Hi guys
I have an ossec infrastructure in my network and want all of my servers
to block an IP address if there is any sign of an intruder. So I
configured the ossec.conf on my server like this (see
http://www.ossec.net/main/manual/manual-active-responses/):
<!-- Active Response Config -->
<active-response>
  <command>host-deny</command>
  <location>all</location>
  <level>6</level>
  <timeout>7200</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>7200</timeout>
</active-response>
Ok. On my firewall there is an ossec agent, and when it detects an intruder it
blocks the IP, but only on the local machine. So I tried to test whether my
ossec server blocks an IP on every server in my network. I tried
to connect to my ossec server via ssh and entered wrong passwords. After a
while I got an email with a level 10 alert from the server, but nothing
else happened. So I changed the configuration on the ossec server to a
local block:
<!-- Active Response Config -->
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>7200</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>7200</timeout>
</active-response>
I tested the ossec server again. Connection via ssh, wrong passwords
and... I am blocked on the ossec server. I don't know why only the local
configuration works. Does anyone have an idea?
Thanks in advance.
--
Andre Pawlowski
-------------------------------------------------------------------
If an idea does not at first seem absurd, it is worthless.
-Albert Einstein
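As an added example (not part of the post above and not OSSEC's own code), the following Python script models the dispatch rules the linked active-response manual describes: a response fires when the alert level reaches the configured level, and the location decides which agents receive the command. It parses a constructed ossec.conf fragment made of the default host-deny and firewall-drop command definitions plus the poster's two active-response blocks, and lists what the manager should send out for a level 10 alert. The manager id "000" and the reading of location "all" as every known agent plus the manager are assumptions, not taken from the post.

```python
"""Offline model of OSSEC active-response dispatch.

Added example, not OSSEC's own code: it re-implements in Python the
dispatch rules the active-response manual describes (alert level
threshold, <location>, <timeout>) so an ossec.conf fragment can be
sanity-checked without a running manager.
Assumptions: the manager is addressed as agent "000", and
<location>all</location> targets every known agent plus the manager.
"""
import xml.etree.ElementTree as ET

SERVER_ID = "000"  # assumption: OSSEC's own id for the manager

# Constructed sample: the <command> definitions from a default ossec.conf
# plus the poster's two <active-response> blocks with <location>all</location>.
SAMPLE_CONFIG = """
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>7200</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>7200</timeout>
  </active-response>
</ossec_config>
"""


def parse_config(config_xml):
    """Return ({command name: executable}, [active-response dicts])."""
    root = ET.fromstring(config_xml.strip())
    commands = {}
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        # Only top-level <command> definitions carry a <name>; the <command>
        # inside <active-response> is plain text and is skipped here.
        if name:
            commands[name.strip()] = (cmd.findtext("executable") or "").strip()
    responses = []
    for ar in root.iter("active-response"):
        if (ar.findtext("disabled") or "no").strip().lower() == "yes":
            continue
        responses.append({
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "local").strip(),
            "level": int(ar.findtext("level") or 0),
            "timeout": int(ar.findtext("timeout") or 0),
            "agent_id": (ar.findtext("agent_id") or "").strip(),
        })
    return commands, responses


def dispatch(commands, responses, alert_level, source_agent, known_agents):
    """List (command, executable, target agent, timeout) tuples for one alert.

    A response fires when the alert level reaches the configured <level>;
    <location> decides where the executable is sent.
    """
    actions = []
    for r in responses:
        if alert_level < r["level"]:
            continue
        if r["command"] not in commands:
            raise ValueError("active-response refers to undefined command %r"
                             % r["command"])
        loc = r["location"]
        if loc == "local":
            targets = [source_agent]          # the agent that raised the alert
        elif loc == "server":
            targets = [SERVER_ID]             # the manager only
        elif loc == "defined-agent":
            targets = [r["agent_id"]]         # one specific <agent_id>
        elif loc == "all":
            targets = sorted(set(known_agents) | {SERVER_ID})
        else:
            raise ValueError("unknown <location> %r" % loc)
        for target in targets:
            actions.append((r["command"], commands[r["command"]],
                            target, r["timeout"]))
    return actions


def plan(config_xml, alert_level, source_agent, known_agents):
    """Parse a config fragment and compute the dispatch for one alert."""
    commands, responses = parse_config(config_xml)
    return dispatch(commands, responses, alert_level, source_agent, known_agents)


if __name__ == "__main__":
    # The poster's test: a level 10 SSH brute-force alert raised on the manager.
    for action in plan(SAMPLE_CONFIG, 10, SERVER_ID, ["001", "002"]):
        print("%-14s %-17s -> agent %s (timeout %ss)" % action)
```

The model only shows what the manager should hand out; whether a target agent actually runs host-deny.sh or firewall-drop.sh also depends on active response being enabled on that agent, which the fragments in the post do not show.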