On Wed, Apr 25, 2012 at 9:05 AM, jfranz <[email protected]> wrote:
> Hi guys,
>
> I'm pretty new to OSSEC and running into problems getting a centralized
> configuration done.
>
> I'm running OSSEC-Server on a CentOS 6.2 box and OSSEC-Agent on a
> Ubuntu 12.04 box. Everything is working fine so far (only plain
> installation and connecting the agent to the server).
>
> Here comes the trouble: I changed the host-deny and firewall-drop
> commands inside the ossec.conf of the server to location "all". As I
> understand it, this means that i.e. if somebody is bruteforcing the
> sshd running on the agent, the host-deny and firewall-drop active
> responses should trigger both on the agent and the server. In my case,
> this doesn't work. I can see the sshd bruteforce attack inside the
> logs on the server, so the connection between agent and server works,
> but only the agent which was under attack blocked the ip via iptables
> and host.deny, and not the server.
>

Unfortunately I think this is the way it works. "all" actually means
"all agents," not "all systems." I think this might be worth looking
into...

> As I understand it, the agent uses the ossec.conf and *_rules.xml
> files from the server?!?!
>

No. Each agent uses its own ossec.conf, and possibly the agent.conf
from the server. The rules and decoders are only handled on the
server. The agent passes a log message to the server, which then
compares it to the decoders/rules.

> In my case, the server config file has the following md5sum:
> 1dd21647768bd23ac2a83e62adbbc0ca ossec.conf
>
> The agent is using a different one:
>
> OSSEC HIDS agent_control. Agent information:
> Agent ID: 001
> Agent Name: Client1
> IP address: 10.17.0.15
> Status: Active
>
> Operating system: Linux testing 3.2.0-22-generic-pae #35-Ubuntu SMP Tu..
> Client version: OSSEC HIDS v2.6 / 77843f5c451af0a872a5e4733655aa1e
> Last keep alive: Wed Apr 25 14:55:16 2012
>
> Syscheck last started at: Wed Apr 25 14:30:15 2012
> Rootcheck last started at: Wed Apr 25 14:40:43 2012
>
> This one is located under ../shared/agent.conf on the server:
> 77843f5c451af0a872a5e4733655aa1e shared/agent.conf
>
> The OSSEC documentation says that I can push a centralized
> configuration from the server to the agent, by creating the file
> ../shared/agent.conf. In my case, this file already exists and
> contains a perl script.
>

That's wrong. I don't know why there would be a perl script there.
Something went haywire in your installation.

> I'm stuck. So, how can I use a centralized set of rules that I created
> in the local_rules.xml on the server and push it to the agent and how
> can an alarm on one of the agents be triggered on all agents
> connecting to the same server?
>
> I would really appreciate if anybody could help me out with this,
> because OSSEC seems to be really nice!
>
> Best regards,
> _joern_
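Added example, not part of this thread and not jfranz's or the replier's actual configuration: a constructed server-side ossec.conf fragment and a constructed shared/agent.conf, illustrating the two points made in the reply. If, as the reply states, location "all" targets only the agents, the unambiguous way to block an attacker on both the agents and the manager is to define the same active response twice, once with location "all" and once with location "server". The command block is the stock firewall-drop definition shipped with OSSEC; the paths assume a default /var/ossec install and the level and timeout values are placeholders chosen for the example.

```xml
<!-- File: /var/ossec/etc/ossec.conf on the OSSEC server (constructed example) -->
<ossec_config>
  <!-- Stock command definition as shipped with OSSEC; firewall-drop.sh adds an iptables DROP for the source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location "all": the manager sends the response to every agent. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- A second block with location "server" runs the same command on the manager itself. -->
  <active-response>
    <command>firewall-drop</command>
    <location>server</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- File: /var/ossec/etc/shared/agent.conf on the server (constructed example).
     This is what can be pushed centrally: agent-side settings such as which
     log files to read. Rules (local_rules.xml) and decoders stay on the server
     and are never pushed to agents. -->
<agent_config os="Linux">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>
```

The agent_control output quoted in the thread already shows how to confirm that an agent has picked up the pushed file: the hash printed after "Client version" is the checksum of the agent.conf the agent currently holds, and it matches the md5sum of shared/agent.conf on the server. A file containing a perl script, as jfranz found, would be rejected as configuration and should simply be replaced with valid agent.conf XML like the fragment above.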
