On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
> Thanks for the explanation.
> IP is not set anywhere else.
>
> Sorry for the lack of information:
>
> Ossec 2.6 is installed on server and agents with Suse Linux.
>
> # ossec.conf on Ossec Server
> <ossec_config>
> ...
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>firewall-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>disable-account</name>
>     <executable>disable-account.sh</executable>
>     <expect>user</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>restart-ossec</name>
>     <executable>restart-ossec.sh</executable>
>     <expect></expect>
>   </command>
>
>   <command>
>     <name>route-null</name>
>     <executable>route-null.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <active-response>
>     <command>host-deny</command>
>     <location>all</location>
>     <level>10</level>
>     <rules_id>11306</rules_id>
>     <timeout>900</timeout>
>     <repeated_offenders>15,30,60,120</repeated_offenders>
>   </active-response>
>
>   <active-response>
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>10</level>
>     <rules_id>11306</rules_id>
>     <timeout>900</timeout>
>     <repeated_offenders>15,30,60,120</repeated_offenders>
>   </active-response>
> </ossec_config>
> ...
>
> # ossec.conf on Ossec agent
> <ossec_config>
>   <client>
>     <server-ip>1.1.1.2</server-ip>
>   </client>
>   <active-response>
>     <repeated_offenders>15,30,60,120</repeated_offenders>
>   </active-response>
> </ossec_config>
>
> Is there any other information that can help?
>

Operating system?

> Thanks in advance for your help.
>
> Note: when ossec executes "firewall-drop delete" and "host-deny delete"
> after the timeout, it's ok: IP is now allowed.
> But when I execute these commands manually, firewall and hosts.deny are
> modified, but IP remains blocked...

That doesn't make any sense. Are you positive you haven't missed
something? All the scripts do is remove the IP from the firewall or
hosts.deny. Perhaps the firewall rules have to be re-applied or
something? Other than that, I have no clue. I've never seen this
problem, and don't know why your system would be blocking something
without any reason to block it (ossec doesn't directly do any
blocking). You'd think there'd be a log somewhere though...

> Zoe
>
> On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>> > Thanks for the reply.
>> >
>> > No, IP is not blocked anywhere else.
>> > IP is not in the firewall, nor in hosts.deny. But it is still blocked until
>> > the timeout expires.
>> > After 900s (timeout), IP is allowed, but not before. Even if deleted
>> > from firewall and hosts.deny.
>> >
>> > The question: how is the timeout defined? Where or how can I remove it
>> > after active-response is applied?
>> >
>>
>> Remove it from wherever you set it. The supplied AR scripts don't do
>> anything fancy. Generally if you remove the IP from the firewall block
>> and from the hosts.deny block it'll be allowed. If you remove the
>> block from every place you have OSSEC set the block, it won't be
>> blocked (by OSSEC) anymore. It's that simple.
>> Since you haven't provided any useful information, that's all I can
>> help with. My guess would be you aren't using your tools correctly,
>> but that's just a guess.
>>
>> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>> >> > Hi guys,
>> >> >
>> >> > I set up ossec a few months ago, but I have some problems with
>> >> > active-responses.
>> >> >
>> >> > Active-responses work well, no problem with them.
>> >> > When an alert is detected, a lot of failed authentications from the
>> >> > same IP for example, the IP is blacklisted in the firewall, and all
>> >> > connections are dropped.
>> >> > I use a timeout of 900s and repeated_offenders.
>> >> >
>> >> > But, in some cases, it happened that a legitimate IP was blacklisted:
>> >> > wrong password or other. It was blacklisted for 900s.
>> >> >
>> >> > I want to manually unblock the IP, so I execute the commands:
>> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>> >> >
>> >> > It's ok: 1.1.1.1 is deleted from the firewall's blacklisted IPs and is
>> >> > also deleted from hosts.deny.
>> >> >
>> >> > But 1.1.1.1 is still not allowed to connect to the agent, until the
>> >> > timeout of 900s expires.
>> >> >
>> >> > My question: is there a way to manually unblock 1.1.1.1 before the
>> >> > timeout expires?
>> >> > Did active-response modify anything else, apart from adding a drop rule
>> >> > in the firewall and an IP in hosts.deny in my case?
>> >> >
>> >>
>> >> How would we know?
>> >>
>> >> > I already tried a reboot of the agent, it doesn't help.
>> >> >
>> >> > I'm using ossec 2.6.
>> >> >
>> >> > Thanks for any help.
>> >> >
>> >> > Zoe
>> >>
>> >> If you remove the IP from the hosts.deny and the firewall block, it
>> >> should be allowed. Unless you've blocked the IP somewhere else.
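One way to act on dan's point that the address has to be gone from every place OSSEC set the block: check each block point and report which ones still hold the IP, instead of assuming the delete calls worked. This is an added example, not code from the thread or from OSSEC. It assumes the block points of the stock scripts named in the config above (a DROP rule with the IP as source for firewall-drop.sh, an `ALL:<ip>` line in /etc/hosts.deny for host-deny.sh, and a reject route that `ip route show` lists as `unreachable <ip>` for route-null.sh); the iptables-save, hosts.deny and route listings below are constructed sample data, not captured from any host.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or from OSSEC itself).
# Report which block points still reference an IP so a manual
# "host-deny.sh delete" / "firewall-drop.sh delete" can be verified.
# Checkers take the text to inspect as an argument so they run on the
# constructed samples here; on a live host pass the real command output
# (see the usage comment at the bottom).
#
# Assumed block points (from the script names in the thread):
#   firewall-drop.sh -> "-s <ip> ... -j DROP" rule in iptables-save output
#   host-deny.sh     -> "ALL:<ip>" line in /etc/hosts.deny
#   route-null.sh    -> reject route shown by `ip route` as "unreachable <ip>"
#                       (blackhole/prohibit accepted too)

# Escape the dots of an IP so it matches literally inside a regex.
ip_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Exit 0 if the iptables-save text in $2 has a DROP rule with source $1.
iptables_blocks() {
    printf '%s\n' "$2" | grep -Eq -- "-s $(ip_regex "$1")(/32)? .*-j DROP"
}

# Exit 0 if the hosts.deny text in $2 has an uncommented ALL:<ip> entry for $1.
hosts_deny_blocks() {
    printf '%s\n' "$2" | grep -Eq \
        "^[[:space:]]*ALL[[:space:]]*:[[:space:]]*$(ip_regex "$1")([[:space:]]|$)"
}

# Exit 0 if the `ip route show` text in $2 has a null route for $1.
route_blocks() {
    printf '%s\n' "$2" | grep -Eq \
        "^(unreachable|blackhole|prohibit)[[:space:]]+$(ip_regex "$1")(/32)?([[:space:]]|$)"
}

# Print the block points that still hold $1 ("none" if clear everywhere).
# $2 = iptables-save text, $3 = hosts.deny text, $4 = ip route text.
block_points() {
    ip=$1; ipt=$2; hd=$3; rt=$4
    found=""
    if iptables_blocks "$ip" "$ipt"; then found="$found iptables"; fi
    if hosts_deny_blocks "$ip" "$hd"; then found="$found hosts.deny"; fi
    if route_blocks "$ip" "$rt"; then found="$found route"; fi
    found=${found# }
    printf '%s\n' "${found:-none}"
}

# --- Constructed sample data (not captured from any real host) ---
SAMPLE_IPT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 1.1.1.1/32 -j DROP
-A FORWARD -s 1.1.1.1/32 -j DROP
-A INPUT -s 10.0.0.5/32 -j ACCEPT
COMMIT'
SAMPLE_HD='# /etc/hosts.deny
ALL:1.1.1.1
# ALL:10.0.0.5'
SAMPLE_RT='default via 192.0.2.1 dev eth0
unreachable 1.1.1.1'

# On the samples, 1.1.1.1 is still held in all three places, 10.0.0.5 in none.
block_points 1.1.1.1 "$SAMPLE_IPT" "$SAMPLE_HD" "$SAMPLE_RT"
block_points 10.0.0.5 "$SAMPLE_IPT" "$SAMPLE_HD" "$SAMPLE_RT"

# On a live host, as root:
#   block_points "$IP" "$(iptables-save)" "$(cat /etc/hosts.deny)" "$(ip route show)"
```

Run it once before and once after the manual `delete` calls: if the second run still prints a block point, that is the place to look before suspecting the OSSEC timeout. A result of `none` while the address is still rejected points outside the active-response scripts, which matches dan's reading that the scripts only touch the firewall and hosts.deny.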
