I have one outward-facing host, let's call it ssh-host, with an ssh port accessible to the WAN.
I have another host inside my firewall, called engserver.
I installed OSSEC on engserver as a "server" install, but
without active response.
I installed the "client" install on ssh-host, answering "Yes" to the
active response questions. ssh-host is an OSSEC agent of engserver
and I see email alerts, so I know things are working correctly.
However, looking at /var/ossec/active-response/ on ssh-host, it seems that
the active response stuff is not activated. I *know* this host gets
a lot of scans and brute force attempts to log in.
Does anyone know what's going on? The /var/ossec/etc/ossec.conf
on ssh-host seems very minimal and does not mention any of the
stuff for host-deny or firewall-deny.
Thanks!
---Kayvan
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
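For reference, this is the shape of the active-response configuration OSSEC keeps on the manager (engserver here), not on the agent: the `<command>` blocks name the scripts shipped under /var/ossec/active-response/bin, and the `<active-response>` blocks tie them to alert levels and decide where they run. This is an added illustration, not text from the original post or from the OSSEC project's shipped configuration; the level and timeout values are assumptions chosen for the example.

```xml
<ossec_config>
  <!-- Command definitions live in the MANAGER's ossec.conf.
       The agent's ossec.conf only needs active response enabled:
       <active-response><disabled>no</disabled></active-response> -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>   <!-- writes to /etc/hosts.deny -->
    <expect>srcip</expect>                  <!-- needs a source IP in the alert -->
    <timeout_allowed>yes</timeout_allowed>  <!-- entry is removed after <timeout> -->
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>  <!-- adds a DROP rule in iptables -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location "local" means: run on the agent whose log produced the alert,
       so a brute-force alert from ssh-host blocks the source on ssh-host.
       Level and timeout are example values (assumption). -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

When this is in place, each triggered response is recorded in /var/ossec/logs/active-responses.log on the host that ran it, which is the first place to check when the agent looks idle.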