The community-maintained documentation platform of IPFire

User Tools

Site Tools


The Guardian 2.0 Addon

Guardian is an extension to the IPFire Intrusion Detection System, which enables automatic blocking of IP addresses which are associated with intrusion attempts.

Since the legacy version, guardian massively has been improved by the IPFire team and now is able to detect and prevent from brute force attacks against the IPFire web interface and SSH daemon.

Technically guardian monitors (based on its configuration) several different files for modifications and parses the recently added lines. For each offensive IP address guardian internal uses a counter, when this counter reaches the configured maximum amount an iptables rule will be created which drops the complete traffic for a dedicated time interval.

Advantages and disadvantages

  • The blocking mechanism of Guardian is based on IP addresses. If an attacker changes his address, Guardian can not prevent him from attacking again.
  • A huge part of the intelligence relies entirely on Snort and the usage of sensible rules.
  • Possible false-positives based on the used Snort ruleset, may generate bans for several harmless systems.


Guardian completely can be managed by using the IPFire web interface. A corresponding menu entry will be displayed after the addon has been installed.

Monitor Snort alert file

This option allows you to enable or disable the monitoring of the snort alert file. If you are not using Snort or do not want to attend to its alerts, set this option to off. The default value is on.

SSH Brute-force detection

Enables or disables the Brute-force detection for the local running SSH daemon. The default setting will be on.

HTTPD Brute-force detection

By using this option, guardian will detect Brute-force login attempts against the IPFire web interface. Defaults to on.

Log facility

The log facility option allows to configure where guardian should sent any generated log messages. Available facilities are:

  • syslog: Directly send the messages to the system log.
  • file: Write all messages to a defined file.
  • console: This option is only used for debugging purposes and requires to launch guardian in the foreground to get any log messages displayed.

Log level

This drop down menu allows you to configure the log level of guardian. This setting affects the amount of messages which are written to the log file.

  • off: Nothing will be logged.
  • info: Default - write a log message when an address has been blocked or is unblocked.
  • debug: Very detailed logging - Only use this level for development or debug purposes, it can result in a very large log file. Cannot be chosen if the log facility is set to “Syslog”.

Priority level (Snort)

This menu configures the minimum priority level to react when snort gains any alerts. Each snort rule is assigned a priority level which is from 1-4, with 1 being the highest and 4 the lowest (a packet has passed). This setting is only considered when the snort file monitoring is enabled. Default value is 3.

If you are seeing a lot of false positives, that is IP addresses being blocked incorrectly, it is recommended that you change the Priority level to 2.

Strike Threshold (Snort)

The Strike Threshold contains the maximum amount of attempts for an aggressive IP address before it will be blocked. The minimum value has to be at least “1”. The default setting is 3.

Firewall action

This option allows to configure if a “DROP” or “REJECT” rule should be created if an attacker gets blocked by guardian. More details can be found here.

For several reasons, it might be better to use “DROP”, especially in case the firewall machine is directly connected to the internet. The “REJECT” option sends an ICMP package back to the source, which reveals that there is something answering. In case of “DROP”, it will look like the destination went offline. You might want to look here for further information.

Block time

The block time describes the time interval, which has to be passed until a block against an IP address automatically get released again. Default value is 86400 seconds which equals to 24 hours.

Log file

This option only will be displayed if the log facility is set to “File” and allows to configure the location of guardians log file.

Ignored Hosts

Guardian has a built-in support for ignoring attacks from single hosts or whole subnets. It feature can be used to prevent critical devices or systems on your local networks from incorrectly being blocked by guardian.

The ignore list easily can be manipulated by using the web interface. Existing elements from the list can be dropped by clicking the trash icon next to each.

A new entry can be added by using the input field and using the Add button.

Valid inputs are all kind of single IPv4 addresses or networks. Guardian accepts networks with an appended prefix ( or netmask in dot-decimal notation (

Currently blocked hosts

A full list of all currently blocked IP addresses is displayed in the web interface.

An single list entry can be dropped by clicking the trash icon next to the IP address.

A single host manually can be blocked by filling in its IP address into the input field and using the Block button.

The complete list can be flushed by using the Unblock All button.

addons/guardian/start.txt · Last modified: 2018/10/06 23:00 by Jon