]>
git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - config/guardian/guardian.pl
3 # Read the readme file for changes
8 print "OS shows $OS\n";
13 if (defined($opt_h)) {
14 print "Guardian v1.7 \n";
15 print "guardian.pl [-hd] <-c config>\n";
16 print " -h shows help\n";
17 print " -d run in debug mode (doesn't fork, output goes to STDOUT)\n";
18 print " -c specifiy a configuration file other than the default (/etc/guardian.conf)\n";
24 print "My ip address and interface are: $hostipaddr $interface\n";
26 if ($hostipaddr !~ /\d+\.\d+\.\d+\.\d+/) {
27 print "This ip address is bad : $hostipaddr\n";
28 die "I need a good host ipaddress\n";
31 $networkaddr = $hostipaddr;
32 $networkaddr =~ s/\d+$/0/;
33 $gatewayaddr = $hostipaddr;
34 $gatewayaddr =~ s/\d+$/$hostgatewaybyte/;
35 $broadcastaddr = $hostipaddr;
36 $broadcastaddr =~ s/\d+$/255/;
39 # This is the target hash. If a packet was destened to any of these, then the
40 # sender of that packet will get denied, unless it is on the ignore list..
42 %targethash = ( "$networkaddr" => 1,
43 "$broadcastaddr" => 1,
44 "0" => 1, # This is what gets sent to &checkem if no
45 # destination was found.
48 if ( -e
$targetfile ) {
52 if (!defined($opt_d)) {
53 print "Becoming a daemon..\n";
55 } else { print "Running in debug mode..\n"; }
57 open (ALERT
, $alert_file) or die "can't open alert file: $alert_file: $!\n";
58 seek (ALERT
, 0, 2); # set the position to EOF.
59 # this is the same as a tail -f :)
66 if (/snort/) { #syslog file
67 if (defined($opt_d)) {print "$_\n";}
68 # This is *much* cleaner, and should work on all systems
70 ($junk,$reason) = split (/\]:/,$_,2);
73 if ($str=~/(\d+\.\d+\.\d+\.\d+)/) {
75 # write_log ("Found $array[$#array]\n");
78 if ($array[1] eq "") { $array[1]=0; }
79 # this should work if snort didn't report the target address.
80 # $array[1] should be the target address (portscans don't show this)
81 &checkem
($array[0], $array[1], $reason);
82 } else { # snort.alert type file for backwards compat
83 if (defined($opt_d)) {print "$_\n";}
84 if (/\[\*\*\]\s+(.*)\s+\[\*\*\]/){
87 if (/(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
88 &checkem
($1, $2, $type);
93 # Run this stuff every 30 seconds..
95 &remove_blocks
; # This might get moved elsewhere, depending on how much load
96 # it puts on the system..
99 } else { $counter=$counter+1; }
103 my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
104 $atime,$mtime,$ctime,$blksize,$blocks) = stat($alert_file);
105 if ($size < $previous_size) { # The filesize is smaller than last
106 close (ALERT
); # we checked, so we need to reopen it
107 open (ALERT
, "$alert_file"); # This should still work in our main while
108 $previous_size=$size; # loop (I hope)
109 write_log
("Log filename changed. Reopening $alert_file\n");
111 $previous_size=$size;
117 my ($source, $dest,$type) = @_;
119 my $date = localtime();
120 return 1 if ($source eq $hostipaddr); # this should prevent is from nuking
122 return 1 if ($source eq $gatewayaddr); # or our gateway
123 if ($ignore{$source} == 1) { # check our ignore list..
124 &write_log
("$date: ");
125 &write_log
("$source\t$type\n");
126 &write_log
("Ignoring attack because $source is in my ignore list\n");
129 # if the offending packet was sent to us, the network, or the broadcast, then
130 if ($targethash{$dest} == 1) {
131 &write_log
("$date: ");
132 &ipchain
($source, $dest, $type);
134 # you will see this if the destination was not in the $targethash, and the
135 # packet was not ignored before the target check..
137 &write_log
("Odd.. source = $source, dest = $dest - No action done.\n");
138 if (defined ($opt_d)) {
139 foreach $key (keys %targethash) {
140 &write_log
("targethash{$key} = $targethash{$key}\n");
147 my ($source, $dest, $type) = @_;
148 &write_log
("$source\t$type\n");
149 if ($hash{$source} eq "") {
150 &write_log
("Running '$blockpath $source $interface'\n");
151 system ("$blockpath $source $interface");
152 $hash{$source} = time() + $TimeLimit;
154 # We have already blocked this one, but snort detected another attack. So
155 # we should update the time blocked..
156 $hash{$source} = time() + $TimeLimit;
160 sub build_ignore_hash
{
161 # This would cause is to ignore all broadcasts if it
162 # got set.. However if unset, then the attacker could spoof the packet to make
163 # it look like it came from the network, and a reply to the spoofed packet
164 # could be seen if the attacker were on the local network.
165 # $ignore{$networkaddr}=1;
167 # same thing as above, just with the broadcast instead of the network.
