As Dan mentions, yes, you'll need rule(s) to detect/log/alert on what you're looking for, then use ossec.conf on the ossec server to trigger an active-response either locally on the agent (the web server where the log originated) or an active-response on the ossec server. We actually do active-response on the ossec server: we created a custom script that does a bunch of stuff and then issues agent_control -b <ip> -u <id> -f <active-response> for the specific agent(s) involved. This can be particularly useful when dealing with many load-balanced web servers.
On Jan 5, 12:08 pm, murf <[email protected]> wrote:
> Hello, forgive me if I'm a total noob,
> but I have a particular scenario that I would like to
> implement, and I'm wondering if ossec could be used--
> my first impression is that with the server/agent setup,
> this might be achievable... ?
>
> Here it is:
>
> Let's say I have N hosts in a cloud. Each runs a particular
> set of servers open to public access. All hosts have their
> own firewall, and all hosts reside in a common IP range (big or
> small).
>
> I've been noting that the bad guys are scanning my hosts by
> IP, and usually within a few minutes, they hit each server in turn.
> I have fail2ban running, and it does a fair job of picking up on the
> attempts and triggering. I'm using iptables to block IPs. Sorry, I
> don't want to utter heresy ;), I'm trying to give ossec due diligence.
>
> What I'd like to do is, if ANY machine gets attacked, I'd like to
> report back to the server, and have the server set up the blocking IP
> and then have it command all the other agents to block that IP also.
>
> This way, the attacker might get a peek at one or two systems,
> but will find nothing but a wall at all the other servers.
>
> Can ossec do this easily?
>
> murf
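For reference, here is a minimal server-side ossec.conf fragment that implements the "block on every agent when any one agent is attacked" behaviour discussed in this thread using OSSEC's built-in firewall-drop response. This is an added illustration, not configuration from either poster; the rule ID 5712 is assumed to be the stock OSSEC sshd brute-force rule, and the 600-second timeout is an arbitrary choice.

```xml
<ossec_config>
  <!-- Declare the response script. firewall-drop.sh ships with OSSEC under
       active-response/bin/ and adds an iptables DROP for the offending
       source IP; <expect>srcip</expect> tells OSSEC which alert field to
       pass to it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire that command on EVERY agent (plus the server) whenever rule 5712
       (assumed: stock sshd brute-force rule) matches on ANY agent. Replace or
       extend <rules_id> with the IDs of whatever rules you write to detect the
       scans you care about; <level> or <rules_group> can be used instead. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <!-- Unblock automatically after 600 s so a spoofed or shared source
         address is not locked out forever. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

With <location>all</location> the server pushes the response to every connected agent, which is the "one detection, everyone blocks" outcome asked about above; <location>server</location> or <location>defined-agent</location> (with <agent_id>) narrow it down, which is the point at which a custom script driving agent_control, as described in the reply, becomes useful. Because the response runs as root on every host, keep the triggering rule tight enough that a single noisy but legitimate client cannot knock itself off the whole fleet.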
