The agent in this case is running on Red Hat Enterprise Linux ES release 3, so I think OSSEC's active response script just places the offending IP in the /etc/hosts.deny file and adds it to iptables. Not sure if this is what you were after???
On May 6, 10:57 pm, "dan (ddp)" <[email protected]> wrote:
> Most of the ossec active response scripts are pretty simple, but there
> isn't anything stopping you from extending one to fit this goal.
> You could take whichever script you're currently using and add some
> parts to keep track of who was banned previously and when. Then do a
> lookup on that, ban again for longer, and update the database.
> Which script are you currently using to block those IPs?
>
> On Wed, May 5, 2010 at 11:37 PM, [email protected] <[email protected]> wrote:
> > Hi All,
> >
> > Is there a way to make OSSEC extend the Active Response timeout of 600
> > sec if it detects the SAME IP continuing to hammer the server after
> > already being removed the first time.
> >
> > Eg: Here we have 81.208.15.156 continually trying to FTP in with the
> > user Administrator using some dictionary attack. OSSEC detects this
> > and bans them for 10 mins. When the IP is removed, the dictionary
> > attack continues and they end up being banned again. On the second
> > detection, can we add some smarts to OSSEC's Active Response and ban
> > them for a longer period???
> >
> > Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273115275.2479428 100004
> > Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273115275.2479428 100004
> > Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh delete - 81.208.15.156 1273115275.2479428 100004
> > Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 81.208.15.156 1273115275.2479428 100004
> > Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273116216.3236494 100004
> > Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273116216.3236494 100004
> >
> > Thanks.
> > Andy
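Dan's suggestion in the quoted reply (keep track of who was banned and when, look it up on the next hit, ban for longer, update the record) worked out as a drop-in replacement for firewall-drop.sh. This is an added example for this thread, not OSSEC's own script and not something Andy or Dan posted; it only covers the iptables half of Andy's setup, not host-deny.sh. The argument order it relies on (ACTION USER SRCIP ALERTID RULEID) is the one visible in Andy's log lines. Everything else is our assumption: the flat-file history format, the doubling schedule capped at a day, the variable names, and the extra "expire" action. The important caveat is that OSSEC still sends its "delete" after the configured 600 s no matter what the script does; the script can only decide whether to honour it, so something (here a cron job calling "expire") has to lift the escalated bans later or they never come off. The source address is also checked before it is handed to iptables, since it arrives from a parsed log line.

```shell
#!/bin/sh
# Escalating-ban wrapper for OSSEC active response.
# Added example for this thread, not one of OSSEC's own scripts
# (it covers the iptables half of the setup, not host-deny.sh).
# OSSEC calls active-response scripts as  SCRIPT ACTION USER SRCIP ALERTID RULEID,
# which is what the thread's log lines show:
#   firewall-drop.sh add - 81.208.15.156 1273115275.2479428 100004
# Assumptions that are ours, not from the thread: ban history lives in a flat
# file of "ip count last_ban expires blocked" lines, each repeat doubles the
# ban up to MAX_TIMEOUT, and a cron job runs "expire" to lift the bans that
# OSSEC's own 600 s "delete" was told to keep.

BAN_DB="${BAN_DB:-/usr/local/ossec/active-response/ban-history.db}"
BASE_TIMEOUT="${BASE_TIMEOUT:-600}"      # the <timeout> in the thread
MAX_TIMEOUT="${MAX_TIMEOUT:-86400}"      # never escalate past one day
FORGET_AFTER="${FORGET_AFTER:-604800}"   # a week of quiet resets the counter
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set to ":" for a dry run

# The address comes out of a parsed log line and is about to be spliced into
# an iptables command, so accept nothing but a dotted quad.
valid_ip() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Ban length for the Nth offence: 600, 1200, 2400, ... capped at MAX_TIMEOUT.
ban_seconds() {
    n=$1; secs=$BASE_TIMEOUT
    while [ "$n" -gt 1 ] && [ "$secs" -lt "$MAX_TIMEOUT" ]; do
        secs=$((secs * 2)); n=$((n - 1))
    done
    [ "$secs" -gt "$MAX_TIMEOUT" ] && secs=$MAX_TIMEOUT
    echo "$secs"
}

# Record for one IP as "count last_ban expires blocked"; empty if never seen.
lookup() {
    [ -f "$BAN_DB" ] || return 0
    awk -v ip="$1" '$1 == ip { print $2, $3, $4, $5 }' "$BAN_DB"
}

# Replace or append one IP's record, written atomically so a crash mid-write
# cannot truncate the history that later decisions depend on.
write_record() {   # ip count last_ban expires blocked
    tmp="$BAN_DB.$$"
    { [ -f "$BAN_DB" ] && awk -v ip="$1" '$1 != ip' "$BAN_DB"; echo "$1 $2 $3 $4 $5"; } > "$tmp"
    mv "$tmp" "$BAN_DB"
}

# "add": count the offence, install the DROP rule, remember when it may be lifted.
do_add() {
    ip=$1; now=${2:-$(date +%s)}
    valid_ip "$ip" || { echo "refusing to ban '$ip'" >&2; return 1; }
    set -- $(lookup "$ip"); count=${1:-0}; last=${2:-0}
    if [ "$count" -eq 0 ] || [ $((now - last)) -gt "$FORGET_AFTER" ]; then
        count=1                      # first offence, or the old ones are stale
    else
        count=$((count + 1))         # repeat offender: escalate
    fi
    secs=$(ban_seconds "$count")
    $IPTABLES -I INPUT -s "$ip" -j DROP
    write_record "$ip" "$count" "$now" "$((now + secs))" 1
    echo "$count $secs"              # e.g. "2 1200" for a second offence
}

# "delete": OSSEC sends this after its fixed timeout. Lift the rule only if the
# escalated ban has also run out; otherwise leave it for "expire".
do_delete() {
    ip=$1; now=${2:-$(date +%s)}
    set -- $(lookup "$ip"); count=${1:-0}; last=${2:-0}; expires=${3:-0}; blocked=${4:-0}
    [ "$blocked" -eq 1 ] || return 0
    if [ "$now" -lt "$expires" ]; then
        echo "kept $((expires - now))"   # seconds still to serve
        return 0
    fi
    $IPTABLES -D INPUT -s "$ip" -j DROP
    write_record "$ip" "$count" "$last" "$expires" 0
    echo "lifted"
}

# "expire": run from cron; lift every ban whose escalated window has passed.
do_expire() {
    now=${1:-$(date +%s)}
    [ -f "$BAN_DB" ] || return 0
    for ip in $(awk -v now="$now" '$5 == 1 && $4 <= now { print $1 }' "$BAN_DB"); do
        do_delete "$ip" "$now"
    done
}

case "${1:-}" in            # $3 is SRCIP in OSSEC's argument order
    add)    do_add "$3" ;;
    delete) do_delete "$3" ;;
    expire) do_expire ;;
esac
```

To try it against Andy's own timeline, note that the epoch prefixes of the two alert IDs (1273115275 and 1273116216) are 941 s apart, matching the 13:08:03 and 13:23:44 adds: the first add records a 600 s ban, OSSEC's delete at 13:18:33 is honoured, the second add escalates to 1200 s, and the delete OSSEC sends 10 minutes after that is refused with 570 s still to serve, until "expire" lifts it. To deploy it you would point the <command> that currently runs firewall-drop.sh at this script (the file name is your choice) and add a cron entry along the lines of `*/5 * * * * root /path/to/script expire`; running with IPTABLES=":" first shows the decisions without touching the firewall.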
