Hi Dimitri,

Just complementing Ahmet's response. By default, ossec blocks the ip at /etc/hosts.deny and at the firewall, so you would need to remove it from the firewall and from hosts.deny (no need to restart ossec). Try the following:

- Look at your iptables config and remove any block for your windows IP (maybe iptables -F if you don't have any other rule).
- Remove any block from /etc/hosts.deny too.
- Restart ossec on the server to make sure that it is reading your white_list entries. Every time you change the config you need to restart ossec.

*We currently only support class A, B or Cs in the white list, so you could use:

<white_list>192.168.100.0/24</white_list>

Instead of /22 (going to be fixed soon).

Your ip 192.168.100.53 should not be blocked anymore... Let us know how it goes..

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/9/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
Hello list members.

In order to use various tools on my OSSEC-HIDS server and agent boxes, I've whitelisted my two desktop boxes - WinXP and SimplyMepis Linux. From the Linux desktop, using cli ssh and sftp tools, I have no trouble getting into the OSSEC-HIDS server or agents. From the Windows desktop, however, I keep getting added to hosts.deny when using either Putty (ssh) or WinSCP3 (sftp). I then have to remove the entry for the WinXP desktop from hosts.deny and restart the OSSEC-HIDS server (merely removing the entry from hosts.deny doesn't work).

I have, as per instruction, added a separate entry in ossec.conf for each LAN address I want to whitelist. Is this a possible bug, or am I doing something wrong?

I tried whitelisting my entire LAN by adding <white_list>192.168.100.0/22</white_list>, but that didn't seem to work. If this isn't something I'm doing wrong, might I suggest adding this ability in a future release?

Regards,

Dimitri
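Added example, not part of the original thread and not OSSEC's own code: a small Python helper that rewrites a CIDR such as the /22 above into equivalent white_list entries on the /8, /16 and /24 boundaries the reply says are accepted. It assumes, as in the original message, that single addresses work as separate entries; the function names are hypothetical.

```python
import ipaddress

# Prefix lengths the reply says white_list accepts (class A, B and C).
CLASS_PREFIXES = (8, 16, 24)


def to_white_list_entries(cidr, max_entries=256):
    """Split an IPv4 CIDR into equivalent class-boundary entries.

    Prefixes longer than /24 are expanded to single addresses.
    Raises ValueError on host bits set, IPv6, or too many entries.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    if net.prefixlen in CLASS_PREFIXES:
        return [str(net)]
    if net.prefixlen > 24:
        # Every address in the block, network and broadcast included.
        entries = [str(addr) for addr in net]
    else:
        # Next longer class boundary: /22 -> /24, /12 -> /16, /4 -> /8.
        target = next(p for p in CLASS_PREFIXES if p > net.prefixlen)
        entries = [str(sub) for sub in net.subnets(new_prefix=target)]
    if len(entries) > max_entries:
        raise ValueError(f"{cidr} expands to {len(entries)} entries")
    return entries


def covers(entries, ip):
    """True if any generated entry contains the given address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)


def render_white_list(cidr):
    """Return the entries as <white_list> lines for ossec.conf."""
    return "\n".join(
        f"<white_list>{e}</white_list>" for e in to_white_list_entries(cidr)
    )


if __name__ == "__main__":
    # The range and desktop address come from the thread.
    print(render_white_list("192.168.100.0/22"))
    print(covers(to_white_list_entries("192.168.100.0/22"), "192.168.100.53"))
```

After editing ossec.conf with the generated lines, ossec still has to be restarted for them to take effect, as the reply notes.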
