Hello everyone, I'm receiving a lot of alerts on one of my servers where the OSSEC agent is running that someone was attempting to get in. That would not be surprising if there were a different IP in each email, but there is not.

1. I did some troubleshooting by trying to ban an IP permanently from the OSSEC server:

   /var/ossec/bin/agent_control -b 219.146.225.147 -f firewall-drop2147483647 -u 004
   OSSEC HIDS agent_control: Running active response 'firewall-drop2147483647' on: 004

   and the IP was added to iptables correctly.

2. I checked that the rules are not exempted in local_rules.xml - all is OK.

3. I checked that these IPs are not whitelisted - they are not.

My question is: how can I check what is wrong on the client or agent when the rule is fired, and why are the attackers not added to DROP in iptables?

Peter
