]>
git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/guardian/guardian.pl
2 # based on V 1.7 guardian enhanced for IPFire and snort 2.8
3 # Read the readme file for changes
5 # Enhanced for IPFire by IPFire Team
6 # Added Portscan detection for non syslog system
7 # Added SSH-Watch for SSH-Bruteforce Attacks
8 # An suppected IP will be blocked on all interfaces
12 print "OS shows $OS\n";
17 if (defined($opt_h)) {
18 print "Guardian v1.7 \n";
19 print "guardian.pl [-hd] <-c config>\n";
20 print " -h shows help\n";
21 print " -d run in debug mode (doesn't fork, output goes to STDOUT)\n";
22 print " -c specifiy a configuration file other than the default (/etc/guardian.conf)\n";
28 print "My ip address and interface are: $hostipaddr $interface\n";
30 if ($hostipaddr !~ /\d+\.\d+\.\d+\.\d+/) {
31 print "This ip address is bad : $hostipaddr\n";
32 die "I need a good host ipaddress\n";
35 $networkaddr = $hostipaddr;
36 $networkaddr =~ s/\d+$/0/;
37 $gatewayaddr = `cat /var/ipfire/red/remote-ipaddress 2>/dev/null`;
38 $broadcastaddr = $hostipaddr;
39 $broadcastaddr =~ s/\d+$/255/;
42 print "My gatewayaddess is: $gatewayaddr\n";
44 # This is the target hash. If a packet was destened to any of these, then the
45 # sender of that packet will get denied, unless it is on the ignore list..
47 %targethash = ( "$networkaddr" => 1,
48 "$broadcastaddr" => 1,
49 "0" => 1, # This is what gets sent to &checkem if no
50 # destination was found.
57 if ( -e
$targetfile ) {
61 if (!defined($opt_d)) {
62 print "Becoming a daemon..\n";
64 } else { print "Running in debug mode..\n"; }
66 open (ALERT
, $alert_file) or die "can't open alert file: $alert_file: $!\n";
67 seek (ALERT
, 0, 2); # set the position to EOF.
68 # this is the same as a tail -f :)
70 open (ALERT2
, "/var/log/messages" ) or die "can't open /var/log/messages: $!\n";
71 seek (ALERT2
, 0, 2); # set the position to EOF.
72 # this is the same as a tail -f :)
79 if (defined($opt_d)) {
82 if (/\[\*\*\]\s+(.*)\s+\[\*\*\]/){
85 if (/(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
86 &checkem
($1, $2, $type);
88 if (/(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
89 &checkem
($1, $2, $type);
95 if (seek(ALERT2
,0,1)){
98 if ($_=~/.*sshd.*Failed password for .* from.*/) {
99 my @array=split(/ /,$_);
101 if ( $array[11] eq "port" ) {
103 } elsif ( $array[11] eq "from" ) {
108 &checkssh
($temp, "possible SSH-Bruteforce Attack");}
112 # Run this stuff every 30 seconds..
113 if ($counter == 30) {
114 &remove_blocks
; # This might get moved elsewhere, depending on how much load
115 # it puts on the system..
124 my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
125 $atime,$mtime,$ctime,$blksize,$blocks) = stat($alert_file);
126 if ($size < $previous_size) { # The filesize is smaller than last
127 close (ALERT
); # we checked, so we need to reopen it
128 open (ALERT
, "$alert_file"); # This should still work in our main while
129 $previous_size=$size; # loop (I hope)
130 write_log
("Log filename changed. Reopening $alert_file\n");
132 $previous_size=$size;
138 my ($source, $dest,$type) = @_;
141 return 1 if ($source eq $hostipaddr);
142 # this should prevent is from nuking ourselves
144 return 1 if ($source eq $gatewayaddr); # or our gateway
145 if ($ignore{$source} == 1) { # check our ignore list..
146 &write_log
("$source\t$type\n");
147 &write_log
("Ignoring attack because $source is in my ignore list\n");
151 # if the offending packet was sent to us, the network, or the broadcast, then
152 if ($targethash{$dest} == 1) {
153 &ipchain
($source, $dest, $type);
155 # you will see this if the destination was not in the $targethash, and the
156 # packet was not ignored before the target check..
158 &write_log
("Odd.. source = $source, dest = $dest - No action done.\n");
159 if (defined ($opt_d)) {
160 foreach $key (keys %targethash) {
161 &write_log
("targethash{$key} = $targethash{$key}\n");
168 my ($source,$type) = @_;
171 return 1 if ($source eq $hostipaddr);
172 # this should prevent is from nuking ourselves
174 return 1 if ($source eq $gatewayaddr); # or our gateway
176 return 0 if ($sshhash{$source} > 4); # allready blocked
178 if ( ($ignore{$source} == 1) ){
179 &write_log
("Ignoring attack because $source is in my ignore list\n");
183 if ($sshhash{$source} == 4 ) {
184 &write_log
("source = $source, blocking for ssh attack.\n");
185 &ipchain
($source, "", $type);
186 $sshhash{$source} = $sshhash{$source}+1;
190 if ($sshhash{$source} eq "" ){
191 $sshhash{$source} = 1;
192 &write_log
("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n");
196 $sshhash{$source} = $sshhash{$source}+1;
197 &write_log
("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n");
201 my ($source, $dest, $type) = @_;
202 &write_log
("$source\t$type\n");
203 if ($hash{$source} eq "") {
204 &write_log
("Running '$blockpath $source $interface'\n");
205 system ("$blockpath $source $interface");
206 $hash{$source} = time() + $TimeLimit;
208 # We have already blocked this one, but snort detected another attack. So
209 # we should update the time blocked..
