On Thu, Feb 24, 2011 at 4:29 PM, Joel Brooks <[email protected]> wrote:
> hey gang,
>
> OK, on to a new problem with active responses...
>
> I've got active responses working. the one i'm mainly interested
> in right now is the SSHD brute force rule/response (rule id=5712).
>

Oh, for the archives what did you do to fix this?

> when this rule is matched, the firewall drop command is executed, but
> the active-response.log shows:
>
> Thu Feb 24 16:07:28 EST 2011 Unable to run (iptables returning != 2):
> 1 - /var/ossec/active-response/bin/firewall-drop.sh delete -
> berlin219.server4you.de 1298581018.65613 5703
> Thu Feb 24 16:07:29 EST 2011 Unable to run (iptables returning != 2):
> 2 - /var/ossec/active-response/bin/firewall-drop.sh delete -
> berlin219.server4you.de 1298581018.65613 5703
>
> running the script by hand, I see that the script is being called with
> a hostname, not an IP address, so iptables rejects the rule.
>
> the host name in the active-response.log is not resolvable.
>
> my /var/log/secure shows:
>
> 2011-02-24T15:56:52.505288-05:00 linode0 sshd[17907]: reverse mapping
> checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE
> BREAK-IN ATTEMPT!
> /var/log/secure:2011-02-24T15:56:52.594892-05:00 linode0 sshd[17909]:
> reverse mapping checking getaddrinfo for berlin219.server4you.de
> failed - POSSIBLE BREAK-IN ATTEMPT!
>
> is there a way to get the IP for this rule instead of the hostname?
>
> thanks,
>
> J
>
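An added example, not OSSEC's own firewall-drop.sh and not from the thread, showing one defensive guard for the failure quoted above: check that the address argument is an IP literal before touching iptables, and log and skip the run when a hostname arrives instead. The argument order and log format mirror the active-response.log lines in the post; DRY_RUN is an assumed variable used here so the script can be exercised without root.

```sh
#!/bin/sh
# Added example, not the OSSEC project's firewall-drop.sh: a guard for the
# argument order OSSEC hands to active-response scripts, as seen in the log:
#   firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703
#   ACTION           USER   IP                        ALERT_ID         RULE_ID
# iptables is only invoked when IP is an address literal; a hostname such as
# the one sshd's "reverse mapping" line supplied is logged and skipped.

# is_ip_literal ADDR: returns 0 for a dotted-quad IPv4 (each octet 0-255) or an
# IPv6-looking literal (hex digits and colons only), 1 for anything else.
is_ip_literal() {
    addr=$1
    case $addr in
        '') return 1 ;;
        *:*) case $addr in *[!0-9A-Fa-f:]*) return 1 ;; *) return 0 ;; esac ;;
        *[!0-9.]*) return 1 ;;   # letters, globs, etc. never form an IPv4
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# guard_firewall_drop ACTION USER IP ALERT_ID RULE_ID
# Returns 0 after running (or, with DRY_RUN set, printing) the iptables command,
# 2 when IP is not an address literal, 1 on an unknown ACTION.
guard_firewall_drop() {
    action=$1 ip=$3 alert_id=$4 rule_id=$5
    if ! is_ip_literal "$ip"; then
        echo "$(date) Refusing to run: '$ip' is not an IP literal (alert $alert_id, rule $rule_id)" >&2
        return 2
    fi
    case $action in
        add)    ${DRY_RUN:+echo} iptables -I INPUT -s "$ip" -j DROP ;;
        delete) ${DRY_RUN:+echo} iptables -D INPUT -s "$ip" -j DROP ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
}
```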
