Guardian doesn't drop anything

Hello,

We have installed Guardian on our IPFire, but brute-force SSH attempts are not dropped. The IDS is activated with the “emerging threats community rules”, and Guardian is activated too, but it does not capture brute-force attempts over SSH.

Do you know how to help us?

We are on Core 138.

Thank you

Hello Benjamin,

I installed and tested Guardian in a virtual environment and it works as expected.

Feb 3 13:20:57 [debug] Logger successfully initialized…
Feb 3 13:20:57 [debug] Using firewall engine: IPtables
Feb 3 13:20:57 [debug] Ignore list currently contains 3 entries:
Feb 3 13:20:57 [debug] - ::1
Feb 3 13:20:57 [debug] - 127.0.0.1
Feb 3 13:20:57 [debug] - 192.168.122.224
Feb 3 13:20:57 [debug] Starting worker thread for /var/log/messages
Feb 3 13:20:57 [debug] Starting worker thread for /var/log/httpd/error_log
Feb 3 13:20:57 [info] Guardian 2.0.2 successfully started…
Feb 3 13:21:46 [debug] QUEUE - Processed event: count 192.168.122.1 SSH Possible SSH-Bruteforce Attack for user: root.
Feb 3 13:21:46 [debug] SSH reported Possible SSH-Bruteforce Attack for user: root. for address: 192.168.122.1

You can easily debug Guardian by switching the log target to “file” and the log level to “debug”.

Please also keep in mind that Guardian can only detect brute-force attacks against the IPFire instance!

I hope, I was able to help you.

Best regards,

-Stefan

Thanks for your help…

I have no idea what happened on our system… Here is /var/log/guardian/guardian.log:

Feb 3 13:40:28 [debug] Logger successfully initialized…
Feb 3 13:40:28 [debug] Using firewall engine: IPtables
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/local-ipaddress will be included…
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/remote-ipaddress will be included…
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/dns1 will be included…
Feb 3 13:40:28 [debug] Addresses from /var/ipfire/red/dns2 will be included…
Feb 3 13:40:28 [debug] Ignore list currently contains 8 entries:
Feb 3 13:40:28 [debug] - ::1
Feb 3 13:40:28 [debug] - 10.167.13.100
Feb 3 13:40:28 [debug] - 127.0.0.1
Feb 3 13:40:28 [debug] - 192.168.0.253
Feb 3 13:40:28 [debug] - 192.168.0.254
Feb 3 13:40:28 [debug] - 192.168.120.1
Feb 3 13:40:28 [debug] - [DNS1_ADDRESS]
Feb 3 13:40:28 [debug] - [DNS2_ADDRESS]
Feb 3 13:40:28 [debug] Starting worker thread for /var/log/messages
Feb 3 13:40:28 [debug] Starting worker thread for /var/log/httpd/error_log

When I try to log in 3 times with a bad password, nothing happens…

?? Very weird

Okay,

The /var/log/messages file reached its limit due to another overly verbose process. Suddenly the SSH connection messages were no longer written there, so Guardian could see nothing :slight_smile:

Thank you :wink:

However, I can see the errors in /var/log/httpd/error_log, but Guardian does not blacklist.

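The two points above, Stefan's description of how Guardian works (one worker thread per watched log file, an ignore list of local addresses) and Benjamin's root cause (sshd lines stopped reaching /var/log/messages, so there was nothing to detect), can be shown together in a small script. The following is an added example and not Guardian's own code: a minimal detector that scans syslog-style lines for failed SSH logins, counts them per source within a time window while honouring an ignore list, and a watchdog that reports when the watched log has gone silent, which is exactly the failure mode in this thread. The log lines, the threshold and window, the ignore list and the block command are constructed assumptions for the example, not Guardian's settings or its iptables chain.

```python
"""Added example (not Guardian's code): SSH brute-force detection over
syslog lines plus a watchdog for a log file that has stopped receiving
sshd messages. Thresholds, window, ignore list and the firewall command
are assumptions made for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages content (not a real capture).
SAMPLE_MESSAGES = """\
Feb  3 13:21:40 ipfire sshd[2301]: Failed password for root from 192.168.122.1 port 51002 ssh2
Feb  3 13:21:42 ipfire sshd[2301]: Failed password for root from 192.168.122.1 port 51002 ssh2
Feb  3 13:21:44 ipfire sshd[2301]: Failed password for root from 192.168.122.1 port 51002 ssh2
Feb  3 13:21:46 ipfire sshd[2301]: Failed password for root from 192.168.122.1 port 51002 ssh2
Feb  3 13:21:50 ipfire sshd[2310]: Failed password for admin from 10.0.0.9 port 40010 ssh2
Feb  3 13:21:55 ipfire sshd[2315]: Failed password for root from 192.168.122.224 port 33000 ssh2
Feb  3 13:21:56 ipfire sshd[2315]: Failed password for root from 192.168.122.224 port 33000 ssh2
Feb  3 13:21:57 ipfire sshd[2315]: Failed password for root from 192.168.122.224 port 33000 ssh2
Feb  3 13:21:58 ipfire sshd[2315]: Failed password for root from 192.168.122.224 port 33000 ssh2
"""

# Assumed ignore list, modelled on the debug output in the thread: the
# firewall's own addresses must never be blocked by its own detector.
IGNORE_LIST = frozenset({"::1", "127.0.0.1", "192.168.122.224"})

SYSLOG_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text):
    """Parse a syslog timestamp. Syslog omits the year, so a fixed year is
    assumed; only differences between timestamps matter here."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2000)


def detect_bruteforce(lines, threshold=3, window=timedelta(seconds=60),
                      ignore=IGNORE_LIST):
    """Return {ip: (timestamp, user)} for every source that produced at
    least `threshold` failed SSH logins within `window`, skipping ignored
    addresses. Each source is reported once, at the line that crossed
    the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in ignore or ip in blocked:
            continue
        ts = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = (ts, m.group("user"))
    return blocked


def block_command(ip):
    """Assumed firewall action for a blocked source (not Guardian's chain)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def log_is_stale(lines, now, max_silence=timedelta(minutes=5)):
    """Watchdog for the failure mode in the thread: True if the newest
    syslog line is older than `max_silence`, i.e. the watched file has
    stopped receiving messages and the detector is blind."""
    last = None
    for line in lines:
        m = SYSLOG_TS_RE.match(line)
        if m:
            last = parse_ts(m.group("ts"))
    return last is None or now - last > max_silence


if __name__ == "__main__":
    lines = SAMPLE_MESSAGES.splitlines()
    for ip, (ts, user) in detect_bruteforce(lines).items():
        print(f"{ts:%b %d %H:%M:%S} SSH brute force from {ip} (user {user}); "
              f"would run: {' '.join(block_command(ip))}")
    # Pretend it is now 13:40:28, the time of Benjamin's second log excerpt.
    if log_is_stale(lines, parse_ts("Feb  3 13:40:28")):
        print("watchdog: no syslog lines for over 5 minutes; "
              "check that sshd messages still reach the watched file")
```

The watchdog is the check a practitioner wants after this thread: a detector that tails a file cannot distinguish "no attacks" from "the file stopped growing", so when a test login with a wrong password produces no Guardian log entry, confirm first that the sshd line actually landed in the watched file before debugging Guardian itself.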

Hello Benjamin,

you are right; tested and reproduced. Guardian here also does not recognize failed HTTP login attempts.

I’ll dig deeper and provide a fix.

https://bugzilla.ipfire.org/show_bug.cgi?id=12289

Thanks for finding this bug,

-Stefan


You’re welcome,

Thanks for your help :wink:

One more thing I just noticed… After a while, and for no apparent reason, Guardian stops logging anything to /var/log/guardian/guardian.log. You have to restart the Guardian service.