Thanks for the explanation.
IP is not set anywhere else.
Sorry for the lack of information:
Ossec 2.6 is installed on server and agents with Suse Linux.
# ossec.conf on Ossec Server
<ossec_config>
...
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>host-deny</command>
<location>all</location>
<level>10</level>
<rules_id>11306</rules_id>
<timeout>900</timeout>
<repeated_offenders>15,30,60,120</repeated_offenders>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>all</location>
<level>10</level>
<rules_id>11306</rules_id>
<timeout>900</timeout>
<repeated_offenders>15,30,60,120</repeated_offenders>
</active-response>
</ossec_config>
...
# ossec.conf on Ossec agent
<ossec_config>
<client>
<server-ip>1.1.1.2</server-ip>
</client>
<active-response>
<repeated_offenders>15,30,60,120</repeated_offenders>
</active-response>
</ossec_config>
Is there any other information that could help?
Thanks in advance for your help.
Note: when OSSEC executes "firewall-drop delete" and "host-deny delete"
after the timeout, it's OK: the IP is then allowed.
But when I execute these commands manually, the firewall and hosts.deny are
modified, but the IP remains blocked...
Zoe
On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>
> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]>
> wrote:
> > Thanks for the reply.
> >
> > No, the IP is not blocked anywhere else.
> > The IP is not in the firewall, nor in hosts.deny. But it is still blocked until
> > the timeout expires.
> > After 900s (timeout), the IP is allowed, but not before. Even if deleted from
> > the firewall and hosts.deny.
> >
> > The question: how is the timeout defined? Where or how can I remove it after
> > the active-response is applied?
> >
> >
>
> Remove it from wherever you set it. The supplied AR scripts don't do
> anything fancy. Generally if you remove the IP from the firewall block
> and from the hosts.deny block it'll be allowed. If you remove the
> block from every place you have OSSEC set the block, it won't be
> blocked (by OSSEC) anymore. It's that simple.
> Since you haven't provided any useful information, that's all I can
> help with. My guess would be you aren't using your tools correctly,
> but that's just a guess.
>
> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
> >> > Hi guys,
> >> >
> >> > I set up OSSEC a few months ago, but I have some problems with
> >> > active-responses.
> >> >
> >> > Active-responses work well, no problem with them.
> >> > When an alert is detected, for example a lot of failed authentications
> >> > from the same IP, the IP is blacklisted in the firewall and all
> >> > connections are dropped.
> >> > I use a timeout of 900s and repeated_offenders.
> >> >
> >> > But in some cases it happened that a legitimate IP was blacklisted:
> >> > a wrong password or something else. It was blacklisted for 900s.
> >> >
> >> > I want to manually unblock the IP, so I execute the commands:
> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
> >> >
> >> > It's OK: 1.1.1.1 is deleted from the firewall's blacklist and is
> >> > also deleted from hosts.deny.
> >> >
> >> > But 1.1.1.1 is still not allowed to connect to the agent until the
> >> > 900s timeout has expired.
> >> >
> >> > My question: is there a way to manually unblock 1.1.1.1 before the
> >> > timeout expires?
> >> > Did the active-response modify anything else, apart from adding a drop
> >> > rule in the firewall and an IP in hosts.deny in my case?
> >> >
> >>
> >> How would we know?
> >>
> >> > I already tried rebooting the agent; it doesn't help.
> >> >
> >> > I'm using OSSEC 2.6.
> >> >
> >> > Thanks for any help.
> >> >
> >> > Zoe
> >>
> >> If you remove the IP from the hosts.deny and the firewall block, it
> >> should be allowed. Unless you've blocked the IP somewhere else.
>
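Dan's advice is to remove the block from every place OSSEC set it. As an added example (not from this thread or from the OSSEC project), the following checks the three places the commands defined in Zoe's ossec.conf can touch: the iptables chains firewall-drop.sh inserts into, the "ALL:<ip>" line host-deny.sh appends to /etc/hosts.deny, and the reject route route-null.sh adds. The captured command output is constructed sample data, and the exact `ip route` wording for a reject route is an assumption.

```python
# Added example, not from the thread: list every place the active-response
# scripts in the configuration above can leave a block for an IP, parsing
# captured `iptables -L -n`, /etc/hosts.deny and `ip route show` text.
# Sample data below is constructed; the route-null output format is an assumption.

def iptables_drop_chains(ip, listing):
    """Chains holding a DROP rule with ip as source (firewall-drop.sh uses INPUT and FORWARD)."""
    chains, current = [], None
    for line in listing.splitlines():
        f = line.split()
        if f and f[0] == "Chain":
            current = f[1]
        elif len(f) > 3 and f[0] == "DROP" and f[3] in (ip, ip + "/32"):
            chains.append(current)
    return chains

def hosts_deny_rules(ip, contents):
    """hosts.deny rules whose client list names ip (host-deny.sh appends 'ALL:<ip>')."""
    hits = []
    for raw in contents.splitlines():
        rule = raw.split("#", 1)[0].strip()  # drop comments
        if ":" in rule and ip in rule.split(":")[1].replace(",", " ").split():
            hits.append(rule)
    return hits

def null_routes(ip, routes):
    """`ip route` entries that discard ip (route-null.sh adds a reject route; assumed format)."""
    hits = []
    for r in routes.splitlines():
        f = r.split()
        if len(f) > 1 and f[0] in ("unreachable", "blackhole", "prohibit") and f[1] in (ip, ip + "/32"):
            hits.append(r.strip())
    return hits

def block_locations(ip, listing, hosts_deny, routes):
    """Where ip is still blocked; an empty list means nothing OSSEC set is left."""
    return (["iptables " + c for c in iptables_drop_chains(ip, listing)]
            + ["hosts.deny " + r for r in hosts_deny_rules(ip, hosts_deny)]
            + ["route " + r for r in null_routes(ip, routes)])

# Constructed sample: the agent right after the responses fired for 1.1.1.1.
IPTABLES = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  1.1.1.1              0.0.0.0/0
"""
HOSTS_DENY = "# /etc/hosts.deny\nALL:1.1.1.1\n"
ROUTES = "default via 192.0.2.1 dev eth0\nunreachable 1.1.1.1 scope link\n"

if __name__ == "__main__":
    print(block_locations("1.1.1.1", IPTABLES, HOSTS_DENY, ROUTES) or "no block left")
```

On a live host, feed the script the real command output; an empty result after running the `delete` actions means there is no OSSEC-set block left to find, and the remaining wait is only OSSEC's own timeout bookkeeping.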