On Tuesday 03 October 2006 16:09, Francesca Smith wrote:

Oops, I forgot to add that I need to edit this in the host-deny script for deletes.

From 'cat /etc/hosts.deny | grep -v "ALL:${IP}$"> /tmp/hosts.deny.$$'
To 'cat /etc/hosts.deny | grep -v "${IP}$"> /tmp/hosts.deny.$$'

> On Tuesday 03 October 2006 15:33, Daniel Cid wrote:
>
> Hi Daniel,
>
> Sorry about mixing up your name earlier :-(
>
> Anyhow here is what I did
>
> 1. Inserted this rule in /etc/hosts.allow near the top
>    "ALL: /etc/hosts.deny : deny"
>
> 2. Modified the host-deny script to only echo the IP like so
>    "echo "${IP} " >> /etc/hosts.deny"
>
> Works like a charm. This also may apply to some of the big Iron Unixes like
> Solaris etc.
>
> > Hi Francesca,
> >
> > I had no clue about this "different" behavior from FreeBSD. The active
> > responses are shell scripts at /var/ossec/active-response/bin/. So
> > you can easily edit the file host-deny.sh to fix it for now. You don't
> > need to worry about the next update removing it, because I will
> > fix this before that...
> >
> > *btw, why don't you include /etc/hosts.deny on your /etc/hosts.allow?
> > That way, you will only need to change the format from
> > 'echo "ALL:${IP}" >> /etc/hosts.deny' to
> > 'echo "ALL:${IP}: deny" >> /etc/hosts.deny'
> >
> > Hope it helps..
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 10/3/06, Francesca Smith <[EMAIL PROTECTED]> wrote:
> > > On Tuesday 03 October 2006 12:00, gentuxx wrote:
> > > Hiya,
> > >
> > > Thanks for that .. :-)
> > >
> > > But maybe I need to re-phrase.
> > >
> > > Where would I edit the code to allow this and also have it not be
> > > overwritten with each update ??
> > >
> > > Or is this even possible without a rewrite for FreeBSD ??
> > >
> > > > Francesca Smith wrote:
> > > > > Hello,
> > > > >
> > > > > FreeBSD does not use /etc/hosts.deny but rather inserts all wrapper
> > > > > rules into /etc/hosts.allow.
> > > > >
> > > > > Also the formatting is ALL: XXX.XXX.XXX.XXX: deny.
> > > > >
> > > > > I am wondering just what part of the code I will have to hack up to
> > > > > insert this. And if this has been noticed or considered already ??
> > > >
> > > > I don't use the active-response features, so take this with a grain
> > > > of salt. My understanding is that when an active-response (AR) rule
> > > > is triggered, the appropriate "action" is taken. That action is
> > > > defined in your ossec.conf, and is usually deny-host.sh or something
> > > > of your own design.
> > > >
> > > > That being said, you should be able to tailor the AR to whatever your
> > > > system requires.
> > > >
> > > > > Previously I have taken to doing an include statement in
> > > > > /etc/hosts.allow to a file like /etc/hosts.evil with the temporary
> > > > > block rules in there.
> > > > >
> > > > > Rules apply from top to bottom and the first rule "sticks" and
> > > > > later rules do not apply. So I usually place this include statement
> > > > > before any rules for sshd access lockdown for example.
> > >
> > > --
> > > Kindest Regards,
> > >
> > > Francesca Smith
> > >
> > > "No Problems Only Solutions"
> > > Lady Linux Internet Services
> > > Baltimore, Maryland 21217

--
Kindest Regards,

Francesca Smith

"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
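The add/delete logic the thread arrives at, written as a shell function (an added example; not OSSEC's host-deny.sh and not code anyone in the thread posted). It assumes /etc/hosts.allow already carries "ALL: /etc/hosts.deny : deny" near the top so the deny file can hold bare addresses, takes the file path as an optional third argument so it can be tried against a scratch file, and tightens the delete to a whole-line match, since `grep -v "${IP}$"` also removes any longer address that ends in the same digits.

```shell
#!/bin/sh
# Added example, not OSSEC's host-deny.sh: FreeBSD-style add/delete logic for
# the deny list. Assumes /etc/hosts.allow already has "ALL: /etc/hosts.deny : deny"
# near the top, so the deny file holds one bare dotted-decimal address per line.
#
# Usage: hostdeny_update add|delete IP [DENYFILE]
# DENYFILE defaults to /etc/hosts.deny; pass a scratch path to try it out.

hostdeny_update() {
    action="$1"
    ip="$2"
    deny="${3:-/etc/hosts.deny}"

    # Only accept a plain dotted-decimal address. A value taken from an alert
    # must not be able to smuggle wildcards, spaces or extra fields into the
    # wrapper file (e.g. "1.2.3.4 : allow" would be written verbatim otherwise).
    case "$ip" in
        "" | *[!0-9.]* | .* | *. | *..*) return 2 ;;
    esac

    case "$action" in
        add)
            # -F -x: fixed-string, whole-line match, so an existing entry is
            # detected and 10.0.0.1 is never mistaken for a match on 0.0.0.1.
            grep -Fqx "$ip" "$deny" 2>/dev/null && return 0
            echo "$ip" >> "$deny"
            ;;
        delete)
            [ -f "$deny" ] || return 0
            tmp="$deny.$$"
            # grep -v "${IP}$" would also drop any longer address ending in the
            # same digits; whole-line matching removes exactly this entry.
            # grep exits 1 when no lines remain, which is not an error here.
            grep -Fvx "$ip" "$deny" > "$tmp" || :
            # Copy back over the original so its owner and mode are preserved.
            cat "$tmp" > "$deny" && rm -f "$tmp"
            ;;
        *) return 2 ;;
    esac
}
```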