Hi Kayvan,
In order to make active-response work on agents, you should configure the
"server" with active-response I think.
Then you may specify the active-response location (i.e., local, analysis-server,
defined-agent or all).
I'm adding related parts of my configuration file to give idea:
/var/ossec/etc/ossec.conf on server:
----
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>disable-account</name>
  <executable>disable-account.sh</executable>
  <expect>user</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
----
I have no configuration for active-response on agent,
however, I answered "Yes" to the active-response questions on
both server and agent installation.
You can find detailed information about active-response configuration at
http://www.ossec.net/en/manual.html -> 7.1.2 Responses Configuration.
Best Regards,
Ahmet Ozturk.
Kayvan A. Sylvan wrote:
> I have one outward-facing host, let's call it ssh-host, with an
> ssh port accessible to the WAN.
>
> I have another host inside my firewall, called engserver.
>
> I installed OSSEC on engserver as a "server" install, but
> without active response.
>
> I installed the "client" install on ssh-host, answering "Yes" to the
> active response questions. ssh-host is an OSSEC agent of engserver
> and I see email alerts, so I know things are working correctly.
>
> However, looking at /var/ossec/active-response/ on ssh-host, it seems that
> the active response stuff is not activated. I *know* this host gets
> a lot of scans and brute force attempts to login.
>
> Does anyone know what's going on? The /var/ossec/etc/ossec.conf
> on ssh-host seems very minimal and does not mention any of the
> stuff for host-deny or firewall-deny.
>
> Thanks!
> ---Kayvan
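Ahmet's reply shows the two halves of an active response on the server: a <command> block that names the script and the argument it expects (srcip or user), and an <active-response> block that binds that command to a location, a trigger level and a timeout. The checker below is an added example written for this page, not OSSEC's own code; it parses such a fragment and reports responses that reference an undefined command, use a location it does not recognise, target a defined-agent without an agent_id, or set a timeout on a command whose timeout_allowed is not "yes". It assumes the valid locations are local, server, defined-agent and all, that a response is triggered by level, rules_id or rules_group, and that rule levels run 0-16; the sample configuration inside it is constructed from the posted snippet, with two responses broken on purpose.

```python
"""Check the <command> / <active-response> pairing in an OSSEC ossec.conf.

Added example for this thread; it is not part of OSSEC. Assumptions (mine,
not from the post): an ossec.conf may hold several top-level blocks, so the
text is wrapped in one root before XML parsing; the valid <location> values
are local, server, defined-agent and all; a response is triggered by
<level>, <rules_id> or <rules_group>; rule levels run 0-16.
"""
import xml.etree.ElementTree as ET

ALLOWED_LOCATIONS = {"local", "server", "defined-agent", "all"}  # assumption
TRIGGER_TAGS = ("level", "rules_id", "rules_group")               # assumption

# Constructed sample: host-deny and disable-account commands modelled on the
# reply (disable-account changed to timeout_allowed "no" for the check), one
# response per deployment style, then two deliberately broken responses.
SAMPLE_CONF = """
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>disable-account</name>
  <executable>disable-account.sh</executable>
  <expect>user</expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>host-deny</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<!-- broken below -->
<active-response>
  <command>firewall-drop</command>
  <location>analysis-server</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <command>disable-account</command>
  <location>defined-agent</location>
  <level>7</level>
  <timeout>300</timeout>
</active-response>
"""


def _text(elem, tag):
    """Text of the first child <tag>, stripped, or None when absent or empty."""
    child = elem.find(tag)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def load_commands(conf_text):
    """Map command name -> {executable, expect, timeout_allowed} for every
    top-level <command> block (the <command> child of <active-response>
    carries no <name>, so it is skipped)."""
    root = ET.fromstring("<ossec_wrap>" + conf_text + "</ossec_wrap>")
    commands = {}
    for cmd in root.iter("command"):
        name = _text(cmd, "name")
        if name is None:
            continue
        commands[name] = {
            "executable": _text(cmd, "executable"),
            "expect": _text(cmd, "expect"),
            "timeout_allowed": (_text(cmd, "timeout_allowed") or "no").lower() == "yes",
        }
    return commands


def check_active_responses(conf_text):
    """Return a list of human-readable findings; an empty list means no problems."""
    root = ET.fromstring("<ossec_wrap>" + conf_text + "</ossec_wrap>")
    commands = load_commands(conf_text)
    findings = []
    for n, ar in enumerate(root.iter("active-response"), start=1):
        name = _text(ar, "command")
        where = "active-response #%d (%s)" % (n, name)
        cmd = commands.get(name)
        location = _text(ar, "location")
        level = _text(ar, "level")
        timeout = _text(ar, "timeout")

        if cmd is None:
            findings.append("%s: no <command> named %r is defined" % (where, name))
        if location not in ALLOWED_LOCATIONS:
            findings.append("%s: <location> %r is not one of %s"
                            % (where, location, sorted(ALLOWED_LOCATIONS)))
        if location == "defined-agent" and _text(ar, "agent_id") is None:
            findings.append("%s: location defined-agent requires an <agent_id>" % where)
        if not any(_text(ar, t) for t in TRIGGER_TAGS):
            findings.append("%s: no trigger (<level>, <rules_id> or <rules_group>)" % where)
        if level is not None and not (level.isdigit() and 0 <= int(level) <= 16):
            findings.append("%s: <level> %r is not an integer 0-16" % (where, level))
        if timeout is not None and cmd is not None and not cmd["timeout_allowed"]:
            findings.append("%s: <timeout> given but command %s has timeout_allowed != yes"
                            % (where, name))
    return findings


if __name__ == "__main__":
    problems = check_active_responses(SAMPLE_CONF)
    for line in problems:
        print(line)
    print("%d finding(s)" % len(problems))
```

To run it against a real server, read /var/ossec/etc/ossec.conf into a string and pass it to check_active_responses; the wrapping root is what lets a file with several <ossec_config> blocks parse. One caveat the checker cannot catch: a response keyed on level 6 fires for every rule at or above that level, so make sure the hosts you administer from are listed in the server's <global><white_list> before enabling host-deny or firewall-drop, or a burst of alerts from your own scanner can lock you out.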