On Thu, Jul 12, 2012 at 8:05 PM, cosmaschi cristian <[email protected]> wrote:
> I have nothing in hosts.deny
>
> but I see something weird in the logs
> tail -f /var/ossec/logs/active-responses.log
>
> Thu Jul 12 19:54:47 EDT 2012 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706

Your sshd isn't resolving the IP/hostname properly and is instead logging UNKNOWN. Fix that and it should work.

> Thu Jul 12 19:54:48 EDT 2012 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
> Thu Jul 12 19:54:50 EDT 2012 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
> Thu Jul 12 19:54:53 EDT 2012 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
> Thu Jul 12 19:54:57 EDT 2012 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
> Thu Jul 12 19:55:02 EDT 2012 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
>
> Thanks
>
>
> On Thu, Jul 12, 2012 at 9:27 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jul 11, 2012 at 9:59 PM, cosmaschi cristian <[email protected]> wrote:
>> > my last Active response log is from Mon Jun 4 21:23:43 EDT 2012 oops :| that's bad
>> >
>> > attached are ossec.conf and asterisk rules
>> >
>> > Thanks
>> >
>>
>> So you have a very basic active response configuration. I think the host-deny entry will be triggered and the firewall-drop one will not. Try commenting out the host-deny entry, or check your hosts.deny file to see if that's getting the entries instead of iptables.
>>
>> >
>> > On Wed, Jul 11, 2012 at 9:48 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Jul 11, 2012 9:43 PM, "cosmaschi cristian" <[email protected]> wrote:
>> >> >
>> >> > I see that the rules are being processed, but when I check iptables to see if the host was blocked ... nothing...
>> >> >
>> >> > it used to work until 2 days ago...
>> >> >
>> >>
>> >> What changed? What is your configuration? How did you check iptables? Anything in the active response log? Why didn't you include that info?
>> >>
>> >> >
>> >> > Results:
>> >> > Total alerts found: 424
>> >> >
>> >> > Alert list
>> >> > 2012 Jul 11 20:56:00 Rule Id: 6212 level: 10
>> >> > Location: (Hp22) 209.217.109.82->/var/log/messages
>> >> > Src IP: 0:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:[email protected]:5060>' failed for '99.251.108.141:5060' - No matching peer found
>> >> > Login session failed (invalid extension). ** Alert 1342054561.21049945: - syslog,asterisk,
>> >> >
>> >>
>> >> It looks like you're using the broken web ui. Stop that. Either fix it or don't use it, and definitely give me an un-messed up alert.
>> >>
>> >> >
>> >> > On Wed, Jul 11, 2012 at 9:33 PM, dan (ddp) <[email protected]> wrote:
>> >> >>
>> >> >> On Jul 11, 2012 9:31 PM, "cosmaschi cristian" <[email protected]> wrote:
>> >> >> >
>> >> >> > Hello,
>> >> >> >
>> >> >> > I'm trying to debug ossec, following
>> >> >> > http://www.ossec.net/doc/faq/unexpected.html
>> >> >> >
>> >> >> > example: If you have logs similar to the following in /var/ossec/queue/ossec/queue:
>> >> >> >
>> >> >> > when I run
>> >> >> >
>> >> >> > tail -f /var/ossec/queue/ossec/queue
>> >> >> >
>> >> >>
>> >> >> That page does not tell you to do that. It probably wants you to tail the logfile:
>> >> >> `tail -f /var/ossec/logs/ossec.log`
>> >> >>
>> >> >> > I get
>> >> >> >
>> >> >> > tail: cannot open `/var/ossec/queue/ossec/queue' for reading: No such device or address
>> >> >> > tail: no files remaining
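The thread above ends without showing how to tell, from active-responses.log alone, why firewall-drop.sh keeps failing. The following is an added example (not part of this thread, and not OSSEC's own code) that does that: it parses the two line shapes visible in the thread, the plain "date script action user ip alert_id rule_id" record the stock response scripts write and the "Unable to run (iptables returning != 2): N - ..." retry record from firewall-drop.sh, groups them by alert id, and flags any alert whose IP field is not a real address (here the literal string UNKNOWN, which iptables cannot use as a `-s` argument, so every retry fails). It also pulls the peer address out of an asterisk chan_sip line, to show that the source IP is present in the raw log and only goes missing between the decoder and the response script. The field layout of the log records is an assumption taken from the lines quoted in the thread; the sample log lines and the asterisk line are constructed for the example (the healthy fourth record and the TEST-NET SIP registrant are invented).

```python
"""Diagnose OSSEC active-response failures from active-responses.log.

Added example; not the mailing-list poster's code and not OSSEC's own.
Field layout assumed from the records quoted in the thread:
  <date> <script> <action> <user> <ip> <alert_id> <rule_id>
"""
import ipaddress
import re
from collections import defaultdict

# Retry record firewall-drop.sh writes when iptables exits non-zero (shape seen in the thread).
RETRY_RE = re.compile(
    r"^(?P<date>.+?) Unable to run \(iptables returning != 2\): (?P<attempt>\d+) - "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$"
)
# Plain "script was run" record: <date> <script> <action> <user> <ip> <alert_id> <rule_id>.
RUN_RE = re.compile(
    r"^(?P<date>.+?) (?P<script>/\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule_id>\d+)$"
)
# Asterisk chan_sip registration failure; the peer address sits in "failed for 'IP:port'".
ASTERISK_RE = re.compile(r"failed for '(?P<ip>[0-9.]+):(?P<port>\d+)'")

# Constructed sample: three of the retry lines from the thread plus one invented healthy record.
SAMPLE_LOG = """\
Thu Jul 12 19:54:47 EDT 2012 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:54:48 EDT 2012 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:55:02 EDT 2012 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 20:01:10 EDT 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 99.251.108.141 1342137670.17100000 6212
"""

# Constructed asterisk line modelled on the one in the thread (registrant address is TEST-NET).
ASTERISK_LINE = (
    "Jul 11 20:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in "
    "handle_request_register: Registration from '<sip:100@203.0.113.10:5060>' "
    "failed for '99.251.108.141:5060' - No matching peer found"
)


def parse_ar_line(line):
    """Return a dict for one active-responses.log record, or None if the line is not one.

    The retry pattern is tried first, because the plain pattern would also match a
    retry line by swallowing the 'Unable to run ...' prefix into the date field.
    """
    for kind, rx in (("retry", RETRY_RE), ("run", RUN_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["attempt"] = int(rec.get("attempt") or 0)
            return rec
    return None


def usable_ip(value):
    """True only if the field the script would hand to iptables is an actual IP address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def diagnose(lines):
    """Group records by alert id and report, per alert, whether the IP could ever have worked."""
    by_alert = defaultdict(list)
    for line in lines:
        rec = parse_ar_line(line)
        if rec:
            by_alert[rec["alert_id"]].append(rec)
    report = {}
    for alert_id, recs in by_alert.items():
        ip = recs[0]["ip"]
        report[alert_id] = {
            "rule_id": recs[0]["rule_id"],
            "action": recs[0]["action"],
            "ip": ip,
            "ip_ok": usable_ip(ip),
            "retries": max(r["attempt"] for r in recs),
        }
    return report


def asterisk_srcip(logline):
    """Extract the source IP a correct asterisk decoder should expose as srcip."""
    m = ASTERISK_RE.search(logline)
    return m.group("ip") if m else None


if __name__ == "__main__":
    for alert_id, info in diagnose(SAMPLE_LOG.splitlines()).items():
        status = "ok" if info["ip_ok"] else "BAD srcip %r: iptables can never apply it" % info["ip"]
        print(alert_id, "rule", info["rule_id"], info["action"], status, "retries=%d" % info["retries"])
    print("asterisk line carries srcip:", asterisk_srcip(ASTERISK_LINE))
```

Run it against the real file with `python3 ar_diag.py < /var/ossec/logs/active-responses.log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`. An alert reported with `ip_ok` false and a high retry count is the signature in the thread: the response ran, but the decoder never gave it an address, so no iptables rule (and no hosts.deny entry) will ever appear for it.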
