On Tuesday 03 October 2006 15:33, Daniel Cid wrote:
Hi Daniel,
Sorry about mixing up your name earlier :-(
Anyhow, here is what I did:
1. Inserted this rule in /etc/hosts.allow near the top: "ALL: /etc/hosts.deny : deny"
2. Modified the host-deny script to only echo the IP, like so: echo "${IP}" >> /etc/hosts.deny
Works like a charm. This may also apply to some of the big-iron Unixes like
Solaris etc.
> Hi Francesca,
>
> I had no clue about this "different" behavior from FreeBSD. The active
> responses are shell scripts at /var/ossec/active-response/bin/. So
> you can easily edit the file host-deny.sh to fix it for now. You don't
> need to worry about the next update removing it, because I will
> fix this before that...
>
> *btw, why don't you include /etc/hosts.deny on your /etc/hosts.allow?
> That way, you will only need to change the format from
> 'echo "ALL:${IP}" >> /etc/hosts.deny' to
> 'echo "ALL:${IP}: deny" >> /etc/hosts.deny'
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/3/06, Francesca Smith <[EMAIL PROTECTED]> wrote:
> > On Tuesday 03 October 2006 12:00, gentuxx wrote:
> > Hiya,
> >
> > Thanks for that .. :-)
> >
> > But maybe I need to re-phrase.
> >
> > Where would I edit the code to allow this and also have it not be
> > overwritten with each update ??
> >
> > Or is this even possible without a rewrite for FreeBSD ??
> >
> > > Francesca Smith wrote:
> > > > Hello,
> > > >
> > > > FreeBSD does not use /etc/hosts.deny but rather inserts all wrapper
> > > > rules into /etc/hosts.allow.
> > > >
> > > > Also the formatting is ALL: XXX.XXX.XXX.XXX: deny.
> > > >
> > > > I am wondering just what part of the code will I have to hack up to
> > > > insert this. And if this has been noticed or considered already ??
> > >
> > > I don't use the active-response features, so take this with a grain of
> > > salt. My understanding is that when an active-response (AR) rule is
> > > triggered, the appropriate "action" is taken. That action is defined
> > > in your ossec.conf, and is usually deny-host.sh or something of your
> > > own design.
> > >
> > > That being said, you should be able to tailor the AR to whatever your
> > > system requires.
> > >
> > > > Previously I have taken to doing an include statement in
> > > > /etc/hosts.allow to a file like /etc/hosts.evil with the temporary
> > > > block rules in there.
> > > >
> > > > Rules apply from top to bottom and the first rule "sticks" and later
> > > > rules do not apply. So I usually place this include statement before
> > > > any rules for sshd access lockdown for example.
> >
> > --
> > Kindest Regards,
> >
> > Francesca Smith
> >
> > "No Problems Only Solutions"
> > Lady Linux Internet Services
> > Baltimore, Maryland 21217
--
Kindest Regards,
Francesca Smith
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
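A FreeBSD-friendly take on the host-deny step Francesca describes, written here as an added example rather than the script from the thread. It assumes the stock OSSEC argument order (action, user, IP as $1 $2 $3), which the thread does not state, and it validates the IP before appending so a malformed value cannot become a rule.

```sh
#!/bin/sh
# Added example, not OSSEC's own host-deny.sh. Target file is overridable for testing.
DENY_FILE="${DENY_FILE:-/etc/hosts.deny}"

# is_ipv4 IP: accept only a dotted quad, so "1.2.3.4 : allow" can never be written.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# deny_rule IP [STYLE]: "bare" is the form needed once hosts.allow carries
# "ALL: /etc/hosts.deny : deny" (Francesca's setup); "classic" is the original ALL:IP.
deny_rule() {
  case "${2:-bare}" in
    bare)    printf '%s\n' "$1" ;;
    classic) printf 'ALL:%s\n' "$1" ;;
    *)       return 1 ;;
  esac
}

# add_deny IP FILE [STYLE]: validate, then append exactly once (safe on repeated alerts).
add_deny() {
  is_ipv4 "$1" || return 2
  rule=$(deny_rule "$1" "$3") || return 3
  touch "$2" || return 4
  grep -qxF -- "$rule" "$2" && return 0   # already blocked, nothing to do
  printf '%s\n' "$rule" >> "$2"
}

# delete_deny IP FILE [STYLE]: drop the matching line when the timeout expires.
delete_deny() {
  rule=$(deny_rule "$1" "$3") || return 3
  [ -f "$2" ] || return 0
  grep -vxF -- "$rule" "$2" > "$2.tmp" || :
  mv "$2.tmp" "$2"
}

# Dispatch only when invoked with OSSEC-style arguments (assumed: action user ip).
case "${1:-}" in
  add)    add_deny "$3" "$DENY_FILE" ;;
  delete) delete_deny "$3" "$DENY_FILE" ;;
esac
```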