Hi guys, I set up ossec a few months ago now, but I have some problems with active-responses.

Active-responses work well, no problem with them. When an alert is detected, a lot of failed authentications from the same IP for example, the IP is blacklisted in the firewall, and all connections are dropped. I use a timeout of 900s and repeated_offenders. But in some cases it happened that a legitimate IP was blacklisted: wrong password or other. It was blacklisted for 900s. I want to manually unblock the IP, so I execute the commands:

# /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
# /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1

It's ok: 1.1.1.1 is deleted from the firewall's blacklist and is also deleted from hosts.deny. But 1.1.1.1 is still not allowed to connect to the agent, until the timeout of 900s expires.

My question: is there a way to manually unblock 1.1.1.1 before timeout expiration? Did active-response modify anything else, apart from adding a drop rule in the firewall and an IP in hosts.deny in my case?? I already tried a reboot of the agent, it doesn't help. I'm using ossec2.6.

Thanks for any help.

Zoe
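An added diagnostic script for this situation (not part of the original post or of OSSEC itself). It assumes the OSSEC 2.6 defaults, namely that firewall-drop.sh inserts "-s IP -j DROP" into the INPUT and FORWARD chains and that host-deny.sh appends "ALL:IP" to /etc/hosts.deny; it also assumes that the delete action issues a single "iptables -D", which removes only one matching rule, so an IP that fired several alerts can keep duplicate DROP rules after one manual delete. The script counts and removes every matching rule and hosts.deny line, so you can see whether anything was actually left behind on the agent.

```shell
#!/bin/sh
# Added example, not OSSEC's own code. Clears every trace of an active-response
# block for one IP on an agent. Assumed OSSEC 2.6 defaults: firewall-drop.sh
# inserts "-s IP -j DROP" into INPUT and FORWARD, host-deny.sh appends "ALL:IP"
# to /etc/hosts.deny. Assumption: "iptables -D" removes only ONE matching rule
# per call, so repeated "add" actions can leave duplicates after one "delete".

IPTABLES=${IPTABLES:-/sbin/iptables}
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}

# Count DROP rules for IP $2 in a chain listing ($1 = output of "iptables -S CHAIN").
count_drop_rules() {
    printf '%s\n' "$1" | grep -Fc -- "-s $2/32 -j DROP" || true
}

# Remove every "ALL:IP" line host-deny.sh wrote to file $1 for IP $2; prints the count.
purge_hosts_deny() {
    before=$(grep -Fxc "ALL:$2" "$1" || true)
    grep -Fxv "ALL:$2" "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
    echo "$before"
}

# Delete all matching DROP rules from chain $1 for IP $2; prints how many were removed.
flush_chain() {
    removed=0
    while [ "$(count_drop_rules "$("$IPTABLES" -S "$1")" "$2")" -gt 0 ]; do
        "$IPTABLES" -D "$1" -s "$2" -j DROP || break
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Report what was still in place for the IP; a count above 1 means duplicates.
unblock_ip() {
    echo "INPUT rules removed:      $(flush_chain INPUT "$1")"
    echo "FORWARD rules removed:    $(flush_chain FORWARD "$1")"
    echo "hosts.deny lines removed: $(purge_hosts_deny "$HOSTS_DENY" "$1")"
}

if [ $# -eq 1 ]; then
    unblock_ip "$1"
else
    echo "usage: $0 <blocked-ip>" >&2
fi
```

Run it as root on the agent; if all three counts are 0 and the IP is still blocked, the block is not in iptables or hosts.deny and the cause lies elsewhere.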
