891ba055 SS |
894 | system('/usr/local/bin/getipstat'); |
895 | ||
896 | # Open temporary file which contains the chains and rules. | |
d68ead3d | 897 | open (FILE, '/var/tmp/iptables.txt'); |
891ba055 SS |
898 | |
899 | # Loop through the entire file. | |
900 | while (<FILE>) { | |
901 | my $line = $_; | |
902 | ||
903 | # Search for the guardian chain and extract | |
904 | # the lines between it and the next empty line | |
905 | # which is placed before the next firewall | |
906 | # chain starts. | |
907 | if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) { | |
908 | # Skip descriptive lines. | |
909 | next if ($line =~ /^Chain/); | |
910 | next if ($line =~ /^ pkts/); | |
911 | ||
d68ead3d | 912 | # Generate array, based on the line content (separator is a single or multiple space) |
891ba055 SS |
913 | my @comps = split(/\s{1,}/, $line); |
914 | my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps; | |
915 | ||
916 | # Assign different variable names. | |
917 | my $blocked_host = $source; | |
918 | ||
919 | # Add host to our hosts array. | |
920 | if ($blocked_host) { | |
921 | push(@hosts, $blocked_host); | |
922 | } | |
923 | } | |
924 | } | |
5f462919 | 925 | |
891ba055 SS |
926 | # Close filehandle. |
927 | close(FILE); | |
5f462919 | 928 | |
891ba055 | 929 | # Remove recently created temporary files of the "getipstat" binary. |
d68ead3d MF |
930 | system("rm -f /var/tmp/iptables.txt"); |
931 | system("rm -f /var/tmp/iptablesmangle.txt"); | |
932 | system("rm -f /var/tmp/iptablesnat.txt"); | |
5f462919 SS |
933 | |
934 | # Convert entries, sort them, write back and store the sorted entries into new array. | |
935 | my @sorted = map { $_->[0] } | |
936 | sort { $a->[1] <=> $b->[1] } | |
937 | map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/\./, $_))] } | |
938 | @hosts; | |
939 | ||
940 | # Return our sorted list. | |
941 | return @sorted | |
942 | } | |
943 | ||
01dbccb1 SS |
944 | sub BuildConfiguration() { |
945 | my %settings = (); | |
946 | &General::readhash("${General::swroot}/guardian/settings", \%settings); | |
947 | ||
948 | my $configfile = "${General::swroot}/guardian/guardian.conf"; | |
949 | ||
d68ead3d | 950 | # Create the configfile if none exists yet. |
c880c2cb SS |
951 | unless (-e "$configfile") { system("touch $configfile"); } |
952 | ||
7f728591 | 953 | # Open configfile for writing. |
01dbccb1 SS |
954 | open(FILE, ">$configfile"); |
955 | ||
52958991 SS |
956 | # Config file header. |
957 | print FILE "# Autogenerated configuration file.\n"; | |
958 | print FILE "# All user modifications will be overwritten.\n\n"; | |
28981fac | 959 | |
52958991 SS |
960 | # Settings for the logging mechanism. |
961 | print FILE "# Log settings.\n"; | |
962 | print FILE "LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n"; | |
963 | ||
964 | if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") { | |
965 | print FILE "LogFile = $settings{'GUARDIAN_LOGFILE'}\n"; | |
28981fac SS |
966 | } |
967 | ||
52958991 SS |
968 | print FILE "LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n"; |
969 | ||
970 | # IPFire related static settings. | |
971 | print FILE "# IPFire related settings.\n"; | |
972 | print FILE "FirewallEngine = IPtables\n"; | |
973 | print FILE "SocketOwner = nobody:nobody\n"; | |
974 | print FILE "IgnoreFile = $ignorefile\n\n"; | |
975 | ||
976 | # Configured block values. | |
2d17c6e6 | 977 | print FILE "# Configured block settings.\n"; |
52958991 | 978 | print FILE "BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n"; |
2d17c6e6 SS |
979 | print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n"; |
980 | print FILE "FirewallAction = $settings{'GUARDIAN_FIREWALL_ACTION'}\n\n"; | |
52958991 SS |
981 | |
982 | # Enabled modules. | |
983 | # Loop through whole settings hash. | |
984 | print FILE "# Enabled modules.\n"; | |
985 | foreach my $option (keys %settings) { | |
986 | # Search for enabled modules. | |
987 | if ($option =~ /GUARDIAN_MONITOR_(.*)/) { | |
988 | # Skip if module is not enabled. | |
989 | next unless($settings{$option} eq "on"); | |
990 | ||
991 | # Skip module if no file location is available. | |
992 | next unless(exists($module_file_locations{$1})); | |
993 | ||
994 | # Add enabled module and defined path to the config file. | |
995 | print FILE "Monitor_$1 = $module_file_locations{$1}\n"; | |
996 | } | |
997 | } | |
998 | ||
999 | # Module settings. | |
1000 | print FILE "\n# Module settings.\n"; | |
1001 | # Check if SNORT is enabled and add snort priority. | |
1002 | if ($settings{'GUARDIAN_MONITOR_SNORT'} eq "on") { | |
1003 | print FILE "SnortPriorityLevel = $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}\n"; | |
1004 | } | |
01dbccb1 SS |
1005 | |
1006 | close(FILE); | |
1007 | ||
efd9c5ff SS |
1008 | # Generate ignore file. |
1009 | &GenerateIgnoreFile(); | |
