On Tue, Jan 24, 2012 at 11:20 AM, jeff jennings <[email protected]> wrote:
> A fellow who works for me remotely called me this morning and said he was
> accessing one of our servers via ssh and the connection dropped.
>
> so I looked in the ossec active-response.log file and saw he had been
> blocked.
>
> here are his lines.
>
> can someone tell me why he was blocked?
>
> Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add
> - 273.9.66.246 1327412771.231959 31106

Rule 31106 was triggered. That rule requires <if_sid>31103, 31104, 31105</if_sid> and <id>^200</id>. It could very well be a false positive. The web stuff is tricky.

> Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh
> add - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh
> delete - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh
> delete - 273.9.66.246 1327412771.231959 31106
>
> thanks in advance
>
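Added example, not code from the thread or from OSSEC itself: a small Python parser for the active-response.log line format quoted above, which pairs each add with its delete so an admin can see which rule fired for a source address and how long it stayed blocked. It assumes the field order shown in the quoted lines (date, script, action, user, srcip, alert id, rule id) and uses the thread's four lines, with the mail wrapping removed, as constructed sample input.

```python
import re
from datetime import datetime

# Field order as seen in the quoted active-response.log lines (an assumption from the thread):
# <wday> <mon> <day> <HH:MM:SS> <tz> <year> <script> <add|delete> <user> <srcip> <alert_id> <rule_id>
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # The zone name (EST) is dropped: strptime's %Z only accepts the local zone reliably.
    d["when"] = datetime.strptime(f"{d['mon']} {d['day']} {d['time']} {d['year']}",
                                  "%b %d %H:%M:%S %Y")
    d["rule_id"] = int(d["rule_id"])
    d["script"] = d["script"].rsplit("/", 1)[-1]  # keep just host-deny.sh, firewall-drop.sh
    return d

def block_history(lines):
    """Pair each 'add' with the 'delete' for the same script/srcip/alert id.
    One record per block; 'seconds' is None when no delete has been seen yet."""
    active, history = {}, []
    for e in filter(None, map(parse_line, lines)):
        key = (e["script"], e["srcip"], e["alert_id"])
        if e["action"] == "add":
            active[key] = e
            continue
        start = active.pop(key, None)
        if start is None:
            continue  # delete without a matching add (rotated log or manual unblock)
        history.append({"script": e["script"], "srcip": e["srcip"], "rule_id": start["rule_id"],
                        "start": start["when"], "end": e["when"],
                        "seconds": int((e["when"] - start["when"]).total_seconds())})
    for s in active.values():  # still blocked when the log ends
        history.append({"script": s["script"], "srcip": s["srcip"], "rule_id": s["rule_id"],
                        "start": s["when"], "end": None, "seconds": None})
    return history

# Constructed sample: the four lines quoted in the thread, with the mail wrapping removed.
SAMPLE = """\
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 273.9.66.246 1327412771.231959 31106
""".splitlines()
```

Running `block_history(SAMPLE)` on the thread's lines shows both scripts blocked the address on rule 31106 for 630 seconds, which is the figure to compare against the active-response timeout configured in ossec.conf.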
