On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
> Thanks for the reply.
>
> No, the IP is not blocked anywhere else.
> The IP is not in the firewall, nor in hosts.deny. But it is still blocked until
> the timeout has expired.
> After 900s (timeout), the IP is allowed, but not before. Even if deleted from
> the firewall and hosts.deny.
>
> The question: how is the timeout defined? Where or how can I remove it after
> the active-response is applied?
>

Remove it from wherever you set it. The supplied AR scripts don't do anything fancy. Generally if you remove the IP from the firewall block and from the hosts.deny block it'll be allowed. If you remove the block from every place you have OSSEC set the block, it won't be blocked (by OSSEC) anymore. It's that simple. Since you haven't provided any useful information, that's all I can help with. My guess would be you aren't using your tools correctly, but that's just a guess.

> On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>> > Hi guys,
>> >
>> > I set up OSSEC a few months ago, but I have some problems with
>> > active-responses.
>> >
>> > Active-responses work well, no problem with them.
>> > When an alert is detected, a lot of failed authentications from the same IP
>> > for example, the IP is blacklisted in the firewall, and all connections are
>> > dropped.
>> > I use a timeout of 900s and repeated_offenders.
>> >
>> > But in some cases it happened that a legitimate IP was blacklisted: wrong
>> > password or other. It was blacklisted for 900s.
>> >
>> > I want to manually unblock the IP, so I execute the commands:
>> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>> >
>> > It's OK: 1.1.1.1 is deleted from the firewall's IP blacklist and is also
>> > deleted from hosts.deny.
>> >
>> > But 1.1.1.1 is still not allowed to connect to the agent, until the timeout of
>> > 900s has expired.
>> >
>> > My question: is there a way to manually unblock 1.1.1.1 before the timeout
>> > expires?
>> > Did active-response modify anything else, apart from adding a drop rule in
>> > the firewall and an IP in hosts.deny in my case?
>> >
>>
>> How would we know?
>>
>> > I already tried a reboot of the agent, it doesn't help.
>> >
>> > I'm using OSSEC 2.6.
>> >
>> > Thanks for any help.
>> >
>> > Zoe
>>
>> If you remove the IP from the hosts.deny and the firewall block, it
>> should be allowed. Unless you've blocked the IP somewhere else.
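The reply above names the two places the stock scripts record a block (hosts.deny and the firewall). The following POSIX shell check is an added example, not code from this thread or from the OSSEC project: it reports whether a given IP is still recorded in either place, so a manual unblock can be verified before waiting out the timeout. It assumes the formats the stock host-deny.sh and firewall-drop.sh scripts use (an `ALL:<ip>` line in hosts.deny; `-s <ip> -j DROP` rules in the INPUT/FORWARD chains as listed by `iptables -S`), and it takes the file contents and rule listing as text arguments so it runs offline against constructed samples. It only covers those two locations; it says nothing about state the active-response daemon may keep internally.

```shell
#!/bin/sh
# Added example (not from the OSSEC project or the thread).
# still_blocked IP HOSTS_DENY_TEXT IPTABLES_TEXT
#   Prints one line per place where IP is still recorded.
#   Exit status 0 = still blocked somewhere, 1 = no OSSEC-style block found.
# In production, feed it the real data, e.g.
#   still_blocked 1.1.1.1 "$(cat /etc/hosts.deny)" "$(iptables -S)"
# Assumed formats (host-deny.sh / firewall-drop.sh from OSSEC 2.6):
#   hosts.deny line:  ALL:1.1.1.1   (a space after the colon is tolerated)
#   iptables rule:    -A INPUT -s 1.1.1.1/32 -j DROP

# Escape the dots so the IP is matched literally inside the regexes.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

still_blocked() {
    sb_ip=$1
    sb_hosts_deny=$2
    sb_rules=$3
    sb_found=1
    sb_re_ip=$(escape_ip "$sb_ip")

    # hosts.deny: ignore comment lines; require the IP to end at a space or EOL
    # so 1.1.1.1 does not match an entry for 1.1.1.10.
    if printf '%s\n' "$sb_hosts_deny" | grep -v '^[[:space:]]*#' \
        | grep -Eq "^[[:space:]]*ALL:[[:space:]]*${sb_re_ip}([[:space:]]|\$)"; then
        echo "hosts.deny: $sb_ip"
        sb_found=0
    fi

    # iptables: any DROP rule whose source is the IP, with or without /32.
    if printf '%s\n' "$sb_rules" \
        | grep -Eq -- "-s[[:space:]]+${sb_re_ip}(/32)?[[:space:]].*-j[[:space:]]+DROP"; then
        echo "iptables: $sb_ip"
        sb_found=0
    fi

    return $sb_found
}

# Constructed sample data: state right after an active-response fired.
SAMPLE_HOSTS_DENY='# /etc/hosts.deny (constructed sample)
ALL:1.1.1.1
ALL: 203.0.113.9'

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 1.1.1.1/32 -j DROP
-A FORWARD -s 1.1.1.1/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Constructed sample data: same host after the two "delete" commands ran.
AFTER_DELETE_HOSTS_DENY='# /etc/hosts.deny (constructed sample, after delete)
ALL: 203.0.113.9'

AFTER_DELETE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

echo "Before manual delete:"
still_blocked 1.1.1.1 "$SAMPLE_HOSTS_DENY" "$SAMPLE_RULES" || echo "  no OSSEC block found"
echo "After manual delete:"
still_blocked 1.1.1.1 "$AFTER_DELETE_HOSTS_DENY" "$AFTER_DELETE_RULES" || echo "  no OSSEC block found"
```

If the check reports nothing for the IP and connections are still refused, the remaining block is outside the two places the scripts write to, which is the case the reply above is pointing at.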