1010 | ||
f8c3bfe0 SS |
1011 | # Check if guardian should be started or stopped. |
1012 | if($settings{'GUARDIAN_ENABLED'} eq 'on') { | |
1013 | if($pid > 0) { | |
af6856af SS |
1014 | # Send reload command through socket connection. |
1015 | &Guardian::Socket::Client("reload"); | |
f8c3bfe0 SS |
1016 | } else { |
1017 | # Launch guardian. | |
af6856af | 1018 | system("/usr/local/bin/addonctrl guardian start &>/dev/null"); |
f8c3bfe0 | 1019 | } |
01dbccb1 | 1020 | } else { |
f8c3bfe0 | 1021 | # Stop the daemon. |
af6856af | 1022 | system("/usr/local/bin/addonctrl guardian stop &>/dev/null"); |
01dbccb1 SS |
1023 | } |
1024 | } | |
97849142 SS |
1025 | |
1026 | sub GenerateIgnoreFile() { | |
1027 | my %ignored = (); | |
1028 | ||
1029 | # Read-in ignoredfile. | |
1030 | &General::readhasharray($ignoredfile, \%ignored); | |
1031 | ||
c880c2cb SS |
1032 | # Create the guardian.ignore file if not exist yet. |
1033 | unless (-e "$ignorefile") { system("touch $ignorefile"); } | |
1034 | ||
97849142 SS |
1035 | # Open ignorefile for writing. |
1036 | open(FILE, ">$ignorefile"); | |
1037 | ||
1038 | # Config file header. | |
1039 | print FILE "# Autogenerated configuration file.\n"; | |
1040 | print FILE "# All user modifications will be overwritten.\n\n"; | |
1041 | ||
1042 | # Add IFPire interfaces and gateway to the ignore file. | |
1043 | # | |
1044 | # Assign some temporary variables for the IPFire interfaces. | |
1045 | my $green = $netsettings{'GREEN_ADDRESS'}; | |
1046 | my $blue = $netsettings{'BLUE_ADDRESS'}; | |
1047 | my $orange = $netsettings{'ORANGE_ADDRESS'}; | |
97849142 SS |
1048 | |
1049 | # File declarations. | |
1cc65323 | 1050 | my $public_address_file = "${General::swroot}/red/local-ipaddress"; |
97849142 SS |
1051 | my $gatewayfile = "${General::swroot}/red/remote-ipaddress"; |
1052 | my $dns1file = "${General::swroot}/red/dns1"; | |
1053 | my $dns2file = "${General::swroot}/red/dns2"; | |
1054 | ||
97849142 SS |
1055 | # Write the obtained addresses to the ignore file. |
1056 | print FILE "# IPFire local interfaces.\n"; | |
1057 | print FILE "$green\n"; | |
1058 | ||
1059 | # Check if a blue interface exists. | |
1060 | if ($blue) { | |
1061 | # Add blue address. | |
1062 | print FILE "$blue\n"; | |
1063 | } | |
1064 | ||
1065 | # Check if an orange interface exists. | |
1066 | if ($orange) { | |
1067 | # Add orange address. | |
1068 | print FILE "$orange\n"; | |
1069 | } | |
1070 | ||
1071 | print FILE "\n# IPFire red interface, gateway and used DNS-servers.\n"; | |
1cc65323 SS |
1072 | print FILE "# Include the corresponding files to obtain the addresses.\n"; |
1073 | print FILE "Include_File = $public_address_file\n"; | |
1074 | print FILE "Include_File = $gatewayfile\n"; | |
1075 | print FILE "Include_File = $dns1file\n"; | |
1076 | print FILE "Include_File = $dns2file\n"; | |
97849142 SS |
1077 | |
1078 | # Add all user defined hosts and networks to the ignore file. | |
1079 | # | |
1080 | # Check if the hash contains any elements. | |
1081 | if (keys (%ignored)) { | |
1082 | # Write headline. | |
1cc65323 | 1083 | print FILE "\n# User defined hosts/networks.\n"; |
97849142 SS |
1084 | |
1085 | # Loop through the entire hash and write the host/network | |
1086 | # and remark to the ignore file. | |
1087 | while ( (my $key) = each %ignored) { | |
1088 | my $address = $ignored{$key}[0]; | |
1089 | my $remark = $ignored{$key}[1]; | |
1090 | my $status = $ignored{$key}[2]; | |
1091 | ||
1092 | # Check if the status of the entry is "enabled". | |
1093 | if ($status eq "enabled") { | |
1094 | # Check if the address/network is valid. | |
1095 | if ((&General::validip($address)) || (&General::validipandmask($address))) { | |
1096 | # Write the remark to the file. | |
1097 | print FILE "# $remark\n"; | |
1098 | ||
1099 | # Write the address/network to the ignore file. | |
1100 | print FILE "$address\n\n"; | |
1101 | } | |
1102 | } | |
1103 | } | |
1104 | } | |
1105 | ||
1106 | close(FILE); | |
1107 | } | |
1108 | ||
1109 | # Private subfunction to obtain IP-addresses from given file names. | |
1110 | # | |
1111 | sub _get_address_from_file ($) { | |
1112 | my $file = shift; | |
1113 | ||
1114 | # Check if the file exists. | |
1115 | if (-e $file) { | |
1116 | # Open the given file. | |
1117 | open(FILE, "$file") or die "Could not open $file."; | |
1118 | ||
1119 | # Obtain the address from the first line of the file. | |
1120 | my $address = <FILE>; | |
1121 | ||
1122 | # Close filehandle | |
1123 | close(FILE); | |
1124 | ||
1125 | # Remove newlines. | |
1126 | chomp $address; | |
1127 | ||
1128 | # Check if the grabbed address is valid. | |
1129 | if (&General::validip($address)) { | |
1130 | # Return the address. | |
1131 | return $address; | |
1132 | } | |
1133 | } | |
1134 | ||
1135 | # Return nothing. | |
1136 | return; | |
1137 | } |