Thanks both for the help!! I got this working and tested that the
active-response indeed works.

For others' reference I blogged this here:
http://itscblog.tamu.edu/protecting-web-servers-with-ossec/

Thanks again
- Trey

On May 7, 5:50 pm, Jeremy Lee <[email protected]> wrote:
> Check out the how-to here: http://www.ossec.net/main/manual/manual-active-response/bin
>
> The route null script is called "route-null.sh" - you would specify the
> script in the AR configuration (in ossec.conf) per the doc.
>
> Also, just so you know, all AR scripts live in
> /var/ossec/active-responses/bin
>
> On Sat, May 7, 2011 at 3:42 PM, treydock <[email protected]> wrote:
> > The route-null idea might be best for me as I don't use IPtables
> > regularly.  How could I use route-null with the configuration Frank
> > provided?
>
> > Thanks
> > - Trey
>
> > On May 7, 3:00 pm, Jeremy Lee <[email protected]> wrote:
> > > You could also try using the route-null/null-route script to drop
> > > offending IPs.  I find this less "intrusive" and complicated versus
> > > dealing with iptables.
>
> > > On Sat, May 7, 2011 at 12:30 PM, treydock <[email protected]> wrote:
> > > > I run CentOS 5.5 on the system with iptables.  How does iptables have
> > > > to be configured to allow this?
>
> > > > On May 7, 8:05 am, Frank Stefan Sundberg Solli <[email protected]> wrote:
> > > > > Hi.
>
> > > > > Yes, you can do a ban on the "multiple 400 errors from same source IP".
>
> > > > > Take this example:
>
> > > > > <active-response>
> > > > >     <command>firewall-drop</command>
> > > > >     <location>local</location>
> > > > >     <rules_id>5720, 11210</rules_id> <!-- Multiple SSHD auth failures, proftpd -->
> > > > >     <timeout>600</timeout>
> > > > > </active-response>

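The thread leaves the last step implicit: to use route-null you need both a `<command>` definition (so OSSEC knows which script the name maps to) and an `<active-response>` block that triggers it. The following ossec.conf fragment is an added example, not something posted in the thread or shipped by OSSEC as-is. It assumes an OSSEC 2.x install with route-null.sh present in the active-response bin directory, and the rule id 31151 for the "multiple 400 errors" case is my assumption about OSSEC's web_rules.xml; verify it against the rules on your own install before relying on it.

```xml
<!-- Added example (not from the thread): wiring route-null into ossec.conf.
     Assumes OSSEC 2.x with route-null.sh in the active-response bin directory. -->
<ossec_config>
  <!-- 1. Define the command. <name> is what an <active-response> block refers to;
          <executable> is resolved inside the active-response bin directory.
          <expect>srcip</expect> passes the alert's source IP to the script, and
          <timeout_allowed>yes</timeout_allowed> lets OSSEC call the script again
          with "delete" when the <timeout> below expires. -->
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- 2. Trigger it. Same shape as Frank's firewall-drop block, with the command
          swapped for route-null. 5720 and 11210 are the ids from Frank's example;
          31151 is assumed to be "Multiple web server 400 error codes from same
          source ip" in web_rules.xml (check your installed rules). -->
  <active-response>
    <command>route-null</command>
    <location>local</location>
    <rules_id>5720, 11210, 31151</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

With `<location>local</location>` the null route is added on the host that generated the alert, and removed again after 600 seconds. Each add/delete invocation is recorded in OSSEC's active-responses.log, which is the quickest place to confirm the response actually fired when testing.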