Daniel, I've disabled the active-response because it was blocking IPs that, due to our circumstances, we did not want blocked. We have one server on the public network that serves as a mail forwarder and DNS machine. I would like to use active response on this one when it detects attempts based on ssh brute force (which happens several times a day). I've already changed some of the rules so that certain events (multiple spam attempts, etc.) report at a lower level. It seems like level 10+ is where I'd like it to run the firewall-drop and host-deny scripts. Is the example below the way to do this as well?
Ex:

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

Thanks in advance

-Joel

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Friday, September 08, 2006 10:36 AM
To: [email protected]
Subject: [ossec-list] Re: Firewall actions... question.

Hi Forrest,

Having the ossec-server in the internal system is actually the right way of doing it. To configure ossec to always do the blocking at the firewall, just change your active response configuration from "local" to "defined-agent" and give the agent_id of the firewall.

Example (running all firewall-drop responses on the agent 003):

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/8/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
>
> I have a server and agent that I'm testing.
>
> The configuration is:
>
> agent = firewall
> server = internal system
>
> The internal system is being NAT'd to for mail and some other things.
> What I want to have happen is firewall rules get dropped in for the
> active-response, but they should be sent to the agent (firewall) not
> the server.
>
> I realize that's backwards about how it normally works; however, it
> seems to me that having the "server" on the peripheral network isn't
> the most secure way of doing this.
>
> I will reconfigure it all if necessary, if that's the only way this
> will really work well...
>
>
> Thanks.
>
>
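The thread turns on two details of OSSEC's <active-response> block: <level> is the lowest alert level that triggers the response, and <location> decides where the command runs ("local" on the agent that raised the alert, "defined-agent" on the agent named in <agent_id>, "server" on the manager, "all" everywhere). The script below is an added example, written for this page and not code from OSSEC or from anyone in the thread. It parses the blocks from the thread (embedded as a constructed sample config, with an extra "local" block for contrast), checks that every "defined-agent" block actually carries an <agent_id>, and then works out which commands would fire, and on which agent, for alerts of a given level. It models only the level threshold; OSSEC's <rules_id> and <rules_group> selectors are not modelled, and the fired list is this script's own representation, not OSSEC's internal queue format.

```python
"""Added example: model OSSEC active-response dispatch from ossec.conf blocks.

Not OSSEC code. Assumptions are marked in comments; only <level> and
<location> semantics are modelled (no <rules_id>/<rules_group>).
"""
import xml.etree.ElementTree as ET

# Locations OSSEC accepts in <location>.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample: Joel's two blocks (defined-agent 001, level 10) plus a
# third "local" block at level 6 to show the difference in targeting.
SAMPLE_CONFIG = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>001</agent_id>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>"""

# Constructed misconfiguration: defined-agent with no <agent_id>.
BAD_CONFIG = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <level>10</level>
  </active-response>
</ossec_config>"""


def parse_active_responses(xml_text):
    """Return a list of dicts, one per <active-response>, validating fields."""
    root = ET.fromstring(xml_text)
    responses = []
    for ar in root.findall("active-response"):
        def text(tag, ar=ar):
            el = ar.find(tag)
            return el.text.strip() if el is not None and el.text else None

        entry = {
            "command": text("command"),
            "location": text("location"),
            "agent_id": text("agent_id"),
            # Missing <level> is treated as 0 (fires on everything) here.
            "level": int(text("level")) if text("level") else 0,
            # Missing <timeout> treated as 0 (permanent) in this model.
            "timeout": int(text("timeout")) if text("timeout") else 0,
        }
        if not entry["command"]:
            raise ValueError("active-response block without <command>")
        if entry["location"] not in VALID_LOCATIONS:
            raise ValueError("bad <location>: %r" % entry["location"])
        if entry["location"] == "defined-agent" and not entry["agent_id"]:
            raise ValueError("defined-agent response needs an <agent_id>")
        responses.append(entry)
    return responses


def responses_for_alert(responses, alert_level, source_agent_id, all_agents=()):
    """List (command, target_agent, timeout) tuples fired by one alert.

    alert_level is the rule level of the alert; source_agent_id is the agent
    that produced it. <level> is a minimum: alerts at or above it fire.
    """
    fired = []
    for r in responses:
        if alert_level < r["level"]:
            continue
        loc = r["location"]
        if loc == "local":
            targets = [source_agent_id]
        elif loc == "server":
            targets = ["server"]
        elif loc == "defined-agent":
            targets = [r["agent_id"]]
        else:  # "all"
            targets = list(all_agents)
        for target in targets:
            fired.append((r["command"], target, r["timeout"]))
    return fired


if __name__ == "__main__":
    responses = parse_active_responses(SAMPLE_CONFIG)
    # A level-10 sshd brute-force alert from agent 002 blocks on 001 (both
    # defined-agent blocks) and also locally on 002 (the level-6 block).
    for rec in responses_for_alert(responses, 10, "002"):
        print("level 10 from 002 ->", rec)
    # A level-6 alert only reaches the local block.
    print("level 6 from 002 ->", responses_for_alert(responses, 6, "002"))
    try:
        parse_active_responses(BAD_CONFIG)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against a real ossec.conf by passing the file contents to parse_active_responses; the useful check before re-enabling blocking is that a level-6 alert from the public host does not already fire firewall-drop somewhere you did not expect, which is exactly what the level-6 "local" block in the sample shows.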
