Eya, Dimitri!
This eMail from the list should give you the idea on how to do it.
Regards,
Lars
Hi Kayvan,
In order to make active-response work on agents, you should configure the "server" with active-response I think.
Then you may specify the active-response location (i.e., local, analysis-server, defined-agent or all).
I'm adding related parts of my configuration file to give idea:
/var/ossec/etc/ossec.conf on server:
----
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>disable-account</name>
  <executable>disable-account.sh</executable>
  <expect>user</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
  -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
  -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
----
I have no configuration for active-response on the agent;
however, I answered "Yes" to the active-response questions on
both server and agent installation.
You can find detailed information about active-response configuration at
http://www.ossec.net/en/manual.html -> 7.1.2 Responses Configuration.
Best Regards,
Ahmet Ozturk.
Kayvan A. Sylvan wrote:
> I have one outward-facing host, let's call it ssh-host, with an
> ssh port accessible to the WAN.
>
> I have another host inside my firewall, called engserver.
>
> I installed OSSEC on engserver as a "server" install, but
> without active response.
>
> I installed the "client" install on ssh-host, answering "Yes" to the
> active response questions. ssh-host is an OSSEC agent of engserver
> and I see email alerts, so I know things are working correctly.
>
> However, looking at /var/ossec/active-response/ on ssh-host, it
> seems that the active response stuff is not activated. I *know*
> this host gets a lot of scans and brute force attempts to login.
>
> Does anyone know what's going on? The /var/ossec/etc/ossec.conf
> on ssh-host seems very minimal and does not mention any of the
> stuff for host-deny or firewall-deny.
>
> Thanks!
> ---Kayvan
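Building on Ahmet's server-side config above, here is an added example (not taken from the list or from the OSSEC manual) of the variation Dimitri asked about: the same firewall-drop response, but executed on one chosen agent (the iptables/router box) instead of locally on the OSSEC server. The agent id 001 is a placeholder; use whatever id the router agent received when it was registered with manage_agents.

```xml
<!-- Fragment of /var/ossec/etc/ossec.conf on the OSSEC server (added
     example). Placeholder: agent_id 001 stands for the id of the
     iptables/router agent as registered with manage_agents. -->
<ossec_config>
  <!-- The command is declared on the server, but the script it names
       must exist under /var/ossec/active-response/bin/ on the agent
       that is going to run it (here: the iptables/router box). -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <!-- Same trigger as in Ahmet's config (any rule of level >= 6 that
         carries a source IP), but instead of location "local" the
         block is pushed to one specific agent selected by its id.
         "all" would instead send it to every agent and the server. -->
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

As Ahmet notes, the target agent needs no active-response block in its own ossec.conf, but it must have been installed with active response enabled; each execution is then recorded on that agent in /var/ossec/logs/active-responses.log, which is the place to check when a block does not seem to happen.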
On 08.08.2006 at 22:52, Dimitri Yioulos wrote:
>
> Hello to all.
>
> First, congratulations to the development team on an excellent piece of
> software (recognized by SANS, no less)! It was easy to install, and
> tweaking to one's own specifications is straightforward. I very much
> look forward to future releases.
>
> Apologies if this is completely lame, but one tweak that I'd like some
> help on is firewalling. I have installed ossec-hids on a separate
> server, and added the agent piece to other servers which mainly sit in
> a DMZ. I have iptables/router on yet another box that has been
> serving my organization admirably (I'd also like to monitor this box
> with ossec-hids).
>
> What I'd like to do is use the iptables/router box to be the recipient of
> ip addresses added to the deny list, rather than the ossec-hids
> server. I'm thinking that this should be possible, but don't know
> how to do it. Can someone help?
>
> Many thanks, and best wishes.
>
> Dimitri
>