Thanks for the reply. No, the IP is not blocked anywhere else. The IP is not in the firewall, nor in hosts.deny. But it is still blocked until the timeout expires. After 900s (the timeout), the IP is allowed, but not before, even if it has been deleted from the firewall and hosts.deny.
The question: how is the timeout defined? Where or how can I remove it after the active response has been applied?

On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
> > Hi guys,
> >
> > I set up OSSEC a few months ago, but I have some problems with
> > active responses.
> >
> > Active responses work well, no problem with that.
> > When an alert is detected, for example a lot of failed authentications
> > from the same IP, the IP is blacklisted in the firewall and all
> > connections are dropped.
> > I use a timeout of 900s and repeated_offenders.
> >
> > But in some cases it happened that a legitimate IP was blacklisted: wrong
> > password or something else. It was blacklisted for 900s.
> >
> > I want to manually unblock the IP, so I execute the commands:
> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
> >
> > That works: 1.1.1.1 is deleted from the firewall's list of blacklisted IPs
> > and is also deleted from hosts.deny.
> >
> > But 1.1.1.1 is still not allowed to connect to the agent until the
> > timeout of 900s has expired.
> >
> > My question: is there a way to manually unblock 1.1.1.1 before the
> > timeout expires?
> > Did active-response modify anything else, apart from adding a drop rule
> > in the firewall and an IP in hosts.deny in my case?
> >
>
> How would we know?
>
> > I already tried a reboot of the agent, it doesn't help.
> >
> > I'm using OSSEC 2.6.
> >
> > Thanks for any help.
> >
> > Zoe
>
> If you remove the IP from the hosts.deny and the firewall block, it
> should be allowed. Unless you've blocked the IP somewhere else.
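Added here as a diagnostic for the situation in the thread above; this is not OSSEC's own code and not something either poster ran. It checks the two places the two active-response scripts in the thread touch (an iptables DROP rule for the IP, and an ALL:<ip> line in hosts.deny) and reports the last add/delete that host-deny.sh and firewall-drop.sh recorded for that IP. It assumes the default OSSEC 2.x paths (/etc/hosts.deny, /var/ossec/logs/active-responses.log) and the log line shape those scripts write as I recall it (`date`, script path, action, user, IP); the iptables, hosts.deny and log samples are constructed so the script runs offline.

```shell
#!/bin/sh
# Diagnostic added for the thread above; not OSSEC's own code.
# Every input is passed in as text so the functions can run against the
# constructed samples below. In production the sources would be the output
# of `iptables -S`, the contents of /etc/hosts.deny and of
# /var/ossec/logs/active-responses.log (assumed default OSSEC 2.x paths).

# Constructed sample of `iptables -S` output: 1.1.1.1 is still dropped.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 1.1.1.1/32 -j DROP
-A FORWARD -s 1.1.1.1/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed /etc/hosts.deny: the 1.1.1.1 entry was already removed (only a
# commented-out copy remains); another host is still denied.
SAMPLE_HOSTS_DENY='# /etc/hosts.deny
#ALL:1.1.1.1
ALL:203.0.113.9'

# Constructed active-responses.log lines in the shape I recall the 2.x scripts
# writing ("`date` $0 $1 $2 $3": date, script path, action, user, ip).
SAMPLE_AR_LOG='Tue Oct 16 14:05:01 CEST 2012 /var/ossec/active-response/bin/host-deny.sh add - 1.1.1.1
Tue Oct 16 14:05:01 CEST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 1.1.1.1
Tue Oct 16 14:09:30 CEST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 1.1.1.1'

# fw_drop_rules IP RULES: print every "-A INPUT|FORWARD -s IP -j DROP" rule
# in RULES, the form a firewall-drop style script inserts.
fw_drop_rules() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "-s" &&
        ($4 == ip || $4 == ip "/32") && $5 == "-j" && $6 == "DROP"'
}

# hosts_deny_entries IP CONTENT: print uncommented hosts.deny lines whose
# daemon list is ALL and whose client list contains IP as a whole token.
hosts_deny_entries() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        { line = $0; sub(/#.*/, "") }
        NF == 0 { next }
        {
            n = split($0, f, ":")
            if (n < 2) next
            gsub(/^[ \t]+|[ \t]+$/, "", f[1])
            if (f[1] != "ALL") next
            m = split(f[2], c, /[ \t,]+/)
            for (k = 1; k <= m; k++) if (c[k] == ip) { print line; break }
        }'
}

# ar_last_action IP SCRIPT LOG: print the last action ("add", "delete" or
# "none") that SCRIPT logged for IP in the active-responses.log text LOG.
ar_last_action() {
    printf '%s\n' "$3" | awk -v ip="$1" -v s="$2" '
        {
            for (i = 1; i + 3 <= NF; i++) {
                if (substr($i, length($i) - length(s) + 1) == s &&
                    ($(i+1) == "add" || $(i+1) == "delete") && $(i+3) == ip)
                    a = $(i+1)
            }
        }
        END { print (a == "" ? "none" : a) }'
}

# check_ip IP RULES HOSTS_DENY LOG: report where IP is still blocked.
# Returns 0 when neither the firewall nor hosts.deny blocks it, 1 otherwise.
check_ip() {
    ip="$1"
    blocked=0
    fw=$(fw_drop_rules "$ip" "$2")
    hd=$(hosts_deny_entries "$ip" "$3")
    if [ -n "$fw" ]; then
        echo "firewall still drops $ip:"
        printf '%s\n' "$fw" | sed 's/^/  /'
        blocked=1
    else
        echo "firewall: no DROP rule for $ip"
    fi
    if [ -n "$hd" ]; then
        echo "hosts.deny still lists $ip:"
        printf '%s\n' "$hd" | sed 's/^/  /'
        blocked=1
    else
        echo "hosts.deny: no ALL:$ip entry"
    fi
    echo "last host-deny.sh action:     $(ar_last_action "$ip" host-deny.sh "$4")"
    echo "last firewall-drop.sh action: $(ar_last_action "$ip" firewall-drop.sh "$4")"
    return $blocked
}

# Stand-alone demo against the constructed samples (exit status ignored here).
check_ip 1.1.1.1 "$SAMPLE_RULES" "$SAMPLE_HOSTS_DENY" "$SAMPLE_AR_LOG" || :
```

Run against live data as `check_ip 1.1.1.1 "$(iptables -S)" "$(cat /etc/hosts.deny)" "$(cat /var/ossec/logs/active-responses.log)"`. If it reports the firewall and hosts.deny clean and the host still cannot connect, the block is somewhere this script does not look, which is the point dan's reply makes. One caveat, if I recall the 2.x scripts correctly: their argument order is action, user, IP, so a manual delete is written `host-deny.sh delete - 1.1.1.1`; the sample log lines above follow that order.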
