Regarding unblocking an IP that has become blocked:

In your active responses log /var/ossec/logs/active-responses.log you will see entries similar to the below:

    /var/ossec/active-response/bin/firewall-drop.sh add - 123.123.123.123 1328136255.31737 31151
    /var/ossec/active-response/bin/host-deny.sh add - 123.123.123.123 1328136255.31737 31151

You can reverse those blocks by changing add to delete:

    /var/ossec/active-response/bin/firewall-drop.sh delete - 123.123.123.123 1328136255.31737 31151
    /var/ossec/active-response/bin/host-deny.sh delete - 123.123.123.123 1328136255.31737 31151

If it is yourself you keep blocking, add a whitelist entry for yourself in /var/ossec/etc/ossec.conf and bounce ossec. Something like the below.

    <global>
      ...
      ...
      <white_list>123.123.123.123</white_list>
      ...
      ...
    </global>

I have not figured out increasing the threshold for failed http logins yet but it is on a to do list.

Thanks,
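
Added example, not part of the original message: a shell function that reads the active-response log described above and prints the matching delete command for every script whose latest action for a given IP is still add. The function names `pending_unblocks` and `sample_log`, the sample lines, and the date prefix on some of them are assumptions made for illustration; nothing is executed, the commands are only printed for review.

```shell
# Added example: list the "delete" commands that undo OSSEC active-response
# blocks still in force for one IP, based on active-responses.log entries.
# Usage: pending_unblocks IP [LOGFILE]   (hypothetical helper name)
pending_unblocks() {
    ip=$1
    log=${2:-/var/ossec/logs/active-responses.log}
    # Accept only digits and dots so the value is safe to print in a command.
    case $ip in
        ''|*[!0-9.]*) echo "invalid IPv4 address: $ip" >&2; return 2 ;;
    esac
    awk -v ip="$ip" '
    {
        # Locate the script path; log lines may carry a date prefix (assumed).
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\/var\/ossec\/active-response\/bin\/[A-Za-z0-9_.-]+\.sh$/) break
        if (i > NF || $(i + 3) != ip) next
        script = $i; action = $(i + 1)
        if (action == "add") {
            args = ""
            for (j = i + 2; j <= NF; j++) args = args " " $j
            # Ignore entries whose arguments contain unexpected characters.
            if (args !~ /^[ A-Za-z0-9._-]+$/) next
            state[script] = args      # delete must mirror the add arguments
            if (!(script in seen)) { order[++n] = script; seen[script] = 1 }
        } else if (action == "delete") {
            state[script] = ""        # block already reversed
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (state[order[k]] != "")
                print order[k] " delete" state[order[k]]
    }' "$log"
}

# Constructed sample log (not real data) in the format shown in the message.
sample_log() {
    cat <<'EOF'
Thu Feb  2 00:04:15 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 123.123.123.123 1328136255.31737 31151
Thu Feb  2 00:04:15 UTC 2012 /var/ossec/active-response/bin/host-deny.sh add - 123.123.123.123 1328136255.31737 31151
Thu Feb  2 00:14:15 UTC 2012 /var/ossec/active-response/bin/host-deny.sh delete - 123.123.123.123 1328136255.31737 31151
/var/ossec/active-response/bin/firewall-drop.sh add - 10.0.0.5 1328136300.40000 31151
EOF
}
```

Review the printed lines before running them as root; a script that already has a later delete entry for the IP is left out.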
