# PyGuardian - System Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│                     PyGuardian Architecture                     │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│    auth.log     │    │  Telegram Bot   │    │    iptables/    │
│   Monitoring    │    │    Interface    │    │    nftables     │
└─────────┬───────┘    └─────────┬───────┘    └─────────┬───────┘
          │                      │                      │
          │ Real-time            │ Commands             │ Block/Unblock
          │ Events               │ & Status             │ IP addresses
          │                      │                      │
          v                      v                      v
┌─────────────────────────────────────────────────────────────────┐
│                             main.py                             │
│                        Event Coordinator                        │
└─────────┬───────────────────────┬───────────────────────┬───────┘
          │                       │                       │
          v                       v                       v
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   monitor.py    │    │   storage.py    │    │   firewall.py   │
│                 │    │                 │    │                 │
│ • LogMonitor    │◄──►│ • SQLite DB     │◄──►│ • FirewallMgr   │
│ • LogParser     │    │ • Statistics    │    │ • iptables API  │
│ • AttackDetector│    │ • Ban Management│    │ • nftables API  │
└─────────────────┘    └─────────────────┘    └─────────────────┘
          │                       │                       │
          │                       │                       │
          v                       v                       v
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│     Events      │    │    Database     │    │     Network     │
│                 │    │                 │    │                 │
│ • Failed login  │    │ • attack_attempts│   │ • IP blocking   │
│ • Invalid user  │    │ • banned_ips    │    │ • Auto-unban    │
│ • Brute force   │    │ • daily_stats   │    │ • Whitelist     │
└─────────────────┘    └─────────────────┘    └─────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                            Data Flow                            │
└─────────────────────────────────────────────────────────────────┘

1. LogMonitor reads auth.log in real-time
   ↓
2. LogParser extracts attack events
   ↓
3. AttackDetector analyzes patterns
   ↓
4. Storage records attempts and statistics
   ↓
5. FirewallManager blocks malicious IPs
   ↓
6. TelegramBot sends notifications
   ↓
7. Admin receives alerts and can manage via bot

┌─────────────────────────────────────────────────────────────────┐
│                        Component Details                        │
└─────────────────────────────────────────────────────────────────┘

monitor.py:
├── LogMonitor: Real-time file monitoring with inotify
├── LogParser: Regex-based log pattern extraction
├── AttackDetector: Threshold-based attack detection
└── Auto-ban: Automatic IP blocking logic

storage.py:
├── SQLite Database: Async database operations
├── Attack Logging: IP, timestamp, attempt details
├── Statistics: Daily/weekly aggregated stats
└── Ban Management: Active/expired ban tracking

firewall.py:
├── FirewallManager: Abstraction layer
├── IptablesFirewall: iptables command execution
├── NftablesFirewall: nftables rule management
└── Cleanup: Automated rule maintenance

bot.py:
├── TelegramBot: Command handler and UI
├── Admin Authentication: Telegram ID verification
├── Interactive Commands: Status, ban, unban, details
└── Notifications: Real-time attack alerts

main.py:
├── Configuration: YAML config loading
├── Component Initialization: Service startup
├── Task Coordination: Async event loops
└── Graceful Shutdown: Signal handling

┌─────────────────────────────────────────────────────────────────┐
│                         Security Model                          │
└─────────────────────────────────────────────────────────────────┘

• Root Privileges: Required for firewall management
• Telegram Auth: Admin ID verification only
• Whitelist Protection: CIDR/IP exclusion rules
• Rate Limiting: Configurable thresholds
• Graceful Degradation: Component failure isolation
• Logging: Comprehensive audit trail
```
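The LogParser, AttackDetector and whitelist stages described above, as an added example that is not PyGuardian's own code: regex extraction of the two sshd event types, a sliding-window threshold, and CIDR exclusion. The regexes, function names, threshold values and the sample log lines are assumptions.

```python
# Added example, not PyGuardian's own code: regex-based auth.log parsing with
# threshold-based detection and CIDR whitelisting (LogParser -> AttackDetector -> Whitelist).
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two sshd events the architecture lists: failed login and invalid user.
PATTERNS = (
    ("failed_login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")),
)

def parse_line(line, year=2024):
    """Return (timestamp, event, user, ip) or None if the line is not an attack event."""
    try:  # syslog timestamps are fixed-width: "Mar  5 10:00:01"
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    for event, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return ts, event, m.group("user"), m.group("ip")
    return None

def detect(lines, threshold=5, window=timedelta(minutes=10), whitelist=("10.0.0.0/8",)):
    """Return IPs with >= threshold attack events inside one window, minus whitelisted ranges."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and not any(ipaddress.ip_address(parsed[3]) in n for n in nets):
            stamps[parsed[3]].append(parsed[0])
    to_ban = set()
    for ip, ts_list in stamps.items():
        ts_list.sort()  # sliding window over the sorted timestamps
        if any(ts_list[i + threshold - 1] - ts_list[i] <= window
               for i in range(len(ts_list) - threshold + 1)):
            to_ban.add(ip)
    return to_ban

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[1]: Invalid user admin from 203.0.113.7 port 51000
Mar  5 10:00:02 host sshd[1]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  5 10:00:04 host sshd[2]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  5 10:00:05 host sshd[3]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  5 10:00:06 host sshd[4]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  5 10:00:07 host sshd[5]: Accepted publickey for alice from 10.1.2.3 port 4444 ssh2
Mar  5 10:30:00 host sshd[7]: Failed password for root from 198.51.100.9 port 6000 ssh2
""".splitlines()
```

`detect(SAMPLE_LOG)` returns `{'203.0.113.7'}`: five events in six seconds cross the threshold, while the single failure from 198.51.100.9 does not.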