###############################################################################
use strict;
-use Locale::Codes::Country;
use Guardian::Socket;
# enable only the following on debugging purpose
# file locations on IPFire systems.
my %module_file_locations = (
"HTTPD" => "/var/log/httpd/error_log",
- "SNORT" => "/var/log/snort/alert",
"SSH" => "/var/log/messages",
);
our %color = ();
our %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
# File declarations.
my $settingsfile = "${General::swroot}/guardian/settings";
my $ignoredfile = "${General::swroot}/guardian/ignored";
# Create empty settings and ignoredfile if they do not exist yet.
-unless (-e "$settingsfile") { system("touch $settingsfile"); }
-unless (-e "$ignoredfile") { system("touch $ignoredfile"); }
+unless (-e "$settingsfile") { &General::system("touch", "$settingsfile"); }
+unless (-e "$ignoredfile") { &General::system("touch", "$ignoredfile"); }
our %settings = ();
our %ignored = ();
$settings{'ACTION'} = '';
$settings{'GUARDIAN_ENABLED'} = 'off';
-$settings{'GUARDIAN_MONITOR_SNORT'} = 'on';
$settings{'GUARDIAN_MONITOR_SSH'} = 'on';
$settings{'GUARDIAN_MONITOR_HTTPD'} = 'on';
$settings{'GUARDIAN_MONITOR_OWNCLOUD'} = '';
$settings{'GUARDIAN_BLOCKTIME'} = '86400';
$settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP';
$settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
-$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3';
my $errormessage = '';
# File declarations.
my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
- my $dns1file = "${General::swroot}/red/dns1";
- my $dns2file = "${General::swroot}/red/dns2";
# Get gateway address.
- my $gateway = &_get_address_from_file($gatewayfile);
-
- # Get addresses from the used dns servers.
- my $dns1 = &_get_address_from_file($dns1file);
- my $dns2 = &_get_address_from_file($dns2file);
+ my $gateway = &General::grab_address_from_file($gatewayfile);
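Review bot: The removed `_get_address_from_file` ran the file contents through `&General::validip` before returning anything, and it is not visible here whether `&General::grab_address_from_file` applies the same check. Because `$gateway` is only used in the `eq` comparison that refuses to block the gateway address, an unvalidated or undefined return would at worst make that guard ineffective for a malformed file rather than open anything, but it is worth confirming against the helper. Once checked, a one-line comment such as `# grab_address_from_file returns the validated address, or undef if the file is missing/invalid` would record the contract at this call site. The code before and after this hunk is not shown.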
# Check if any input has been performed.
if ($input eq '') {
}
# Check if the given input is one of the interface addresses or our gateway.
- elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") {
+ elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
$errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
}
$checked{'GUARDIAN_ENABLED'}{'on'} = '';
$checked{'GUARDIAN_ENABLED'}{'off'} = '';
$checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked';
- $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} = '';
- $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} = '';
- $checked{'GUARDIAN_MONITOR_SNORT'}{$settings{'GUARDIAN_MONITOR_SNORT'}} = "checked='checked'";
$checked{'GUARDIAN_MONITOR_SSH'}{'off'} = '';
$checked{'GUARDIAN_MONITOR_SSH'}{'on'} = '';
$checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'";
$selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
$selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
- $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected';
$selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected';
&Header::openpage($Lang::tr{'guardian configuration'}, 1, '');
\$("#GUARDIAN_LOG_FACILITY").change(update_options);
\$("#GUARDIAN_LOGLEVEL").change(update_options);
update_options();
-
- // Show / Hide snort priority level option, based if
- // snort is enabled / disabled.
- if (\$('input[name=GUARDIAN_MONITOR_SNORT]:checked').val() == 'on') {
- \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').show();
- } else {
- \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').hide();
- }
-
- // Show/Hide snort priority level when GUARDIAN_MONITOR_SNORT get changed.
- \$('input[name=GUARDIAN_MONITOR_SNORT]').change(function() {
- \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').toggle();
- });
});
</script>
END
<td colspan='2'><br></td>
</tr>
- <tr>
- <td width='25%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td>
- <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> /
- <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td>
- </tr>
-
<tr>
<td width='25%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
<td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
</tr>
- <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL">
+ <tr>
<td colspan='2'><br></td>
</tr>
- <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL">
- <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td>
- <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'>
- <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>$Lang::tr{'guardian priolevel_high'}</option>
- <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>$Lang::tr{'guardian priolevel_medium'}</option>
- <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>$Lang::tr{'guardian priolevel_low'}</option>
- <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>$Lang::tr{'guardian priolevel_very_low'}</option>
+ <tr>
+ <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td>
+ <td><select name='GUARDIAN_FIREWALL_ACTION'>
+ <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option>
+ <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option>
</select></td>
<td width='25%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
</tr>
<tr>
- <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td>
- <td><select name='GUARDIAN_FIREWALL_ACTION'>
- <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option>
- <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option>
- </select></td>
-
<td width='25%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
<td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
</tr>
my @hosts;
# Launch helper to get chains from iptables.
- system('/usr/local/bin/getipstat');
-
- # Open temporary file which contains the chains and rules.
- open (FILE, '/var/tmp/iptables.txt');
+ open (FILE, '/usr/local/bin/getipstat | ');
- # Loop through the entire file.
+ # Loop through the entire output.
while (<FILE>) {
my $line = $_;
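Review bot: The replacement `open (FILE, '/usr/local/bin/getipstat | ');` is a two-argument pipe open that goes through the shell and is never checked for failure, which is at odds with the rest of this commit, where shell-string `system` calls are deliberately moved to list form. The command string is a constant with no interpolated data, so this is a consistency and error-handling point rather than an injection risk; the list-form pipe open does the same job without a shell and can be checked: `open(FILE, '-|', '/usr/local/bin/getipstat') or die "Could not run getipstat: $!";`. A lexical handle (`open(my $fh, '-|', ...)`) would additionally avoid reusing the bareword `FILE` that this CGI opens for several other files. The `while (<FILE>)` loop body continues outside the hunk.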
# Close filehandle.
close(FILE);
- # Remove recently created temporary files of the "getipstat" binary.
- system("rm -f /var/tmp/iptables.txt");
- system("rm -f /var/tmp/iptablesmangle.txt");
- system("rm -f /var/tmp/iptablesnat.txt");
-
# Convert entries, sort them, write back and store the sorted entries into new array.
my @sorted = map { $_->[0] }
sort { $a->[1] <=> $b->[1] }
my $configfile = "${General::swroot}/guardian/guardian.conf";
# Create the configfile if none exists yet.
- unless (-e "$configfile") { system("touch $configfile"); }
+ unless (-e "$configfile") { &General::system("touch", "$configfile"); }
# Open configfile for writing.
open(FILE, ">$configfile");
# Module settings.
print FILE "\n# Module settings.\n";
- # Check if SNORT is enabled and add snort priority.
- if ($settings{'GUARDIAN_MONITOR_SNORT'} eq "on") {
- print FILE "SnortPriorityLevel = $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}\n";
- }
-
close(FILE);
# Generate ignore file.
&Guardian::Socket::Client("reload");
} else {
# Launch guardian.
- system("/usr/local/bin/addonctrl guardian start &>/dev/null");
+ &General::system("/usr/local/bin/addonctrl", "guardian", "start");
}
} else {
# Stop the daemon.
- system("/usr/local/bin/addonctrl guardian stop &>/dev/null");
+ &General::system("/usr/local/bin/addonctrl", "guardian", "stop");
}
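Review bot: The new `&General::system("/usr/local/bin/addonctrl", "guardian", "start")` on L172, and the matching `stop` call on L177, drop the `&>/dev/null` redirection the old shell command carried, so whatever addonctrl writes to stdout or stderr now reaches the CGI's output stream unless `General::system` discards it itself — which is not visible here and is worth confirming, since stray text in the middle of the HTML response is hard to diagnose. If the helper does discard output, a short comment at the call, `# General::system runs addonctrl without a shell and swallows its output`, would make that expectation explicit. The enclosing if/else chain starts outside the hunk.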
}
&General::readhasharray($ignoredfile, \%ignored);
# Create the guardian.ignore file if not exist yet.
- unless (-e "$ignorefile") { system("touch $ignorefile"); }
+ unless (-e "$ignorefile") { &General::system("touch", "$ignorefile"); }
# Open ignorefile for writing.
open(FILE, ">$ignorefile");
# File declarations.
my $public_address_file = "${General::swroot}/red/local-ipaddress";
my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
- my $dns1file = "${General::swroot}/red/dns1";
- my $dns2file = "${General::swroot}/red/dns2";
# Write the obtained addresses to the ignore file.
print FILE "# IPFire local interfaces.\n";
print FILE "# Include the corresponding files to obtain the addresses.\n";
print FILE "Include_File = $public_address_file\n";
print FILE "Include_File = $gatewayfile\n";
- print FILE "Include_File = $dns1file\n";
- print FILE "Include_File = $dns2file\n";
# Add all user defined hosts and networks to the ignore file.
#
close(FILE);
}
-
-# Private subfunction to obtain IP-addresses from given file names.
-#
-sub _get_address_from_file ($) {
- my $file = shift;
-
- # Check if the file exists.
- if (-e $file) {
- # Open the given file.
- open(FILE, "$file") or die "Could not open $file.";
-
- # Obtain the address from the first line of the file.
- my $address = <FILE>;
-
- # Close filehandle
- close(FILE);
-
- # Remove newlines.
- chomp $address;
-
- # Check if the grabbed address is valid.
- if (&General::validip($address)) {
- # Return the address.
- return $address;
- }
- }
-
- # Return nothing.
- return;
-}