Awesome thanks both for the help.  I'll implement this and see how it
goes.

Two more questions... First, is there a way to test this active-response?
I'd like to test it rather than wait for the next person to
try and scan for things to attack on my server.

And second, does this active response have to be added on the clients
I want to be affected or just on the server?  My OSSEC install is
basically out-of-the-box and I haven't looked into whether it uses a
central agent configuration or whether each agent requires changes to
its config file.

Thanks
- Trey

On May 7, 5:50 pm, Jeremy Lee <[email protected]> wrote:
> Check out the how-to here:
> http://www.ossec.net/main/manual/manual-active-response/bin
>
> The route null script is called "route-null.sh" - you would specify the
> script in the AR configuration (in ossec.conf) per the doc.
>
> Also, just so you know, all AR scripts live in
> /var/ossec/active-responses/bin
>
> On Sat, May 7, 2011 at 3:42 PM, treydock <[email protected]> wrote:
> > The route-null idea might be best for me as I don't use IPtables
> > regularly.  How could I use route-null with the configuration Frank
> > provided?
>
> > Thanks
> > - Trey
>
> > On May 7, 3:00 pm, Jeremy Lee <[email protected]> wrote:
> > > You could also try using the route-null/null-route script to drop
> > > offending IPs.  I find this less "intrusive" and complicated versus
> > > dealing with iptables.
>
> > > On Sat, May 7, 2011 at 12:30 PM, treydock <[email protected]> wrote:
> > > > I run CentOS 5.5 on the system with iptables.  How does iptables have
> > > > to be configured to allow this?
>
> > > > On May 7, 8:05 am, Frank Stefan Sundberg Solli <[email protected]>
> > > > wrote:
> > > > > Hi.
>
> > > > > Yes you can do ban on the "multiple 400 errors from same source IP"
>
> > > > > Take this example
>
> > > > > <active-response>
> > > > >     <command>firewall-drop</command>
> > > > >     <location>local</location>
> > > > >     <rules_id>5720, 11210</rules_id> <!-- Multiple SSHD auth failures, proftpd -->
> > > > >     <timeout>600</timeout>
> > > > > </active-response>
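Editor's note on the first question in this message (how to test an active response without waiting for a real scan): the stock OSSEC scripts in the active-response bin directory are all called by ossec-execd with the same positional arguments, action (add or delete), user, source IP, alert id and rule id, and after the configured timeout the same script is called again with the delete action. The script below is an added example, not OSSEC's own route-null.sh: it models that calling convention and prints the route commands it would run instead of executing them, so the configuration logic (argument order, add/delete pairing, refusing a malformed IP) can be exercised on a workstation. The IP 192.0.2.10 is a constructed value from the documentation range, and the 600 second timeout mirrors the example config above.

```shell
#!/bin/sh
# Added example, not OSSEC's route-null.sh: a dry-run model of how
# ossec-execd invokes an active-response script. Argument convention used
# by the stock scripts: $1=action (add|delete) $2=user $3=source IP
# $4=alert id $5=rule id. A route-null only needs $1 and $3.

# Return 0 if $1 is an IPv4 dotted quad with every octet in 0..255, else 1,
# so a malformed alert field can never reach the route command.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print (do not run) the route command a null-route script issues for
# ACTION and IP; fail on an unknown action or an invalid address.
route_null_cmd() {
    action=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid ip: $ip" >&2; return 1; }
    case "$action" in
        add)    echo "route add -host $ip reject" ;;
        delete) echo "route del -host $ip reject" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Simulate one full cycle: "<script> add - <ip>" when a matching alert
# fires, then "<script> delete - <ip>" once <timeout> seconds have passed.
simulate_ar_cycle() {
    ip=$1; timeout=${2:-600}
    route_null_cmd add "$ip" || return 1
    echo "# (after $timeout seconds ossec-execd calls the reverse action)"
    route_null_cmd delete "$ip"
}

# Usage with a constructed test address (documentation range, not a host).
simulate_ar_cycle 192.0.2.10 600
```

To test the real thing on a host, the equivalent of this dry run is calling the script from the active-response bin directory by hand with `add - <test ip>` and then `delete - <test ip>`, checking the routing table between the two calls; the point of the validation function above is that the script should reject anything that is not an address before it touches the routing table.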
