Greetings: When I first installed the ossec server (now server and agents are on version 1.3), and then the ossec agents, I answered "no" to active response.

From testing, I can tell the rules for multi-attempt attacks on ssh -- 5712, 5720 -- appear to be very accurate, so I wanted to enable active response for those two rules. On the ossec server I edited /var/ossec/etc/ossec.conf to remove any disable entries for active response and add the following:

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>

Then on four servers hit the hardest by brute force SSH attempts, I edited their /var/ossec/etc/ossec.conf files to remove the disabled active-response lines (3 lines). Then I restarted ossec on the server, then the agents.

Yet, as the 5712 and 5720 rules fire after the restart, I log onto the four servers which are sending the alerts to the ossec server, check iptables for the attacking IP, and do not find it present.

If I did not answer "yes" to active response on installation, do I have to re-install ossec and answer "yes" to active response in order for active response to work?

Thank you.
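The following is an added example, not part of the original post and not OSSEC project code. It is a small configuration sanity check a defender can run before restarting anything: it parses an ossec.conf-style file and reports whether an <active-response> block still carries <disabled>yes</disabled>, which rule ids an active response is bound to, and whether each referenced command has a matching <command> definition (assumed layout: a <command> block with <name>, <executable>, <expect> and <timeout_allowed>, as in the stock OSSEC configuration). The two configuration texts embedded below are constructed for the example; the server-ip value and file contents are illustrative, not taken from the post.

```python
"""Sanity-check OSSEC active-response configuration (added example).

Assumed ossec.conf layout:
  <ossec_config> roots (possibly several per file),
  <active-response> blocks with <command>, <location>, <rules_id> or <level>,
  <timeout>, and optionally <disabled>yes</disabled>,
  <command> definitions with <name>, <executable>, <expect>, <timeout_allowed>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a server config binding firewall-drop to rules 5712,5720.
SERVER_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Constructed sample: an agent config that still has active response disabled,
# which is the state left behind by answering "no" at install time.
AGENT_CONF = """
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML; wrap the whole file in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def active_response_disabled(text):
    """True if any <active-response> block contains <disabled>yes</disabled>."""
    root = parse_ossec_conf(text)
    for ar in root.iter("active-response"):
        flag = ar.findtext("disabled")
        if flag is not None and flag.strip().lower() == "yes":
            return True
    return False


def defined_commands(root):
    """Map command name -> <command> definition element (those with a <name>)."""
    return {
        c.findtext("name", "").strip(): c
        for c in root.iter("command")
        if c.find("name") is not None
    }


def rules_covered(text):
    """Set of rule ids that some enabled <active-response> block binds to."""
    root = parse_ossec_conf(text)
    ids = set()
    for ar in root.iter("active-response"):
        if ar.find("disabled") is not None:
            continue
        for r in (ar.findtext("rules_id") or "").split(","):
            if r.strip():
                ids.add(r.strip())
    return ids


def check_active_responses(text):
    """Return a list of human-readable findings; an empty list means no issue."""
    root = parse_ossec_conf(text)
    commands = defined_commands(root)
    findings = []
    for ar in root.iter("active-response"):
        if ar.find("disabled") is not None:
            findings.append("active response is disabled in this file")
            continue
        cmd = (ar.findtext("command") or "").strip()
        rules = (ar.findtext("rules_id") or "").strip()
        level = (ar.findtext("level") or "").strip()
        timeout = (ar.findtext("timeout") or "").strip()
        if cmd not in commands:
            findings.append(f"{cmd}: no <command> definition with <name>{cmd}</name>")
        else:
            cdef = commands[cmd]
            if cdef.findtext("expect", "").strip() != "srcip":
                findings.append(f"{cmd}: command does not <expect>srcip</expect>")
            if timeout and cdef.findtext("timeout_allowed", "").strip().lower() != "yes":
                findings.append(f"{cmd}: <timeout> set but <timeout_allowed> is not yes")
        if not rules and not level:
            findings.append(f"{cmd}: no <rules_id> or <level> trigger")
    return findings


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("agent", AGENT_CONF)):
        print(label, "disabled:", active_response_disabled(conf),
              "rules:", sorted(rules_covered(conf)),
              "findings:", check_active_responses(conf))
```

Run it against a real /var/ossec/etc/ossec.conf by reading the file into a string and passing it to check_active_responses; a non-empty result points at the block to fix before restarting the server or agents.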