210 $hash{$source} = time() + $TimeLimit;
214 sub build_ignore_hash
{
215 # This would cause is to ignore all broadcasts if it
216 # got set.. However if unset, then the attacker could spoof the packet to make
217 # it look like it came from the network, and a reply to the spoofed packet
218 # could be seen if the attacker were on the local network.
219 # $ignore{$networkaddr}=1;
221 # same thing as above, just with the broadcast instead of the network.
222 # $ignore{$broadcastaddr}=1;
224 $ignore{$gatewayaddr}=1;
225 $ignore{$hostipaddr}=1;
226 if ($ignorefile ne "") {
227 open (IGNORE
, $ignorefile);
231 next if (/\#/); #skip comments
232 next if (/^\s*$/); # and blank lines
237 &write_log
("Loaded $count addresses from $ignorefile\n");
239 &write_log
("No ignore file was loaded!\n");
245 $opt_c = "/etc/guardian.conf";
249 die "Need a configuration file.. please use to the -c option to name a configuration file\n";
252 open (CONF
, $opt_c) or die "Cannot read the config file $opt_c, $!\n";
255 next if (/^\s*$/); #skip blank lines
256 next if (/^#/); # skip comment lines
257 if (/LogFile\s+(.*)/) {
260 if (/Interface\s+(.*)/) {
262 if ( $interface eq "" ) {
263 $interface = `cat /var/ipfire/ethernet/settings | grep RED_DEV | cut -d"=" -f2`;
266 if (/AlertFile\s+(.*)/) {
269 if (/IgnoreFile\s+(.*)/) {
272 if (/TargetFile\s+(.*)/) {
275 if (/TimeLimit\s+(.*)/) {
278 if (/HostIpAddr\s+(.*)/) {
281 if (/HostGatewayByte\s+(.*)/) {
282 $hostgatewaybyte = $1;
286 if ($alert_file eq "") {
287 print "Warning! AlertFile is undefined.. Assuming /var/log/snort.alert\n";
288 $alert_file="/var/log/snort.alert";
290 if ($hostipaddr eq "") {
291 print "Warning! HostIpAddr is undefined! Attempting to guess..\n";
292 $hostipaddr = `cat /var/ipfire/red/local-ipaddress`;
293 print "Got it.. your HostIpAddr is $hostipaddr\n";
295 if ($ignorefile eq "") {
296 print "Warning! IgnoreFile is undefined.. going with default ignore list (hostname and gateway)!\n";
298 if ($hostgatewaybyte eq "") {
299 print "Warning! HostGatewayByte is undefined.. gateway will not be in ignore list!\n";
301 if ($logfile eq "") {
302 print "Warning! LogFile is undefined.. Assuming debug mode, output to STDOUT\n";
306 print "Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT\n";
310 foreach $mypath (split (/:/, $ENV{PATH
})) {
311 if (-x
"$mypath/guardian_block.sh") {
312 $blockpath = "$mypath/guardian_block.sh";
314 if (-x
"$mypath/guardian_unblock.sh") {
315 $unblockpath = "$mypath/guardian_unblock.sh";
319 if ($blockpath eq "") {
320 print "Error! Could not find guardian_block.sh. Please consult the README. \n";
323 if ($unblockpath eq "") {
324 print "Warning! Could not find guardian_unblock.sh. Guardian will not be\n";
325 print "able to remove blocked ip addresses. Please consult the README file\n";
327 if ($TimeLimit eq "") {
328 print "Warning! Time limit not defined. Defaulting to absurdly long time limit\n";
329 $TimeLimit = 999999999;
335 my $date = localtime();
336 if (defined($opt_d)) { # we are in debug mode, and not daemonized
337 print STDOUT
$message;
339 open (LOG
, ">>$logfile");
340 print LOG
$date.": ".$message;
352 &write_log
("Guardian process id $$\n");
353 $home = (getpwuid($>))[7] || die "No home directory!\n";
354 chdir($home); # go to my homedir
355 setpgrp(0,0); # become process leader
359 print "Testing...\n";
363 sub sig_handler_setup
{
364 $SIG{INT
} = \
&clean_up_and_exit
; # kill -2
365 $SIG{TERM
} = \
&clean_up_and_exit
; # kill -9
366 $SIG{QUIT
} = \
&clean_up_and_exit
; # kill -3
367 # $SIG{HUP} = \&flush_and_reload; # kill -1
373 foreach $source (keys %hash) {
374 if ($hash{$source} < $time) {
375 &call_unblock
($source, "expiring block of $source\n");
376 delete ($hash{$source});
382 my ($source, $message) = @_;
383 &write_log
("$message");
384 system ("$unblockpath $source $interface");
387 sub clean_up_and_exit
{
389 &write_log
("received kill sig.. shutting down\n");
390 foreach $source (keys %hash) {
391 &call_unblock
($source, "removing $source for shutdown\n");
396 sub load_targetfile
{
398 open (TARG
, "$targetfile") or die "Cannot open $targetfile\n";
401 next if (/\#/); #skip comments
402 next if (/^\s*$/); # and blank lines
407 print "Loaded $count addresses from $targetfile\n";
412 print "Scanning for aliases on $interface and add them to the target hash...";
414 open (IFCONFIG
, "/sbin/ip addr show $interface |");
415 my @lines = <IFCONFIG
>;
418 foreach $line (@lines) {
419 if ( $line =~ /inet (\d+\.\d+\.\d+\.\d+)/) {
421 print " got $ip on $interface ... ";
422 $targethash{'$ip'} = "1";