Merge remote-tracking branch 'origin/master' into next
[ipfire-2.x.git] / html / cgi-bin / guardian.cgi
index eddbb6e956127c5ad29ba16454bc962e2ec4a6f4..6144aca025a71dcf67673b80f9ac96992bfb749d 100644 (file)
@@ -52,8 +52,7 @@ my $ignorefile ='/var/ipfire/guardian/guardian.ignore';
 # file locations on IPFire systems.
 my %module_file_locations = (
        "HTTPD" => "/var/log/httpd/error_log",
-       "OWNCLOUD" => "/var/owncloud/data/owncloud.log",
-       "SNORT" => "/var/log/snort.alert",
+       "SNORT" => "/var/log/snort/alert",
        "SSH" => "/var/log/messages",
 );
 
@@ -65,11 +64,6 @@ our %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
 
-# Pakfire meta file for owncloud.
-# (File exists when the addon is installed.)
-my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud";
-
-
 # File declarations.
 my $settingsfile = "${General::swroot}/guardian/settings";
 my $ignoredfile = "${General::swroot}/guardian/ignored";
@@ -92,14 +86,10 @@ $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog';
 $settings{'GUARDIAN_LOGLEVEL'} = 'info';
 $settings{'GUARDIAN_BLOCKCOUNT'} = '3';
 $settings{'GUARDIAN_BLOCKTIME'} = '86400';
+$settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP';
 $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
 $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3';
 
-# Default settings for owncloud if installed.
-if ( -e "$owncloud_meta") {
-       $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off';
-}
-
 my $errormessage = '';
 
 &Header::showhttpheaders();
@@ -119,7 +109,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
                        $errormessage = "$Lang::tr{'guardian invalid blocktime'}";
        }
 
-       # Check if the bloccount is valid.
+       # Check if the blockcount is valid.
        unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) {
                        $errormessage = "$Lang::tr{'guardian invalid blockcount'}";
        }
@@ -182,7 +172,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 
                        # Generate the ID for the new entry.
                        #
-                       # Sort the keys by it's ID and store them in an array.
+                       # Sort the keys by their ID and store them in an array.
                        my @keys = sort { $a <=> $b } keys %ignored;
 
                        # Reverse the key array.
@@ -202,13 +192,13 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
                &General::writehasharray($ignoredfile, \%ignored);
 
                # Regenerate the ignore file.
-               &GenerateIgnoreFile();
+               &GenerateIgnoreFile();
        }
 
        # Check if guardian is running.
        if ($pid > 0) {
                # Send reload command through socket connection.
-               &Guardian::Socket::Client("reload");
+               &Guardian::Socket::Client("reload-ignore-list");
        }
 
 ## Toggle Enabled/Disabled for an existing entry on the ignore list.
@@ -245,12 +235,12 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
                &General::writehasharray($ignoredfile, \%ignored);
 
                # Regenerate the ignore file.
-               &GenerateIgnoreFile();
+               &GenerateIgnoreFile();
 
                # Check if guardian is running.
                if ($pid > 0) {
                        # Send reload command through socket connection.
-                       &Guardian::Socket::Client("reload");
+                       &Guardian::Socket::Client("reload-ignore-list");
                }
        }
 
@@ -272,12 +262,12 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
        &General::writehasharray($ignoredfile, \%ignored);
 
        # Regenerate the ignore file.
-       &GenerateIgnoreFile();
+       &GenerateIgnoreFile();
 
        # Check if guardian is running.
        if ($pid > 0) {
                # Send reload command through socket connection.
-               &Guardian::Socket::Client("reload");
+               &Guardian::Socket::Client("reload-ignore-list");
        }
 
 ## Block a user given address or subnet.
@@ -291,8 +281,17 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
        my $orange = $netsettings{'ORANGE_ADDRESS'};
        my $red = $netsettings{'RED_ADDRESS'};
 
+       # File declarations.
+       my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
+       my $dns1file = "${General::swroot}/red/dns1";
+       my $dns2file = "${General::swroot}/red/dns2";
+
        # Get gateway address.
-       my $gateway = &General::get_gateway();
+       my $gateway = &_get_address_from_file($gatewayfile);
+
+       # Get addresses from the used dns servers.
+       my $dns1 = &_get_address_from_file($dns1file);
+       my $dns2 = &_get_address_from_file($dns2file);
 
        # Check if any input has been performed.
        if ($input eq '') {
@@ -310,7 +309,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
        }
 
        # Check if the given input is one of the interface addresses or our gateway.
-       elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
+       elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") {
                $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
        }
 
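Review bot: The changed `elsif` compares with `eq`, so the gateway and the two DNS servers are only protected when the input is exactly one of those addresses. The comment above this handler (context of the previous hunk) says a subnet is accepted as well, and a network that contains `$gateway`, `$dns1` or `$dns2` would pass this test; whether a later branch catches that case is outside the hunk. Either add a containment test for network input or state the limit next to the check, e.g. `# Exact match only: a subnet containing one of these addresses is not rejected here.`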
@@ -396,6 +395,7 @@ sub showMainBox() {
        $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
        $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
        $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected';
+       $selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected';
 
        &Header::openpage($Lang::tr{'guardian configuration'}, 1, '');
        &Header::openbigbox('100%', 'left', '', $errormessage);
@@ -407,6 +407,64 @@ sub showMainBox() {
                &Header::closebox();
        }
 
+       ### Java Script ###
+       print<<END;
+       <script>
+               var update_options = function() {
+
+                       var logfacility = \$("#GUARDIAN_LOG_FACILITY").val();
+                       var loglevel = \$("#GUARDIAN_LOGLEVEL").val();
+
+                       if (logfacility === undefined)
+                               return;
+
+                       if (loglevel === undefined)
+                               return;
+
+                       // Show / Hide input for specifying the path to the logfile.
+                       if (logfacility === "file") {
+                               \$(".GUARDIAN_LOGFILE").show();
+                       } else {
+                               \$(".GUARDIAN_LOGFILE").hide();
+                       }
+
+                       // Show / Hide loglevel debug if the facility is set to syslog.
+                       if (logfacility === "syslog") {
+                               \$("#loglevel_debug").hide();
+                       } else {
+                               \$("#loglevel_debug").show();
+                       }
+
+                       // Show / Hide logfacility syslog if the loglevel is set to debug.
+                       if (loglevel === "debug") {
+                               \$("#logfacility_syslog").hide();
+                       } else {
+                               \$("#logfacility_syslog").show();
+                       }
+               };
+
+               \$(document).ready(function() {
+                       \$("#GUARDIAN_LOG_FACILITY").change(update_options);
+                       \$("#GUARDIAN_LOGLEVEL").change(update_options);
+                       update_options();
+
+                       // Show / Hide snort priority level option, based if
+                       // snort is enabled / disabled.
+                       if (\$('input[name=GUARDIAN_MONITOR_SNORT]:checked').val() == 'on') {
+                               \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').show();
+                       } else {
+                               \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').hide();
+                       }
+
+                       // Show/Hide snort priority level when GUARDIAN_MONITOR_SNORT get changed.
+                       \$('input[name=GUARDIAN_MONITOR_SNORT]').change(function() {
+                               \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').toggle();
+                       });
+               });
+       </script>
+END
+
+
 
        # Draw current guardian state.
        &Header::openbox('100%', 'center', $Lang::tr{'guardian'});
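Review bot: The change handler for `GUARDIAN_MONITOR_SNORT` flips the row with a bare `.toggle()`, so its visibility depends on the event history instead of the radio's value. Deriving it from the value is more robust and removes the separate if/else for the initial state: `\$('.GUARDIAN_SNORT_PRIORITY_LEVEL').toggle(\$('input[name=GUARDIAN_MONITOR_SNORT]:checked').val() == 'on');`. The syslog/debug exclusion in `update_options` only hides options in the browser; if that combination must not be stored, the save handler needs the same check, and none is visible in this diff.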
@@ -465,87 +523,95 @@ END
                        <tr>
                                <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td>
                        </tr>
+
                        <tr>
-                               <td width='20%' class='base'>$Lang::tr{'guardian enabled'}:</td>
+                               <td width='25%' class='base'>$Lang::tr{'guardian enabled'}:</td>
                                <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td>
                        </tr>
+
                        <tr>
                                <td colspan='2'><br></td>
                        </tr>
+
                        <tr>
-                               <td width='20%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td>
+                               <td width='25%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td>
                                <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> /
                                <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td>
                        </tr>
+
                        <tr>
-                               <td width='20%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
+                               <td width='25%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
                                <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
                                <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td>
                        </tr>
+
                        <tr>
-                               <td width='20%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
+                               <td width='25%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
                                <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> /
                                <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td>
                        </tr>
-END
-                       # Display owncloud checkbox when the addon is installed.
-                       if ( -e "$owncloud_meta" ) {
-                               print"<tr>\n";
-                               print"<td width='20%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n";
-                               print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n";
-                               print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n";
-                               print"</tr>\n";
-                       }
-       print <<END;
+
                        <tr>
                                <td colspan='2'><br></td>
                        </tr>
+
                        <tr>
                                <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td>
-                               <td><select name='GUARDIAN_LOG_FACILITY'>
-                                       <option value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>syslog</option>
-                                       <option value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>file</option>
-                                       <option value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>console</option>
+                               <td width='25%'><select id='GUARDIAN_LOG_FACILITY' name='GUARDIAN_LOG_FACILITY'>
+                                       <option id='logfacility_syslog' value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>$Lang::tr{'guardian logtarget_syslog'}</option>
+                                       <option id='logfacility_file' value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>$Lang::tr{'guardian logtarget_file'}</option>
+                                       <option id='logfacility_console' value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>$Lang::tr{'guardian logtarget_console'}</option>
+                               </select></td>
+
+                               <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
+                               <td width='25%'><select id='GUARDIAN_LOGLEVEL' name='GUARDIAN_LOGLEVEL'>
+                                       <option id='loglevel_off' value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>$Lang::tr{'guardian loglevel_off'}</option>
+                                       <option id='loglevel_info' value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>$Lang::tr{'guardian loglevel_info'}</option>
+                                       <option id='loglevel_debug' value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>$Lang::tr{'guardian loglevel_debug'}</option>
                                </select></td>
                        </tr>
-                       <tr>
+
+                       <tr class="GUARDIAN_LOGFILE">
                                <td colspan='2'><br></td>
                        </tr>
-                       <tr>
-                               <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
-                               <td><select name='GUARDIAN_LOGLEVEL'>
-                                       <option value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>off</option>
-                                       <option value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>info</option>
-                                       <option value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>debug</option>
-                               </select></td>
+
+                       <tr class="GUARDIAN_LOGFILE">
+                               <td width='25%' class='base'>$Lang::tr{'guardian logfile'}:</td>
+                               <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
                        </tr>
-                       <tr>
+
+                       <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL">
                                <td colspan='2'><br></td>
                        </tr>
-                       <tr>
+
+                       <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL">
                                <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td>
                                <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'>
-                                       <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>1</option>
-                                       <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>2</option>
-                                       <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>3</option>
-                                       <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>4</option>
+                                       <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>$Lang::tr{'guardian priolevel_high'}</option>
+                                       <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>$Lang::tr{'guardian priolevel_medium'}</option>
+                                       <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>$Lang::tr{'guardian priolevel_low'}</option>
+                                       <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>$Lang::tr{'guardian priolevel_very_low'}</option>
                                </select></td>
+
+                               <td width='25%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
+                               <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
                        </tr>
+
                        <tr>
                                <td colspan='2'><br></td>
                        </tr>
+
                        <tr>
-                               <td width='20%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
-                               <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
-                       </tr>
-                       <tr>
-                               <td width='20%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
+                               <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td>
+                               <td><select name='GUARDIAN_FIREWALL_ACTION'>
+                                       <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option>
+                                       <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option>
+                               </select></td>
+
+                               <td width='25%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
                                <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
                        </tr>
-                       <tr>
-                                <td width='20%' class='base'>$Lang::tr{'guardian logfile'}:</td>
-                                <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
-                        </tr>
+
                </table>
 END
 
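Review bot: `$settings{'GUARDIAN_LOGFILE'}`, `$settings{'GUARDIAN_BLOCKCOUNT'}` and `$settings{'GUARDIAN_BLOCKTIME'}` are interpolated directly into single-quoted `value='…'` attributes in this here-document. They are free-text fields, and after a failed validation the submitted text is presumably rendered back into the form, so a value containing a quote or markup would reach the page unescaped; whether `%settings` is cleaned when it is read is not visible here. Pass these values through the project's HTML-escaping helper before printing them. Separately, the new four-cell rows sit in a table whose header and spacer rows still use `colspan='2'`.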
@@ -577,11 +643,11 @@ sub showIgnoreBox() {
                                <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
                        </tr>
 END
-                       # Check if some hosts have been add to be ignored.
+                       # Check if some hosts have been added to be ignored.
                        if (keys (%ignored)) {
                                my $col = "";
 
-                               # Loop through all entries of the hash..
+                               # Loop through all entries of the hash.
                                while( (my $key) = each %ignored)  {
                                        # Assign data array positions to some nice variable names.
                                        my $address = $ignored{$key}[0];
@@ -697,7 +763,7 @@ END
        &Header::closebox();
 }
 
-# Function to list currently bocked addresses from guardian and unblock them or add custom entries to block.
+# Function to list currently blocked addresses from guardian and unblock them or add custom entries to block.
 sub showBlockedBox() {
        &Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'});
 
@@ -708,7 +774,7 @@ sub showBlockedBox() {
                </tr>
 END
 
-               # Lauch function to get the currently blocked hosts.
+               # Launch function to get the currently blocked hosts.
                my @blocked_hosts = &GetBlockedHosts();
 
                my $id = 0;
@@ -741,7 +807,7 @@ END
 END
                }
 
-       # If the loop only has been runs once the id still is "0", which means there are no
+       # If the loop only has been run once the id still is "0", which means there are no
        # additional entries (blocked hosts) in the iptables chain.
        if ($id == 0) {
 
@@ -803,11 +869,11 @@ sub GetBlockedHosts() {
        # Create new, empty array.
        my @hosts;
 
-       # Lauch helper to get chains from iptables.
+       # Launch helper to get chains from iptables.
        system('/usr/local/bin/getipstat');
 
        # Open temporary file which contains the chains and rules.
-       open (FILE, '/srv/web/ipfire/html/iptables.txt');
+       open (FILE, '/var/tmp/iptables.txt');
 
        # Loop through the entire file.
        while (<FILE>) {
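Review bot: The `open` on `/var/tmp/iptables.txt` is unchecked and uses the two-argument form with the bareword handle `FILE`, so a failed open makes the loop read nothing and the page show an empty block list without any error. The file now also has a fixed name in `/var/tmp`, a directory other local accounts can normally write to, so the CGI has no assurance that the content was produced by `getipstat`; that is best solved in the helper, which is not on this page. Here I would at least check the result, for example `open(my $fh, '<', '/var/tmp/iptables.txt') or return @hosts;`, and read from `$fh`. The body of `GetBlockedHosts` continues past the hunk.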
@@ -822,7 +888,7 @@ sub GetBlockedHosts() {
                        next if ($line =~ /^Chain/);
                        next if ($line =~ /^ pkts/);
 
-                       # Generate array, based on the line content (seperator is a single or multiple space's)
+                       # Generate array, based on the line content (separator is a single or multiple space)
                        my @comps = split(/\s{1,}/, $line);
                        my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps;
 
@@ -840,9 +906,9 @@ sub GetBlockedHosts() {
        close(FILE);
 
        # Remove recently created temporary files of the "getipstat" binary.
-       system(rm -f "/srv/web/ipfire/html/iptables.txt");
-       system(rm -f "/srv/web/ipfire/html/iptablesmangle.txt");
-       system(rm -f "/srv/web/ipfire/html/iptablesnat.txt");
+       system("rm -f /var/tmp/iptables.txt");
+       system("rm -f /var/tmp/iptablesmangle.txt");
+       system("rm -f /var/tmp/iptablesnat.txt");
 
        # Convert entries, sort them, write back and store the sorted entries into new array.
        my @sorted = map  { $_->[0] }
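Review bot: Each of the three `system("rm -f …")` calls starts a shell only to delete a fixed path; `unlink` does this in-process and returns the number of files removed, so a failure can be noticed. Suggested replacement: `unlink('/var/tmp/iptables.txt', '/var/tmp/iptablesmangle.txt', '/var/tmp/iptablesnat.txt');`. The enclosing function starts and ends outside the hunk.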
@@ -860,6 +926,9 @@ sub BuildConfiguration() {
 
        my $configfile = "${General::swroot}/guardian/guardian.conf";
 
+       # Create the configfile if none exists yet.
+       unless (-e "$configfile") { system("touch $configfile"); }
+
        # Open configfile for writing.
        open(FILE, ">$configfile");
 
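Review bot: The added `touch` is redundant, because the `open(FILE, ">$configfile")` below it creates the file when it is missing, and it interpolates the path into a shell command for no gain. The open itself is unchecked and in two-argument form, so on failure every following `print FILE` does nothing and guardian silently keeps its previous configuration. I would drop the `touch` line and write `open(FILE, '>', $configfile) or die "Could not open $configfile: $!";` (or set `$errormessage` instead of dying). The same touch-then-open pattern is added for `$ignorefile` at the start of `GenerateIgnoreFile` in the last hunk. `BuildConfiguration` continues outside this hunk.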
@@ -884,9 +953,10 @@ sub BuildConfiguration() {
        print FILE "IgnoreFile = $ignorefile\n\n";
 
        # Configured block values.
-       print FILE "# Configured block values.\n";
+       print FILE "# Configured block settings.\n";
        print FILE "BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n";
-       print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n\n";
+       print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n";
+       print FILE "FirewallAction = $settings{'GUARDIAN_FIREWALL_ACTION'}\n\n";
 
        # Enabled modules.
        # Loop through whole settings hash.
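Review bot: `GUARDIAN_FIREWALL_ACTION` is written into guardian.conf exactly as submitted, and no validation of it is visible in the save-handler hunks of this diff, where only the block time and block count are checked. The form offers `DROP` and `REJECT`, but a request is not limited to those two values, and a value containing a line break would add a further line to the generated configuration. Validate before writing, e.g. `$settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP' unless ($settings{'GUARDIAN_FIREWALL_ACTION'} =~ /\A(?:DROP|REJECT)\z/);`. The rest of `BuildConfiguration` lies outside the hunk.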
@@ -914,6 +984,9 @@ sub BuildConfiguration() {
 
        close(FILE);
 
+       # Generate ignore file.
+       &GenerateIgnoreFile();
+
        # Check if guardian should be started or stopped.
        if($settings{'GUARDIAN_ENABLED'} eq 'on') {
                if($pid > 0) {
@@ -928,3 +1001,116 @@ sub BuildConfiguration() {
                system("/usr/local/bin/addonctrl guardian stop &>/dev/null");
        }
 }
+
+sub GenerateIgnoreFile() {
+       my %ignored = ();
+
+       # Read-in ignoredfile.
+       &General::readhasharray($ignoredfile, \%ignored);
+
+       # Create the guardian.ignore file if not exist yet.
+       unless (-e "$ignorefile") { system("touch $ignorefile"); }
+
+       # Open ignorefile for writing.
+       open(FILE, ">$ignorefile");
+
+       # Config file header.
+       print FILE "# Autogenerated configuration file.\n";
+       print FILE "# All user modifications will be overwritten.\n\n";
+
+       # Add IFPire interfaces and gateway to the ignore file.
+       #
+       # Assign some temporary variables for the IPFire interfaces.
+       my $green = $netsettings{'GREEN_ADDRESS'};
+       my $blue = $netsettings{'BLUE_ADDRESS'};
+       my $orange = $netsettings{'ORANGE_ADDRESS'};
+
+       # File declarations.
+       my $public_address_file = "${General::swroot}/red/local-ipaddress";
+       my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
+       my $dns1file = "${General::swroot}/red/dns1";
+       my $dns2file = "${General::swroot}/red/dns2";
+
+       # Write the obtained addresses to the ignore file.
+       print FILE "# IPFire local interfaces.\n";
+       print FILE "$green\n";
+
+       # Check if a blue interface exists.
+       if ($blue) {
+               # Add blue address.
+               print FILE "$blue\n";
+       }
+
+       # Check if an orange interface exists.
+       if ($orange) {
+               # Add orange address.
+               print FILE "$orange\n";
+       }
+
+       print FILE "\n# IPFire red interface, gateway and used DNS-servers.\n";
+       print FILE "# Include the corresponding files to obtain the addresses.\n";
+       print FILE "Include_File = $public_address_file\n";
+       print FILE "Include_File = $gatewayfile\n";
+       print FILE "Include_File = $dns1file\n";
+       print FILE "Include_File = $dns2file\n";
+
+       # Add all user defined hosts and networks to the ignore file.
+       #
+       # Check if the hash contains any elements.
+       if (keys (%ignored)) {
+               # Write headline.
+               print FILE "\n# User defined hosts/networks.\n";
+
+               # Loop through the entire hash and write the host/network
+               # and remark to the ignore file.
+               while ( (my $key) = each %ignored) {
+                       my $address = $ignored{$key}[0];
+                       my $remark = $ignored{$key}[1];
+                       my $status = $ignored{$key}[2];
+
+                       # Check if the status of the entry is "enabled".
+                       if ($status eq "enabled") {
+                               # Check if the address/network is valid.
+                               if ((&General::validip($address)) || (&General::validipandmask($address))) {
+                                       # Write the remark to the file.
+                                       print FILE "# $remark\n";
+
+                                       # Write the address/network to the ignore file.
+                                       print FILE "$address\n\n";
+                               }
+                       }
+                }
+       }
+
+       close(FILE);
+}
+
+# Private subfunction to obtain IP-addresses from given file names.
+#
+sub _get_address_from_file ($) {
+       my $file = shift;
+
+       # Check if the file exists.
+       if (-e $file) {
+               # Open the given file.
+               open(FILE, "$file") or die "Could not open $file.";
+
+               # Obtain the address from the first line of the file.
+               my $address = <FILE>;
+
+               # Close filehandle
+               close(FILE);
+
+               # Remove newlines.
+               chomp $address;
+
+               # Check if the grabbed address is valid.
+               if (&General::validip($address)) {
+                       # Return the address.
+                       return $address;
+               }
+       }
+
+       # Return nothing.
+       return;
+}
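Review bot: `_get_address_from_file` aborts the whole CGI with `die` when a file exists but cannot be opened, and for an empty file `<FILE>` returns undef, which is then handed to `chomp` and `General::validip`. The callers in this diff already treat "no address" as a normal result, so returning nothing in both cases is the safer behaviour. A lexical handle with three-argument `open` also avoids reusing the global `FILE` handle that `BuildConfiguration` and `GenerateIgnoreFile` write through. The `($)` prototype has no effect because the sub is always called with `&`, so it can be dropped.

```perl
sub _get_address_from_file ($) {
	my $file = shift;

	# A missing or unreadable file means "no address", not a fatal error.
	open(my $fh, '<', $file) or return;

	# The address is expected on the first line.
	my $address = <$fh>;
	close($fh);

	# An empty file yields undef.
	return unless (defined $address);
	chomp $address;

	# … unchanged: General::validip check, return of $address or nothing …
}
```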