Operating System : Linux openSuse I agree with you : that doesn't make any sense :) Re-apply firewall rules ? already done, no change. A copy of my ossec.conf is above, have I missed something ? I "firewall-drop delete" on agent, have i to do it on server ? on server ad agents ? from server to agents ? I check ossec.log on server, active-response.log on agents, nothing strange there. Nothing in system logs. Can others log files help ?
On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote: > > On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected] <javascript:>> > wrote: > > Thanks for explication. > > IP is not set anywhere else. > > > > Sorry for the lack of information : > > > > Ossec 2.6 is installed on server and agents with Suse Linux. > > > > # ossec.conf on Ossec Server > > <ossec_config> > > ... > > <command> > > <name>host-deny</name> > > <executable>host-deny.sh</executable> > > <expect>srcip</expect> > > <timeout_allowed>yes</timeout_allowed> > > </command> > > > > <command> > > <name>firewall-drop</name> > > <executable>firewall-drop.sh</executable> > > <expect>srcip</expect> > > <timeout_allowed>yes</timeout_allowed> > > </command> > > > > <command> > > <name>disable-account</name> > > <executable>disable-account.sh</executable> > > <expect>user</expect> > > <timeout_allowed>yes</timeout_allowed> > > </command> > > > > <command> > > <name>restart-ossec</name> > > <executable>restart-ossec.sh</executable> > > <expect></expect> > > </command> > > > > <command> > > <name>route-null</name> > > <executable>route-null.sh</executable> > > <expect>srcip</expect> > > <timeout_allowed>yes</timeout_allowed> > > </command> > > > > <active-response> > > <command>host-deny</command> > > <location>all</location> > > <level>10</level> > > <rules_id>11306</rules_id> > > <timeout>900</timeout> > > <repeated_offenders>15,30,60,120</repeated_offenders> > > </active-response> > > > > <active-response>--> > > <command>firewall-drop</command> > > <location>all</location> > > <level>10</level> > > <rules_id>11306</rules_id> > > <timeout>900</timeout> > > <repeated_offenders>15,30,60,120</repeated_offenders> > > </active-response> > > </ossec_config> > > ... > > > > # ossec.conf on Ossec agent > > <ossec_config> > > <client> > > <server-ip>1.1.1.2</server-ip> > > </client> > > <active-response> > > <repeated_offenders>15,30,60,120</repeated_offenders> > > </active-response> > > </ossec_config> > > > > Is there any other information that can help ? > > > > Operating system? > > > Thanks in advance for your help. > > > > Note : when ossec execute "firewall-drop delete" and "host-deny delete" > > after timeout, it's ok : IP is now allowed. > > But when I execute these commands manually, firewall and hosts.deny are > > modified, but IP remains blocked... > > > > That doesn't make any sense. Are you positive you haven't missed > something? All the scripts do is remove the IP from the firewall or > hosts.deny. Perhaps the firewall rules have to be re-applied or > something? > > Other than that, I have no clue. I've never seen this problem, and > don't know why your system would be blocking something without any > reason to block it (ossec doesn't directly do any blocking). You'd > think there'd be a log somewhere though... > > > Zoe > > > > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote: > >> > >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote: > >> > Thanks for reply. > >> > > >> > No, IP is not blocked anywhere else. > >> > IP is not in firewall, neither in hosts.deny. But is still blocked > until > >> > timeout expired. > >> > After 900s (timeout), IP is allowed, but not before. Evend if deleted > >> > from > >> > firewall and hosts.deny. > >> > > >> > The question : how is defined timeout ? Where or how can i remove it > >> > after > >> > active-response is applied ? > >> > > >> > >> Remove it from where-ever you set it. The supplied AR scripts don't do > >> anything fancy. Generally if you remove the IP from the firewall block > >> and from the hosts.deny block it'll be allowed. If you remove the > >> block from every place you have OSSEC set the block, it won't be > >> blocked (by OSSEC) anymore. It's that simple. > >> Since you haven't provided any useful information, that's all I can > >> help with. My guess would be you aren't using your tools correctly, > >> but that's just a guess. > >> > >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote: > >> >> > >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote: > >> >> > Hi guys, > >> >> > > >> >> > I set up ossec since few months now, but I have some problems with > >> >> > active-responses. > >> >> > > >> >> > Active-responses work well, no problem with it. > >> >> > When an alert is detected, a lot of failed authentication from the > >> >> > same > >> >> > IP > >> >> > for example, IP is blacklisted in the firewall, and all > connections > >> >> > are > >> >> > dropped. > >> >> > I use a timeout of 900s and repeated_offenders. > >> >> > > >> >> > But, in some cases, it arrived that a legitimate IP was > blacklisted : > >> >> > wrong > >> >> > password or other. It was blacklisted for 900s. > >> >> > > >> >> > I want to manually unblock the IP, so I execute the command : > >> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1 > >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1 > >> >> > > >> >> > It's ok : 1.1.1.1 is deleted from firewall's IP blacklisted IP and > is > >> >> > also > >> >> > deleted from hosts.deny. > >> >> > > >> >> > But 1.1.1.1 is still not allowing to connect to agent, until > timeout > >> >> > of > >> >> > 900s > >> >> > expired. > >> >> > > >> >> > My question : is there a way to manually unblock 1.1.1.1 ? before > >> >> > timeout > >> >> > expiration ? > >> >> > Did active-response modify anything else, apart of adding a drop > rule > >> >> > in > >> >> > firewall and an IP in hosts.deny in my case ?? > >> >> > > >> >> > >> >> How would we know? > >> >> > >> >> > I already try a reboot of agent, it doesn't help. > >> >> > > >> >> > I'm using ossec2.6. > >> >> > > >> >> > Thanks for any help. > >> >> > > >> >> > Zoe > >> >> > >> >> If you remove the IP from the hosts.deny and the firewall block, it > >> >> should be allowed. Unless you've blocked the IP somewhere else. >
