Hi Kayvan,

Just complementing what Ahmet said. On the server/agent model, the active response is all controlled on the server side, so if you disable it on the server, the agent is not going to do it either. So, you need to enable it on the server and configure ossec to execute it on the agent only.
Hope it helps.

--
Daniel B. Cid
dcid @ ( at ) ossec.net

On 6/13/06, Kayvan A. Sylvan <[EMAIL PROTECTED]> wrote:
> I have one outward-facing host, let's call it ssh-host, with an
> ssh port accessible to the WAN.
>
> I have another host inside my firewall, called engserver.
>
> I installed OSSEC on engserver as a "server" install, but
> without active response.
>
> I installed the "client" install on ssh-host, answering "Yes" to the
> active response questions. ssh-host is an OSSEC agent of engserver
> and I see email alerts, so I know things are working correctly.
>
> However, looking at /var/ossec/active-response/ on ssh-host, it seems that
> the active response stuff is not activated. I *know* this host gets
> a lot of scans and brute force attempts to login.
>
> Does anyone know what's going on? The /var/ossec/etc/ossec.conf
> on ssh-host seems very minimal and does not mention any of the
> stuff for host-deny or firewall-deny.
>
> Thanks!
> ---Kayvan
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
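Added example, not part of the original thread and not taken from either poster's configuration: a sketch of the server-side setup the reply describes, as it would go in /var/ossec/etc/ossec.conf on engserver. The level and timeout values are assumptions chosen for illustration.

```xml
<!-- Added example: server-side ossec.conf (on engserver), not the agent's file. -->
<ossec_config>

  <!-- Defines the command; the script itself lives under
       /var/ossec/active-response/bin/ on the host that executes it. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binds the command to alerts. "local" runs it on the agent that
       generated the event (here, ssh-host) rather than on the server. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>        <!-- assumed threshold: alerts at this level or higher -->
    <timeout>600</timeout>  <!-- assumed: remove the block after 600 seconds -->
  </active-response>

</ossec_config>
```

Restart OSSEC on the server (`/var/ossec/bin/ossec-control restart`) so the new configuration is loaded.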
