We have installed Guardian on our IPFire, but brute-force SSH attempts are not dropped. The IDS is activated with the “emerging threats community rules”, and Guardian is activated too, but it does not capture brute-force attempts on SSH.
I installed and tested Guardian in a virtual environment and it works as expected.
Feb 3 13:20:57 [debug] Logger successfully initialized…
Feb 3 13:20:57 [debug] Using firewall engine: IPtables
Feb 3 13:20:57 [debug] Ignore list currently contains 3 entries:
Feb 3 13:20:57 [debug] - ::1
Feb 3 13:20:57 [debug] - 127.0.0.1
Feb 3 13:20:57 [debug] - 192.168.122.224
Feb 3 13:20:57 [debug] Starting worker thread for /var/log/messages
Feb 3 13:20:57 [debug] Starting worker thread for /var/log/httpd/error_log
Feb 3 13:20:57 [info] Guardian 2.0.2 successfully started…
Feb 3 13:21:46 [debug] QUEUE - Processed event: count 192.168.122.1 SSH Possible SSH-Bruteforce Attack for user: root.
Feb 3 13:21:46 [debug] SSH reported Possible SSH-Bruteforce Attack for user: root. for address: 192.168.122.1
You can easily debug Guardian by switching the log target to “file” and the log level to “debug”.
Please also keep in mind that Guardian can only determine brute-force attacks against the IPFire instance itself!
I have no idea what has happened on our system… Here’s the /var/log/guardian/guardian.log:
Feb 3 13:40:28 [debug] Logger successfully initialized…
Feb 3 13:40:28 [debug] Using firewall engine: IPtables
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/local-ipaddress will be included…
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/remote-ipaddress will be included…
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/dns1 will be included…
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/dns2 will be included…
Feb 3 13:40:28 [debug] Ignore list currently contains 8 entries:
Feb 3 13:40:28 [debug] - ::1
Feb 3 13:40:28 [debug] - 10.167.13.100
Feb 3 13:40:28 [debug] - 127.0.0.1
Feb 3 13:40:28 [debug] - 192.168.0.253
Feb 3 13:40:28 [debug] - 192.168.0.254
Feb 3 13:40:28 [debug] - 192.168.120.1
Feb 3 13:40:28 [debug] - [DNS1_ADDRESS]
Feb 3 13:40:28 [debug] - [DNS2_ADDRESS]
Feb 3 13:40:28 [debug] Starting worker thread for /var/log/messages
Feb 3 13:40:28 [debug] Starting worker thread for /var/log/httpd/error_log
When I try to log in 3 times with a bad password, nothing happens…
The /var/log/messages log file reached its limit due to another overly verbose process. Suddenly, the SSH connection messages were no longer written there, and Guardian could therefore see nothing.
One more thing I just noticed… After a while and for no real reason, Guardian does not log anything (/var/log/guardian/guardian.log). You have to restart the guardian service.
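Added example, not Guardian's own code and not from anyone in this thread: a minimal log-driven SSH brute-force detector of the kind Guardian implements, written so the two failure modes discussed above are visible. It parses constructed OpenSSH "Failed password" syslog lines (the addresses, hostnames and the year used for timestamps are assumptions, since syslog lines carry no year), keeps an ignore list like the one Guardian prints at startup so local and trusted addresses are never blocked, counts failures per source address inside a sliding window, and separately reports when the watched log has gone silent. That last check is what would have surfaced the situation where /var/log/messages stopped receiving sshd lines: a detector that only reacts to matching lines sees nothing at all when the log source dies, so watching for the absence of any new lines is a useful health signal.

```python
"""Minimal SSH brute-force detector over syslog lines, with an ignore list
and a check for a silent log source. Constructed example, not Guardian code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/messages content. Addresses are documentation
# ranges / made-up LAN addresses; the hostname "ipfire" is an assumption.
SAMPLE_LOG = """Feb  3 13:40:30 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  3 13:40:33 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  3 13:40:36 ipfire sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  3 13:40:40 ipfire sshd[1205]: Failed password for invalid user admin from 192.168.0.254 port 40000 ssh2
Feb  3 13:40:41 ipfire sshd[1205]: Failed password for invalid user admin from 192.168.0.254 port 40000 ssh2
Feb  3 13:40:42 ipfire sshd[1205]: Failed password for invalid user admin from 192.168.0.254 port 40000 ssh2
Feb  3 13:41:00 ipfire sshd[1210]: Accepted publickey for admin from 192.168.0.10 port 40100 ssh2
"""

# Syslog timestamp at the start of every line (day may be padded with a space).
SYSLOG_TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

# OpenSSH failed-password line; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed ignore list, in the spirit of the one Guardian prints at startup:
# loopback plus a trusted LAN host that must never be firewalled.
IGNORE_LIST = {"::1", "127.0.0.1", "192.168.0.254"}

# Syslog lines carry no year; the year here is an assumption for the sample.
ASSUMED_YEAR = 2024


def parse_ts(ts, year=ASSUMED_YEAR):
    """Turn 'Feb  3 13:40:30' into a datetime (extra spaces are tolerated)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=3, window_seconds=60, ignore=IGNORE_LIST):
    """Return {source_ip: time_of_threshold_hit} for every source that produced
    `threshold` or more failed logins inside a `window_seconds` sliding window.
    Sources on the ignore list are skipped entirely, as Guardian does."""
    attempts = defaultdict(deque)
    blocked = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        src = m["src"]
        if src in ignore:
            continue
        ts = parse_ts(m["ts"])
        q = attempts[src]
        q.append(ts)
        # Drop attempts that fell out of the window before checking the count.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in blocked:
            blocked[src] = ts
    return blocked


def newest_timestamp(lines):
    """Timestamp of the last syslog line of any kind, or None if there are none."""
    last = None
    for line in lines:
        m = SYSLOG_TS_RE.match(line)
        if m:
            last = parse_ts(m.group(1))
    return last


def log_is_silent(lines, now, max_idle_seconds=600):
    """True when the watched file has produced nothing for `max_idle_seconds`.
    A detector that only reacts to matching lines cannot tell the difference
    between "no attacks" and "the log source stopped", so this is the health
    check a watcher needs alongside its pattern matching."""
    last = newest_timestamp(lines)
    return last is None or (now - last).total_seconds() > max_idle_seconds


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, when in detect_bruteforce(lines).items():
        print(f"would block {src} at {when.time()}")
    print("log silent:", log_is_silent(lines, parse_ts("Feb  3 14:00:00")))
```

On the sample, only 203.0.113.7 is reported: 192.168.0.254 fails just as often but is on the ignore list, which is exactly why Guardian's startup listing of its ignore entries is worth reading when "nothing happens" after deliberate failed logins from a LAN host. The silence check is independent of the pattern matching, so it still fires when the log is being written to but sshd's lines no longer reach it.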