On Tuesday 03 October 2006 16:09, Francesca Smith wrote:
Oops,

I forgot to add that I need to edit this in the host-deny script for deletes.

From

'cat /etc/hosts.deny | grep -v "ALL:${IP}$"> /tmp/hosts.deny.$$'

To

'cat /etc/hosts.deny | grep -v "${IP}$"> /tmp/hosts.deny.$$'

> On Tuesday 03 October 2006 15:33, Daniel Cid wrote:
> Hi Daniel,
>
> Sorry about mixing up your name earlier :-(
>
> Anyhow here is what I did
>
> 1. Inserted this rule in /etc/hosts.allow near the top "ALL:
> /etc/hosts.deny : deny"
>
> 2. Modified the host-deny script to only echo the IP like so "echo "${IP} " >> /etc/hosts.deny"
>
> Works like a charm. This also may apply to some of the big Iron Unixes like
> Solaris etc.
>
> > Hi Francesca,
> >
> > I had no clue about this "different" behavior from FreeBSD. The active
> > responses are shell scripts at /var/ossec/active-response/bin/. So
> > you can easily edit the file host-deny.sh to fix it for now. You don't
> > need to worry about the next update removing it, because I will
> > fix this before that...
> >
> > *btw, why don't you include /etc/hosts.deny on your /etc/hosts.allow?
> > That way, you will only need to change the format from
> > 'echo "ALL:${IP}" >> /etc/hosts.deny' to
> > 'echo "ALL:${IP}: deny" >> /etc/hosts.deny'
> >
> > Hope it helps..
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 10/3/06, Francesca Smith <[EMAIL PROTECTED]> wrote:
> > > On Tuesday 03 October 2006 12:00, gentuxx wrote:
> > > Hiya,
> > >
> > > Thanks for that .. :-)
> > >
> > > But maybe I need to re-phrase.
> > >
> > > Where would I edit the code to allow this and also have it not be
> > > overwritten with each update ??
> > >
> > > Or is this even possible without a rewrite for FreeBSD ??
> > >
> > > > Francesca Smith wrote:
> > > > > Hello,
> > > > >
> > > > > FreeBSD does not use /etc/hosts.deny but rather inserts all wrapper
> > > > > rules into /etc/hosts.allow.
> > > > >
> > > > > Also the formatting is ALL: XXX.XXX.XXX.XXX: deny.
> > > > >
> > > > > I am wondering just what part of the code will I have to hack up to
> > > > > insert this. And if this has been noticed or considered already ??
> > > >
> > > > I don't use the active-response features, so take this with a grain
> > > > of salt.  My understanding is that when an active-response (AR) rule
> > > > is triggered, the appropriate "action" is taken.  That action is
> > > > defined in your ossec.conf, and is usually deny-host.sh or something
> > > > of your own design.
> > > >
> > > > That being said, you should be able to tailor the AR to whatever your
> > > > system requires.
> > > >
> > > > > Previously I have taken to doing an include statement in
> > > > > /etc/hosts.allow to a file like /etc/hosts.evil with the temporary
> > > > > block rules in there.
> > > > >
> > > > > Rules apply from top to bottom and the first rule "sticks" and
> > > > > later rules do not apply. So I usually place this include statement
> > > > > before any rules for sshd access lockdown for example.
> > >
> > > --
> > > Kindest Regards,
> > >
> > > Francesca Smith
> > >
> > > "No Problems Only Solutions"
> > > Lady Linux Internet Services
> > > Baltimore, Maryland 21217

-- 
Kindest Regards,

Francesca Smith

"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217

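As an added example (not OSSEC's host-deny.sh and not code from this thread): a small sh script in the spirit of the approach above, keeping banned addresses one per line in a separate file that /etc/hosts.allow pulls in with a line such as "ALL : /etc/hosts.evil : deny" (that line and the path are assumptions; DENY_FILE overrides the path for testing). It validates the address before writing and deletes by exact whole-line match, so removing one address cannot strip another that merely ends in the same digits.

```shell
#!/bin/sh
# Added example, not OSSEC's host-deny.sh: maintain a tcp_wrappers client
# list of banned IPv4 addresses for a system such as FreeBSD, where
# /etc/hosts.allow holds the rule "ALL : /etc/hosts.evil : deny" (assumed
# line; the path is an assumption too) and the listed file holds one
# address per line.  DENY_FILE can be overridden for testing.

DENY_FILE="${DENY_FILE:-/etc/hosts.evil}"

# Accept only a dotted-quad IPv4 address with octets 0-255, so a crafted
# value cannot smuggle extra wrapper fields or patterns into the list.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*) return 1 ;;          # anything but digits and dots
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                           # split into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Append the address unless it is already listed (idempotent on repeats).
add_deny() {
    valid_ipv4 "$1" || return 1
    [ -f "$DENY_FILE" ] || : > "$DENY_FILE"
    grep -qFx "$1" "$DENY_FILE" || printf '%s\n' "$1" >> "$DENY_FILE"
}

# Remove the address by exact whole-line match (-F literal, -x full line),
# so deleting 10.0.0.1 never drops 10.0.0.10 and '.' is not a wildcard.
# The list is rewritten to a temp file and renamed, so tcp_wrappers never
# reads a half-written file.
del_deny() {
    valid_ipv4 "$1" || return 1
    [ -f "$DENY_FILE" ] || return 0
    tmp="${DENY_FILE}.$$"
    grep -vFx "$1" "$DENY_FILE" > "$tmp" || :   # grep exits 1 if nothing is left
    mv "$tmp" "$DENY_FILE"
}

# Act as a command only when given arguments, e.g. from an active response:
#   hosts-evil.sh add 192.0.2.7     or     hosts-evil.sh delete 192.0.2.7
if [ $# -ge 2 ]; then
    case "$1" in
        add)    add_deny "$2" ;;
        delete) del_deny "$2" ;;
        *)      echo "usage: $0 add|delete <ipv4>" >&2; exit 1 ;;
    esac
fi
```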