Hi Francesca,
I had no clue about this "different" behavior from FreeBSD. The active
responses are shell scripts at /var/ossec/active-response/bin/. So
you can easily edit the file host-deny.sh to fix it for now. You don't
need to worry about the next update removing it, because I will
fix this before that...
*btw, why don't you include /etc/hosts.deny in your /etc/hosts.allow?
That way, you will only need to change the format from
'echo "ALL:${IP}" >> /etc/hosts.deny' to
'echo "ALL:${IP}: deny" >> /etc/hosts.deny'
Hope it helps..
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/3/06, Francesca Smith <[EMAIL PROTECTED]> wrote:
On Tuesday 03 October 2006 12:00, gentuxx wrote:
Hiya,
Thanks for that .. :-)
But maybe I need to re-phrase.
Where would I edit the code to allow this and also have it not be overwritten
with each update ??
Or is this even possible without a rewrite for FreeBSD ??
> Francesca Smith wrote:
> > Hello,
> >
> > FreeBSD does not use /etc/hosts.deny but rather inserts all wrapper rules
> > into /etc/hosts.allow.
> >
> > Also the formatting is ALL: XXX.XXX.XXX.XXX: deny.
> >
> > I am wondering just what part of the code will I have to hack up to
> > insert this. And if this has been noticed or considered already ??
>
> I don't use the active-response features, so take this with a grain of
> salt. My understanding is that when an active-response (AR) rule is
> triggered, the appropriate "action" is taken. That action is defined in
> your ossec.conf, and is usually deny-host.sh or something of your own
> design.
>
> That being said, you should be able to tailor the AR to whatever your
> system requires.
>
> > Previously I have taken to doing an include statement in /etc/hosts.allow
> > to a file like /etc/hosts.evil with the temporary block rules in there.
> >
> > Rules apply from top to bottom and the first rule "sticks" and later
> > rules do not apply. So I usually place this include statement before any
> > rules for sshd access lockdown for example.
--
Kindest Regards,
Francesca Smith
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
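
An added sketch of the OS-dependent rule format discussed in this thread, with the address validated before anything is written to the wrapper file. It is not OSSEC's host-deny.sh and not code from either poster; the function names and the DENY_FILE variable are hypothetical, and on FreeBSD the target is assumed to be a file that /etc/hosts.allow includes ahead of its allow rules.

```shell
#!/bin/sh
# Added example, not OSSEC's host-deny.sh. Function names and DENY_FILE are hypothetical.
DENY_FILE="${DENY_FILE:-/etc/hosts.deny}"

# Accept only a dotted-quad IPv4 address so that no spaces, colons,
# newlines or rule keywords can reach the wrapper file.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Reject empty, over-long and zero-padded octets.
        case "$octet" in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# deny_rule OS IP: print the rule in the format that OS expects
# (OS is the string reported by `uname`).
deny_rule() {
    case "$1" in
        FreeBSD) printf 'ALL:%s: deny\n' "$2" ;;
        *)       printf 'ALL:%s\n' "$2" ;;
    esac
}

# add_block OS IP: append the rule unless that exact line already exists.
add_block() {
    valid_ipv4 "$2" || return 2
    rule=$(deny_rule "$1" "$2")
    grep -qxF -- "$rule" "$DENY_FILE" 2>/dev/null && return 0
    printf '%s\n' "$rule" >> "$DENY_FILE"
}

# delete_block OS IP: remove exactly that rule line and keep every other line.
delete_block() {
    valid_ipv4 "$2" || return 2
    rule=$(deny_rule "$1" "$2")
    tmp=$(mktemp "${DENY_FILE}.XXXXXX") || return 1
    # grep exits 1 when nothing is left to print; only exit codes >1 are errors.
    grep -vxF -- "$rule" "$DENY_FILE" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$DENY_FILE"   # rewrite in place to keep owner and mode
    rm -f "$tmp"
}
```

A caller would pass the platform and address, for example `add_block "$(uname)" "$IP"`.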