Can’t Enable IPS on IPFire 2.27 (Core 167)

I didn’t find any way to activate the Intrusion Prevention System (IPS) on IPFire 2.27. Here is a picture:

If I try to choose a ruleset - nothing happens. Who could help?

Have you tried to add a provider first?
Eventually select one of the Community Rulesets and download the rules.
After that restart the IDS.

Silvio

2 Likes

A quick look into the source of the page showed that you really can start IPS only with a provider selected.
The additional entries shown in the wiki are displayed with a selected ruleset only.

Yes, I tried to add a provider. After clicking “add” I see an empty white screen. But nothing happens.

Are there any messages in /var/log/httpd/error_log or /var/log/messages?

I just tried to reproduce your situation.

  • stopped IPS
  • removed the IPS provider
  • no start button etc.
  • added my IPS provider
  • start is possible and functioning

Only difference: I had a ruleset already. But a manual update went through also.

I had exactly the same problem as the OP, when I try and add an IPS Provider, after clicking the “add” button, I get a white screen.

Following @bbitsch's suggestion, I checked in /var/log/httpd/error_log and found the following:

[Fri Jun 10 11:12:22.644834 2022] [core:notice] [pid 16552:tid 129761122461568] AH00094: Command line: '/usr/sbin/httpd'
Unable to write to file /var/ipfire/suricata/providers-settings at /var/ipfire/general-functions.pl line 902.
Unable to write to file /var/ipfire/suricata/providers-settings at /var/ipfire/general-functions.pl line 902.

I had tried twice, with two different providers which probably explains the repeated error messages.

TIA

Googling the error message took me to this thread:
https://community.ipfire.org/t/ipfire-167-no-ruleset/7839 which had a slightly different problem, but the cause seems to have been the same.

It appears the wrong owner/group have been set for the file /var/ipfire/suricata/providers-settings. On my system they were root:root when they should have been nobody:nobody

Running the following command from the SSH console logged in to my firewall fixed the problem for me:

chown nobody:nobody /var/ipfire/suricata/providers-settings

3 Likes
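
The ownership problem diagnosed in the post above can be confirmed before anything is changed. The script below is an added example, not part of the original posts and not IPFire's own code; the function name check_owner is hypothetical, and it assumes GNU stat as shipped on Linux.

```shell
#!/bin/sh
# Added example: report files whose owner:group differs from the expected one.
# It only reports; the chown it suggests is left for the admin to run.
#
# usage: check_owner EXPECTED_OWNER:GROUP FILE...
# returns 0 when every file is a regular file with the expected owner, else 1

check_owner() {
    expected=$1
    shift
    status=0
    for f in "$@"; do
        if [ -L "$f" ]; then
            # chown follows symlinks by default, so never suggest a fix here
            echo "SYMLINK  $f (inspect the link target by hand)"
            status=1
        elif [ ! -f "$f" ]; then
            echo "MISSING  $f"
            status=1
        else
            actual=$(stat -c '%U:%G' "$f")
            if [ "$actual" = "$expected" ]; then
                echo "OK       $f ($actual)"
            else
                echo "WRONG    $f is $actual, expected $expected"
                echo "         fix: chown $expected $f"
                status=1
            fi
        fi
    done
    return "$status"
}

# On the firewall itself: check the file named in the httpd error log,
# against the owner the post above reports as correct.
if [ -d /var/ipfire/suricata ]; then
    check_owner nobody:nobody /var/ipfire/suricata/providers-settings || true
fi
```
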

@robh thank you, this “can’t enable IPS” fix also worked for me on IPFire 2.27 Core 170

1 Like