Hi Peter,

Note that the timeout for the active response is 10 minutes, so after that the IP is going to be removed from the block list. If you look at /var/ossec/logs/active-responses.log do you see the responses being called? (Look at the agent that generated the alert and not at the server.) If the entry is not there, please send us your ossec.conf and some more information to understand/reproduce the issue.

http://www.ossec.net/wiki/index.php/Community_manual:BugReport

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/17/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> When I first installed the ossec server (now server and agents are on
> version 1.3), and then the ossec agents, I answered "no" to active
> response.
>
> From testing, I can tell the rules for multi-attempt attacks on ssh --
> 5712,5720 -- appear to be very accurate, so I wanted to enable active
> response for those two rules.
>
> On the ossec server I edited /var/ossec/etc/ossec.conf to remove any
> disable entries for active response and add the following:
>
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <rules_id>5712,5720</rules_id>
> <timeout>600</timeout>
> </active-response>
>
> Then on four servers hit the hardest by brute force SSH attempts, I
> edited their /var/ossec/etc/ossec.conf files to remove the disabled
> active-response lines (3 lines).
>
> Then I restarted ossec on the server, then the agents.
>
> Yet, as 5712 and 5720 rules fire after the restart, I log onto the
> four servers which are sending the alerts to the ossec server and
> check iptables for the attacking IP and do not find it present.
>
> If I did not answer "yes" to active response on installation, do I
> have to re-install ossec and answer "yes" to active response in order
> for active response to work?
>
> Thank you.
>
>
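The check Daniel describes, as an added example that is not part of the thread: a small Python script that reads an agent's active-responses.log, counts how often firewall-drop was invoked for rules 5712 and 5720, and lists the IPs that should still be blocked given the 600-second timeout. The log line layout (date, script, action, user, source IP, alert id, rule id), the sample lines and the function names are assumptions, not taken from OSSEC's documentation or the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an agent's /var/ossec/logs/active-responses.log.
# The line layout (date, script, action, user, source IP, alert id, rule id)
# is an assumption; compare it with a real log line before relying on it.
SAMPLE_LOG = """\
Fri Aug 17 10:00:00 UTC 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1187344800.1 5712
Fri Aug 17 10:03:00 UTC 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.11 1187344980.2 5720
Fri Aug 17 10:04:00 UTC 2007 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.12 1187345040.3 5712
Fri Aug 17 10:10:00 UTC 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1187344800.1 5712
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<ip>\S+) (?P<alert>\S+) (?P<rule>\d+)$"
)


def parse_log(text):
    """Return (time, script name, action, ip, rule id) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the layout instead of guessing
        when = datetime.strptime(m["date"], "%a %b %d %H:%M:%S %Z %Y")
        events.append((when, m["script"].rsplit("/", 1)[-1], m["action"], m["ip"], int(m["rule"])))
    return sorted(events)


def expected_blocks(text, command, rule_ids, timeout_s, now):
    """Count response invocations per rule and list the IPs that `command`
    should still be blocking at `now` (added, not deleted, inside the timeout).
    A zero count for a rule means the agent never ran the response for it."""
    calls = {r: 0 for r in rule_ids}
    active = {}
    for when, script, action, ip, rule in parse_log(text):
        if when > now:
            break  # only events the agent had logged by `now`
        if script != command or rule not in rule_ids:
            continue
        if action == "add":
            calls[rule] += 1
            active[ip] = when
        else:
            active.pop(ip, None)
    window = timedelta(seconds=timeout_s)
    blocked = {ip for ip, t in active.items() if now < t + window}
    return calls, blocked
```

If `calls` is all zeros on the agent, the response never ran there and the ossec.conf is the place to look; if an IP is in `blocked` but absent from iptables, the script ran but the block did not take effect.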