http://devio.us/~ddp/ossec/docs/syntax/head_ossec_config.active-response.html#element-location

<location>all</location>

On Thu, Jan 5, 2012 at 3:08 PM, murf <[email protected]> wrote:
> Hello, forgive me if I'm a total noob,
> but I have a particular scenario that I would like to
> implement, and I'm wondering if ossec could be used--
> my first impression is that with the server/agent setup,
> this might be achievable... ?
>
> Here it is:
>
> Let's say I have N hosts in a cloud. Each runs a particular
> set of servers open to public access. All hosts have their
> own firewall, and all hosts reside in a common IP range (big or
> small).
>
> I've been noting that the bad guys are scanning my hosts by
> IP, and usually within a few minutes, they hit each server in turn.
> I have fail2ban running, and it does a fair job of picking up on the
> attempts and triggering. I'm using iptables to block IPs. Sorry, I
> don't want to utter heresy ;), I'm trying to give ossec due diligence.
>
> What I'd like to do is, if ANY machine gets attacked, I'd like to
> report back to the server, and have the server set up the blocking IP
> and then have it command all the other agents to block that IP also.
>
> This way, the attacker might get a peek at one or two systems,
> but will find nothing but a wall at all the other servers.
>
> Can ossec do this easily?
>
> murf
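The reply above boils down to an active-response block whose location is `all`. As an added illustration (not text from the reply or from the OSSEC project's own docs), here is a minimal ossec.conf fragment for the manager that ties the stock firewall-drop command to every agent; the alert level and timeout are assumed values, not anything the thread states.

```xml
<ossec_config>
  <!-- Added example, not from the reply above. The command is defined once
       on the manager; firewall-drop.sh ships with OSSEC and is handed the
       alert's source IP (expect srcip). -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location "local" would only block on the host that raised the alert;
       "all" makes the manager and every connected agent run the block. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>       <!-- assumed threshold: fire on alerts of level 10 and up -->
    <timeout>600</timeout>  <!-- assumed: lift the block after 10 minutes -->
  </active-response>
</ossec_config>
```

Agents only execute the response if active response is not disabled in their own configuration, and the timeout keeps a single false positive from leaving a permanent firewall rule on every host.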
