Guardian is an extension to the IPFire Intrusion Detection System that automatically blocks IP addresses associated with intrusion attempts.
Since the legacy version, Guardian has been massively improved by the IPFire team and is now also able to detect and stop brute-force attacks against the IPFire web interface and the SSH daemon.
Technically, Guardian monitors several files (depending on its configuration) for modifications and parses the newly appended lines. For each offending IP address Guardian keeps an internal counter; when that counter reaches the configured maximum, an iptables rule is created which drops all traffic from that address for a configured time interval.
Guardian can be managed entirely through the IPFire web interface. A corresponding menu entry is displayed once the addon has been installed.
This option enables or disables monitoring of the Snort alert file. If you are not using Snort, or do not want Guardian to act on its alerts, set this option to off. The default value is on.
Enables or disables brute-force detection for the locally running SSH daemon. The default setting is on.
When enabled, Guardian detects brute-force login attempts against the IPFire web interface. Defaults to on.
The log facility option configures where Guardian sends its log messages. Available facilities are:
This drop-down menu configures the log level of Guardian. This setting affects the amount of messages written to the log file.
This menu configures the minimum priority level at which Guardian reacts to a Snort alert. Each Snort rule is assigned a priority level from 1 to 4, with 1 being the highest and 4 the lowest (a packet has passed). This setting is only considered when monitoring of the Snort alert file is enabled. The default value is 3, so alerts of priority 1, 2 and 3 trigger a strike.
If you are seeing a lot of false positives, that is, IP addresses being blocked incorrectly, it is recommended that you change the priority level to 2.
The Strike Threshold is the number of strikes an aggressive IP address may accumulate before it is blocked. The minimum value is 1. The default setting is 3.
This option configures whether a DROP or a REJECT rule is created when an attacker is blocked by Guardian.
For several reasons it may be better to use DROP, especially when the firewall machine is directly connected to the internet. A REJECT rule sends an ICMP error packet back to the source, which reveals that something is answering. With DROP, it looks as if the destination went offline.
The block time is the interval that has to pass before a block against an IP address is automatically released again. The default value is 86400 seconds, which equals 24 hours.
This option is only displayed when the log facility is set to File, and configures the location of Guardian's log file.
Guardian has built-in support for ignoring attacks from single hosts or whole subnets. This feature can be used to prevent critical devices or systems on your local networks from being blocked by Guardian by mistake.
The ignore list can be edited in the web interface. Existing entries can be removed by clicking the trash icon next to each of them.
A new entry can be added by filling in the input field and using the Add button.
Valid inputs are single IPv4 addresses or networks. Guardian accepts networks with an appended prefix length (192.168.0.0/24) or a netmask in dot-decimal notation (192.168.0.0/255.255.255.0).
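The following is an added example, written for this page and not part of Guardian or IPFire, that models the behaviour described above in Python: newly appended log lines are parsed, a per-IP strike counter is kept, the ignore list (prefix or dot-decimal netmask notation) suppresses strikes, a DROP or REJECT rule is created when the Strike Threshold is reached, and the block is released once the block time has elapsed. The log-line pattern, the sample log lines and the iptables chain name GUARDIAN are assumptions made for the example; only the SSH case is modelled, since the page does not give the web-interface log format.

```python
import ipaddress
import re
from collections import defaultdict

# Settings mirroring the web-interface options described on this page.
STRIKE_THRESHOLD = 3        # Strike Threshold (default 3)
BLOCK_TIME = 86400          # Block time in seconds (default 24 h)
FIREWALL_ACTION = "DROP"    # "DROP" or "REJECT"
CHAIN = "GUARDIAN"          # assumed chain name for illustration; not taken from the page

# Constructed ignore list showing both accepted network notations plus a single host.
IGNORE_LIST = ["192.168.0.0/24", "10.0.0.0/255.255.255.0", "172.16.5.9"]

# Constructed OpenSSH failure-line shape; the page does not specify the pattern Guardian uses.
SSHD_FAILED = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    "Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Accepted publickey for alice from 192.168.0.20 port 50000 ssh2",
    "Failed password for root from 192.168.0.20 port 50001 ssh2",
    "Failed password for root from 192.168.0.20 port 50002 ssh2",
    "Failed password for root from 192.168.0.20 port 50003 ssh2",
    "Failed password for root from 203.0.113.5 port 40003 ssh2",
]


def parse_ignore_entry(entry):
    """Accept a single IPv4 address, address/prefix or address/netmask (strict=False keeps host bits)."""
    return ipaddress.ip_network(entry, strict=False)


class Guardian:
    def __init__(self, threshold=STRIKE_THRESHOLD, block_time=BLOCK_TIME,
                 action=FIREWALL_ACTION, ignore=IGNORE_LIST, chain=CHAIN):
        self.threshold = threshold
        self.block_time = block_time
        self.action = action
        self.chain = chain
        self.ignore = [parse_ignore_entry(e) for e in ignore]
        self.strikes = defaultdict(int)   # per-IP strike counter
        self.blocked = {}                 # ip -> epoch second at which the block is released
        self.rules = []                   # iptables commands that would have been executed

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line, now):
        """Handle one newly appended log line; returns the iptables command if a block was created."""
        m = SSHD_FAILED.search(line)
        if not m:
            return None
        ip = m.group(1)
        if self.is_ignored(ip) or ip in self.blocked:
            return None
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.threshold:
            return self.block(ip, now)
        return None

    def block(self, ip, now):
        """Create the firewall rule; also what the manual Block button would do."""
        self.strikes.pop(ip, None)
        self.blocked[ip] = now + self.block_time
        cmd = f"iptables -I {self.chain} -s {ip} -j {self.action}"
        self.rules.append(cmd)
        return cmd

    def unblock(self, ip):
        """Release a single entry, as the trash icon next to a blocked address does."""
        if ip not in self.blocked:
            return False
        del self.blocked[ip]
        self.rules.append(f"iptables -D {self.chain} -s {ip} -j {self.action}")
        return True

    def expire(self, now):
        """Release every block whose block time has elapsed; returns the released IPs."""
        due = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in due:
            self.unblock(ip)
        return due


if __name__ == "__main__":
    g = Guardian()
    start = 1_700_000_000
    for i, line in enumerate(SAMPLE_LOG):
        cmd = g.feed(line, now=start + i)
        if cmd:
            print(cmd)
    print("released after block time:", g.expire(start + len(SAMPLE_LOG) + BLOCK_TIME))
```

Feeding the sample log, the LAN host 192.168.0.20 fails three times but is covered by the 192.168.0.0/24 ignore entry and is never blocked, while 203.0.113.5 is blocked on its third strike; the block is released by expire() once 86400 seconds have passed. Switching action to "REJECT" only changes the target of the generated rule, which is exactly the difference discussed above: with REJECT the kernel answers with an ICMP error, with DROP the attacker sees nothing.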
A full list of all currently blocked IP addresses is displayed in the web interface.
A single list entry can be removed by clicking the trash icon next to the IP address.
A single host can be blocked manually by filling in its IP address in the input field and using the Block button.
The complete list can be flushed by using the Unblock All button.