hey gang, OK, on to a new problem with active responses...

I've got active responses working. The one I'm mainly interested in right now is the SSHD brute force rule/response (rule id=5712). When this rule is matched, the firewall drop command is executed, but the active-response.log shows:

Thu Feb 24 16:07:28 EST 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703
Thu Feb 24 16:07:29 EST 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703

Running the script by hand, I see that the script is being called with a hostname, not an IP address, so iptables rejects the rule. The host name in the active-response.log is not resolvable. My /var/log/secure shows:

2011-02-24T15:56:52.505288-05:00 linode0 sshd[17907]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!
/var/log/secure:2011-02-24T15:56:52.594892-05:00 linode0 sshd[17909]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!

Is there a way to get the IP for this rule instead of the hostname?

thanks, J
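An added example, not part of the original post and not OSSEC's own firewall-drop.sh: a guard a defender can put in front of the iptables call so the script logs and refuses when the third argument it receives is a hostname (as in the log lines above) rather than an IPv4 address, instead of failing with an opaque "iptables returning != 2". The log path variable AR_LOG is an assumption of this example.

```shell
#!/bin/sh
# Guard for an OSSEC-style active-response script. OSSEC invokes the script as
#   firewall-drop.sh <add|delete> <user> <srcip> <timestamp> <rule_id>
# When the decoder only had a hostname to hand over (the sshd "reverse mapping
# checking getaddrinfo for <host> failed" line carries no address), iptables
# refuses the rule. These helpers catch that case before iptables is called.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, edge or double dots
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                # split on dots into $1..$n
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Return 0 when $1 may be handed to iptables. Otherwise append a line to the
# log file named by AR_LOG (assumed variable; defaults to a file under /tmp)
# and return 1, so the caller can skip the iptables call with a clear reason.
guard_srcip() {
    srcip=$1
    is_ipv4 "$srcip" && return 0
    echo "$(date) Refusing iptables: '$srcip' is not an IPv4 address (hostname from decoder?)" \
        >> "${AR_LOG:-/tmp/ar-guard.log}"
    return 1
}

# Build the iptables command firewall-drop.sh would run for <add|delete> <srcip>.
# Prints the command on success; prints nothing and returns 1 if the guard fails,
# 2 on an unknown action. Run it with sh -c "$(build_iptables_cmd ...)" or similar.
build_iptables_cmd() {
    action=$1; srcip=$2
    guard_srcip "$srcip" || return 1
    case "$action" in
        add)    echo "iptables -I INPUT -s $srcip -j DROP" ;;
        delete) echo "iptables -D INPUT -s $srcip -j DROP" ;;
        *)      return 2 ;;
    esac
}
```

Calling `build_iptables_cmd delete berlin219.server4you.de` prints nothing, returns 1, and leaves a line in the log naming the offending argument.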