168 # $ignore{$broadcastaddr}=1;
170 $ignore{$gatewayaddr}=1;
171 $ignore{$hostipaddr}=1;
172 if ($ignorefile ne "") {
173 open (IGNORE
, $ignorefile);
176 next if (/\#/); #skip comments
177 next if (/^\s*$/); # and blank lines
182 print "Loaded $count addresses from $ignorefile\n";
184 print "No ignore file was loaded!\n";
190 $opt_c = "/etc/guardian.conf";
193 die "Need a configuration file.. please use to the -c option to name a
194 configuration file\n";
196 open (CONF
, $opt_c) or die "Cannot read the config file $opt_c, $!\n";
199 next if (/^\s*$/); #skip blank lines
200 next if (/^#/); # skip comment lines
201 if (/LogFile\s+(.*)/) {
204 if (/Interface\s+(.*)/) {
207 if (/AlertFile\s+(.*)/) {
210 if (/IgnoreFile\s+(.*)/) {
213 if (/TargetFile\s+(.*)/) {
216 if (/TimeLimit\s+(.*)/) {
219 if (/HostIpAddr\s+(.*)/) {
222 if (/HostGatewayByte\s+(.*)/) {
223 $hostgatewaybyte = $1;
225 # if (/ipchainsPath\s+(.*)/) {
226 # $ipchains_path = $1;
229 if ($interface eq "") {
230 die "Fatal! Interface is undefined.. Please define it in $opt_o with keyword Interface\n";
232 if ($alert_file eq "") {
233 print "Warning! AlertFile is undefined.. Assuming /var/log/snort.alert\n";
234 $alert_file="/var/log/snort.alert";
236 if ($hostipaddr eq "") {
237 print "Warning! HostIpAddr is undefined! Attempting to guess..\n";
238 $hostipaddr = &get_ip
($interface);
239 print "Got it.. your HostIpAddr is $hostipaddr\n";
241 if ($ignorefile eq "") {
242 print "Warning! IgnoreFile is undefined.. going with default ignore list (hostname and gateway)!\n";
244 if ($hostgatewaybyte eq "") {
245 print "Warning! HostGatewayByte is undefined.. gateway will not be in ignore list!\n";
247 if ($logfile eq "") {
248 print "Warning! LogFile is undefined.. Assuming debug mode, output to STDOUT\n";
252 print "Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT\n";
255 foreach $mypath (split (/:/, $ENV{PATH
})) {
256 if (-x
"$mypath/guardian_block.sh") {
257 $blockpath = "$mypath/guardian_block.sh";
259 if (-x
"$mypath/guardian_unblock.sh") {
260 $unblockpath = "$mypath/guardian_unblock.sh";
263 if ($blockpath eq "") {
264 print "Error! Could not find guardian_block.sh. Please consult the README. \n";
267 if ($unblockpath eq "") {
268 print "Warning! Could not find guardian_unblock.sh. Guardian will not be\n";
269 print "able to remove blocked ip addresses. Please consult the README file\n";
271 if ($TimeLimit eq "") {
272 print "Warning! Time limit not defined. Defaulting to absurdly long time limit\n";
273 $TimeLimit = 999999999;
280 if (defined($opt_d)) { # we are in debug mode, and not daemonized
281 print STDOUT
$message;
283 open (LOG
, ">>$logfile");
298 &write_log
("Guardian process id $$\n");
299 $home = (getpwuid($>))[7] || die "No home directory!\n";
300 chdir($home); # go to my homedir
301 setpgrp(0,0); # become process leader
305 print "Testing...\n";
310 my ($interface) = $_[0];
312 open (IFCONFIG
, "/bin/netstat -iee |grep $interface -A7 |");
314 if ($OS eq "FreeBSD") {
315 if (/inet (\d+\.\d+\.\d+\.\d+)/) {
319 if ($OS eq "Linux") {
320 if (/inet addr:(\d+\.\d+\.\d+\.\d+)/) {
326 if ($ip eq "") { die "Couldn't figure out the ip address\n"; }
330 sub sig_handler_setup
{
331 $SIG{TERM
} = \
&clean_up_and_exit
; # kill
332 $SIG{QUIT
} = \
&clean_up_and_exit
; # kill -3
333 # $SIG{HUP} = \&flush_and_reload; # kill -1
339 foreach $source (keys %hash) {
340 if ($hash{$source} < $time) {
341 &call_unblock
($source, "expiring block of $source\n");
342 delete ($hash{$source});
348 my ($source, $message) = @_;
349 &write_log
("$message");
350 system ("$unblockpath $source $interface");
353 sub clean_up_and_exit
{
355 &write_log
("received kill sig.. shutting down\n");
356 foreach $source (keys %hash) {
357 &call_unblock
($source, "removing $source for shutdown\n");
362 sub load_targetfile
{
364 open (TARG
, "$targetfile") or die "Cannot open $targetfile\n";
367 next if (/\#/); #skip comments
368 next if (/^\s*$/); # and blank lines
373 print "Loaded $count addresses from $targetfile\n";