Thank you, gentlemen! As long as it is possible, I will forge ahead and try an implementation. BP9906's elaboration on how to push the command back to the agent machine will be valuable.
murf

On Jan 6, 11:36 am, BP9906 <[email protected]> wrote:
> As Dan mentions, yes, you'll need rule(s) to detect/log/alert on what
> you're looking for, then use ossec.conf on ossec server to trigger an
> active-response either locally on the agent (web server where the log
> originated) or active-response on the ossec server. We actually do
> active-response on the ossec server, created a custom script that does
> a bunch of stuff and then issues the agent_control -b <ip> -u <id> -f
> <active-response> for the specific agent(s) involved. This can be
> particularly useful when dealing with many webservers load-balanced.
>
> On Jan 5, 12:08 pm, murf <[email protected]> wrote:
> > Hello, forgive me if I'm a total noob,
> > but I have a particular scenario that I would like to
> > implement, and I'm wondering if ossec could be used --
> > my first impression is that with the server/agent setup,
> > this might be achievable... ?
> >
> > Here it is:
> >
> > Let's say I have N hosts in a cloud. Each runs a particular
> > set of servers open to public access. All hosts have their
> > own firewall, and all hosts reside in a common IP range (big or
> > small).
> >
> > I've been noting that the bad guys are scanning my hosts by
> > IP, and usually within a few minutes, they hit each server in turn.
> > I have fail2ban running, and it does a fair job of picking up on the
> > attempts and triggering. I'm using iptables to block IPs. Sorry, I
> > don't want to utter heresy ;), I'm trying to give ossec due diligence.
> >
> > What I'd like to do is, if ANY machine gets attacked, I'd like to
> > report back to the server, and have the server set up the blocking IP
> > and then have it command all the other agents to block that IP also.
> >
> > This way, the attacker might get a peek at one or two systems,
> > but will find nothing but a wall at all the other servers.
> >
> > Can ossec do this easily?
> >
> > murf
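The server-side approach BP9906 describes (a custom active-response script on the manager that fans the block out with `agent_control -b <ip> -u <id> -f <response>`), written out as an added example. This is not code from the thread and not a script shipped with OSSEC. Everything named here is an assumption for illustration: the script name `block-everywhere.sh`, the ossec.conf fragment in the header comment, the `/var/ossec/bin/agent_control` path, the response name `firewall-drop600` (whatever `agent_control -L` lists on your manager is what goes there), and the `agent_control -l` output format, which is reproduced as a constructed sample so the planning function can be exercised offline. The one untrusted input is `srcip`, which OSSEC lifts from the attacker-controlled log line, so it is checked to be a plain dotted quad before it is ever handed to `agent_control`.

```shell
#!/bin/sh
# block-everywhere.sh: hypothetical server-side OSSEC active-response script
# (added example; not from the thread and not part of OSSEC).
#
# Illustrative ossec.conf wiring on the manager (values are assumptions):
#   <command>
#     <name>block-everywhere</name>
#     <executable>block-everywhere.sh</executable>
#     <expect>srcip</expect>
#     <timeout_allowed>no</timeout_allowed>
#   </command>
#   <active-response>
#     <command>block-everywhere</command>
#     <location>server</location>
#     <level>10</level>
#   </active-response>
#
# OSSEC invokes it as:  <script> <action> <user> <srcip> <alert_id> <rule_id>
# and it pushes an agent-side response to every connected agent via
#   agent_control -b <srcip> -u <agent_id> -f <response>
#
# Assumed paths/names: agent_control in /var/ossec/bin, and a response called
# "firewall-drop600" (firewall-drop, 600 s timeout; see agent_control -L).
AGENT_CONTROL="${AGENT_CONTROL:-/var/ossec/bin/agent_control}"
RESPONSE="${RESPONSE:-firewall-drop600}"

# Constructed sample of "agent_control -l" output (format assumed, check it
# against your own manager); lets plan_commands run without a live manager.
SAMPLE_AGENT_LIST='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web1, IP: 10.0.0.11, Active
   ID: 002, Name: web2, IP: 10.0.0.12, Disconnected
   ID: 003, Name: web3, IP: 10.0.0.13, Active'

# is_ipv4 <value>: accept exactly one dotted quad with octets 0-255.
# srcip comes from an attacker-controlled log line, so nothing else may
# reach agent_control as an argument.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# active_agent_ids: reduce "agent_control -l" output (stdin) to the IDs of
# remote agents whose status is exactly "Active". The manager itself
# ("Active/Local") and disconnected agents are skipped: agent_control -b
# cannot push to them, and the manager's own block is a local response.
active_agent_ids() {
    awk -F', ' '/^[ \t]*ID: / {
        id = $1; sub(/^[ \t]*ID: /, "", id)
        status = $NF; sub(/[ \t\r]+$/, "", status)
        if (status == "Active") print id
    }'
}

# plan_commands <srcip>: read an agent list on stdin and print, without
# running anything, the agent_control call for each active remote agent.
plan_commands() {
    is_ipv4 "$1" || return 2
    active_agent_ids | while IFS= read -r id; do
        printf '%s -b %s -u %s -f %s\n' "$AGENT_CONTROL" "$1" "$id" "$RESPONSE"
    done
}

# block_everywhere <action> <srcip>: the live path. Only "add" fans out; the
# matching "delete" happens on each agent via the timeout baked into RESPONSE.
block_everywhere() {
    [ "$1" = "add" ] || return 0
    is_ipv4 "$2" || { echo "block-everywhere: refusing non-IPv4 srcip '$2'" >&2; return 2; }
    "$AGENT_CONTROL" -l | active_agent_ids | while IFS= read -r id; do
        "$AGENT_CONTROL" -b "$2" -u "$id" -f "$RESPONSE" >/dev/null \
            || echo "block-everywhere: push to agent $id failed" >&2
    done
}

# Entry point when ossec-execd runs the script; a no-op when sourced or
# started without arguments.
if [ "$#" -ge 3 ]; then
    block_everywhere "$1" "$3"
fi
```

Drop it in the manager's active-response/bin directory, make it executable, and run `printf '%s\n' "$SAMPLE_AGENT_LIST" | plan_commands 203.0.113.7` (or pipe a real `agent_control -l`) to see exactly what would be pushed before enabling the `<active-response>` block. Keeping the actual firewall rule on the agent side, as a normal timed response, is what makes the unblock free: the manager never has to remember which hosts it told to block whom.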
