From 9f9b2b8ebc2751064503fed22602f7608d8c316e Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 9 Jan 2020 09:15:05 +0100
Subject: [PATCH] guardian: Remove code for DNS servers.
In the past this code was used to add the DNS servers to the ignore list and prevent them from being blocked by guardian. Because of the switch to suricata as IPS, guardian now prevents from password brute-forcing on SSH and/or the webserver, so this code is not longer needed and safly can be removed.
Signed-off-by: Stefan Schantl
---
 html/cgi-bin/guardian.cgi | 44 ++-------------------------------------
 lfs/guardian | 2 +-
 2 files changed, 3 insertions(+), 43 deletions(-)
diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi
index 36d84bb5b8..71316523fa 100644
--- a/html/cgi-bin/guardian.cgi
+++ b/html/cgi-bin/guardian.cgi
@@ -280,15 +280,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 # File declarations.
 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
- my $dns1file = "${General::swroot}/red/dns1";
- my $dns2file = "${General::swroot}/red/dns2";
 # Get gateway address.
- my $gateway = &_get_address_from_file($gatewayfile);
-
- # Get addresses from the used dns servers.
- my $dns1 = &_get_address_from_file($dns1file);
- my $dns2 = &_get_address_from_file($dns2file);
+ my $gateway = &General::grab_address_from_file($gatewayfile);
 # Check if any input has been performed.
 if ($input eq '') {
@@ -306,7 +300,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 }
 # Check if the given input is one of the interface addresses or our gateway.
- elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") {
+ elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
 }
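Review bot: `General::grab_address_from_file` is called on the added line but is not defined anywhere in this patch, while the private helper it replaces is deleted in the last guardian.cgi hunk. If the companion change to the General module is not already in the tree, the save action will die at this call. The removed helper returned an address only after `General::validip` accepted it and returned nothing for a missing file, so the replacement should be confirmed to keep both behaviours, since its result feeds the self-lockout check further down. A comment above the call such as `# Returns nothing when the file is missing or does not hold a valid IP.` would record that contract. The enclosing `if` block starts and ends outside the hunk.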
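Review bot: The rewritten `elsif` line still interpolates `"$gateway"`, which may be undefined when the remote-ipaddress file is absent (assuming the new helper returns nothing in that case, as the removed one did). That yields an uninitialized-value warning under `use warnings` and silently compares against an empty string. Making the guard explicit keeps the check readable: `|| (defined $gateway && $input eq $gateway)) {`. The comment above the condition could also state the new policy, for example `# DNS servers are intentionally no longer protected: guardian only reacts to SSH/httpd login failures.`, so that a later reader does not take the missing DNS entries for an oversight. The same quoting pattern on `$green`, `$blue`, `$orange` and `$red` is set outside the hunk and was not checked.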
@@ -989,8 +983,6 @@ sub GenerateIgnoreFile() {
 # File declarations.
 my $public_address_file = "${General::swroot}/red/local-ipaddress";
 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
- my $dns1file = "${General::swroot}/red/dns1";
- my $dns2file = "${General::swroot}/red/dns2";
 # Write the obtained addresses to the ignore file.
 print FILE "# IPFire local interfaces.\n";
@@ -1012,8 +1004,6 @@ sub GenerateIgnoreFile() {
 print FILE "# Include the corresponding files to obtain the addresses.\n";
 print FILE "Include_File = $public_address_file\n";
 print FILE "Include_File = $gatewayfile\n";
- print FILE "Include_File = $dns1file\n";
- print FILE "Include_File = $dns2file\n";
 # Add all user defined hosts and networks to the ignore file.
 #
@@ -1045,33 +1035,3 @@ sub GenerateIgnoreFile() {
 close(FILE);
 }
-
-# Private subfunction to obtain IP-addresses from given file names.
-#
-sub _get_address_from_file ($) {
- my $file = shift;
-
- # Check if the file exists.
- if (-e $file) {
- # Open the given file.
- open(FILE, "$file") or die "Could not open $file.";
-
- # Obtain the address from the first line of the file.
- my $address = ;
-
- # Close filehandle
- close(FILE);
-
- # Remove newlines.
- chomp $address;
-
- # Check if the grabbed address is valid.
- if (&General::validip($address)) {
- # Return the address.
- return $address;
- }
- }
-
- # Return nothing.
- return;
-}
diff --git a/lfs/guardian b/lfs/guardian
index 31d1dcb43c..a40480c0c8 100644
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = guardian
-PAK_VER = 17
+PAK_VER = 18
 DEPS = "perl-inotify2 perl-Net-IP"
--
2.39.5