Hi, I think it's because of some 500 errors that the crawler causes.
Here is an active-responses.log fragment:

Sun Oct 9 03:47:23 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.115 1318120556.20115 31104
Sun Oct 9 03:47:23 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.115 1318120556.20115 31104
Sun Oct 9 03:49:09 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 03:49:09 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 03:52:09 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.108 1318120882.21061 31104
Sun Oct 9 03:52:09 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.108 1318120882.21061 31104
Sun Oct 9 03:57:42 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.121 1318121862.22144 31104
Sun Oct 9 03:57:42 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.121 1318121862.22144 31104
Sun Oct 9 03:59:12 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 03:59:12 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 04:01:37 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.120 1318122097.22788 31104
Sun Oct 9 04:01:37 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.120 1318122097.22788 31104
Sun Oct 9 04:09:07 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.121 1318121862.22144 31104
Sun Oct 9 04:09:07 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.121 1318121862.22144 31104
Sun Oct 9 04:12:07 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.120 1318122097.22788 31104
Sun Oct 9 04:12:07 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.120 1318122097.22788 31104
Sun Oct 9 06:50:31 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh add - 66.249.71.44 1318132231.40024 31104
Sun Oct 9 06:50:31 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh add - 66.249.71.44 1318132231.40024 31104
Sun Oct 9 07:01:01 EEST 2011 /usr/bin/ossec/active-response/bin/firewall-drop.sh delete - 66.249.71.44 1318132231.40024 31104
Sun Oct 9 07:01:01 EEST 2011 /usr/bin/ossec/active-response/bin/host-deny.sh delete - 66.249.71.44 1318132231.40024 31104

On Oct 7, 4:39 pm, Daniel Cid <[email protected]> wrote:
> Hey,
>
> Can you find the rule that is causing it to get blocked? Just search
> for their hostname in the OSSEC alert logs (or in the active response log).
>
> thanks,
>
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Oct 5, 2011 at 11:17 AM, Justinas Lelys <[email protected]> wrote:
> > Hi,
> > how could I whitelist google crawler? Ossec adds it to iptables drop:
> >
> > target prot opt source destination
> > DROP all -- crawl-66-249-72-44.googlebot.com anywhere
> >
> > Tried to add in ossec.conf
> > <white_list>crawl-66-249-72-44.googlebot.com</white_list>
> >
> > Restarted ossec, but ossec still adds iptables rule to block crawler..
> > Crawler hostname varies..
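
Added example, not part of the original message or of OSSEC itself: a small Python summary of an active-responses.log fragment that groups block actions by rule ID and measures how long each address stayed blocked. It assumes the last two fields of each line are the alert ID and the rule ID (the argument order of the stock active-response scripts); the sample lines are copied from the fragment in this thread with the mail-wrapped script paths rejoined.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed field order: date, script, action, user, srcip, alert id, rule id.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8}) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<ip>\S+) (?P<alert>\S+) (?P<rule>\d+)$"
)
BIN = "/usr/bin/ossec/active-response/bin"
SAMPLE = f"""\
Sun Oct 9 03:47:23 EEST 2011 {BIN}/firewall-drop.sh delete - 66.249.71.115 1318120556.20115 31104
Sun Oct 9 03:49:09 EEST 2011 {BIN}/host-deny.sh add - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 03:49:09 EEST 2011 {BIN}/firewall-drop.sh add - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 03:59:12 EEST 2011 {BIN}/host-deny.sh delete - 66.249.71.106 1318121349.21573 31104
Sun Oct 9 03:59:12 EEST 2011 {BIN}/firewall-drop.sh delete - 66.249.71.106 1318121349.21573 31104
"""

def parse(text):
    """Yield (time, script, action, ip, alert_id, rule_id); skip other lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The timezone token is dropped; only differences between times are used.
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        script = m["script"].rsplit("/", 1)[-1]
        yield when, script, m["action"], m["ip"], m["alert"], m["rule"]

def summarize(text):
    """Per rule ID: addresses seen, completed blocks, deletes with no add."""
    open_blocks = {}
    report = defaultdict(lambda: {"ips": set(), "blocks": [], "unmatched_deletes": 0})
    for when, script, action, ip, alert, rule in parse(text):
        key, entry = (script, ip, alert), report[rule]
        entry["ips"].add(ip)
        if action == "add":
            open_blocks[key] = when
        elif key in open_blocks:
            secs = int((when - open_blocks.pop(key)).total_seconds())
            entry["blocks"].append((ip, script, secs))
        else:
            # The matching add happened before the fragment starts.
            entry["unmatched_deletes"] += 1
    return dict(report)

if __name__ == "__main__":
    for rule, info in summarize(SAMPLE).items():
        print(rule, sorted(info["ips"]), info["blocks"], info["unmatched_deletes"])
```

The rule ID it reports is the one to look up in the OSSEC rules and alert log when deciding what to whitelist or tune.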
