On Tue, Oct 16, 2012 at 11:16 AM, Zoe <[email protected]> wrote:
> Operating System : Linux openSuse
>
> I agree with you : that doesn't make any sense :)
> Re-apply firewall rules ? already done, no change.
> A copy of my ossec.conf is above, have I missed something ?

Not that I'm aware of.

> I "firewall-drop delete" on agent, have I to do it on server ? on server and
> agents ? from server to agents ?

Only on the systems blocking the IP. And "firewall-drop delete" is not the
complete command, so hopefully you aren't getting that wrong in production.

> I check ossec.log on server, active-response.log on agents, nothing strange
> there. Nothing in system logs.
> Can other log files help ?
>

Whatever is blocking the IP should log something, right? Turn on logging for
anything that doesn't currently log stuff like that I guess.

>
> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
>> > Thanks for the explanation.
>> > IP is not set anywhere else.
>> >
>> > Sorry for the lack of information :
>> >
>> > Ossec 2.6 is installed on server and agents with Suse Linux.
>> >
>> > # ossec.conf on Ossec Server
>> > <ossec_config>
>> > ...
>> >   <command>
>> >     <name>host-deny</name>
>> >     <executable>host-deny.sh</executable>
>> >     <expect>srcip</expect>
>> >     <timeout_allowed>yes</timeout_allowed>
>> >   </command>
>> >
>> >   <command>
>> >     <name>firewall-drop</name>
>> >     <executable>firewall-drop.sh</executable>
>> >     <expect>srcip</expect>
>> >     <timeout_allowed>yes</timeout_allowed>
>> >   </command>
>> >
>> >   <command>
>> >     <name>disable-account</name>
>> >     <executable>disable-account.sh</executable>
>> >     <expect>user</expect>
>> >     <timeout_allowed>yes</timeout_allowed>
>> >   </command>
>> >
>> >   <command>
>> >     <name>restart-ossec</name>
>> >     <executable>restart-ossec.sh</executable>
>> >     <expect></expect>
>> >   </command>
>> >
>> >   <command>
>> >     <name>route-null</name>
>> >     <executable>route-null.sh</executable>
>> >     <expect>srcip</expect>
>> >     <timeout_allowed>yes</timeout_allowed>
>> >   </command>
>> >
>> >   <active-response>
>> >     <command>host-deny</command>
>> >     <location>all</location>
>> >     <level>10</level>
>> >     <rules_id>11306</rules_id>
>> >     <timeout>900</timeout>
>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>> >   </active-response>
>> >
>> >   <active-response>-->
>> >     <command>firewall-drop</command>
>> >     <location>all</location>
>> >     <level>10</level>
>> >     <rules_id>11306</rules_id>
>> >     <timeout>900</timeout>
>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>> >   </active-response>
>> > </ossec_config>
>> > ...
>> >
>> > # ossec.conf on Ossec agent
>> > <ossec_config>
>> >   <client>
>> >     <server-ip>1.1.1.2</server-ip>
>> >   </client>
>> >   <active-response>
>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>> >   </active-response>
>> > </ossec_config>
>> >
>> > Is there any other information that can help ?
>> >
>>
>> Operating system?
>>
>> > Thanks in advance for your help.
>> >
>> > Note : when ossec executes "firewall-drop delete" and "host-deny delete"
>> > after timeout, it's ok : IP is now allowed.
>> > But when I execute these commands manually, firewall and hosts.deny are
>> > modified, but IP remains blocked...
>> >
>>
>> That doesn't make any sense. Are you positive you haven't missed
>> something? All the scripts do is remove the IP from the firewall or
>> hosts.deny. Perhaps the firewall rules have to be re-applied or
>> something?
>>
>> Other than that, I have no clue. I've never seen this problem, and
>> don't know why your system would be blocking something without any
>> reason to block it (ossec doesn't directly do any blocking). You'd
>> think there'd be a log somewhere though...
>>
>> > Zoe
>> >
>> > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>> >> > Thanks for the reply.
>> >> >
>> >> > No, IP is not blocked anywhere else.
>> >> > IP is not in firewall, neither in hosts.deny. But it is still blocked
>> >> > until the timeout expired.
>> >> > After 900s (timeout), IP is allowed, but not before. Even if deleted
>> >> > from firewall and hosts.deny.
>> >> >
>> >> > The question : how is the timeout defined ? Where or how can I remove
>> >> > it after active-response is applied ?
>> >> >
>> >>
>> >> Remove it from where-ever you set it. The supplied AR scripts don't do
>> >> anything fancy. Generally if you remove the IP from the firewall block
>> >> and from the hosts.deny block it'll be allowed. If you remove the
>> >> block from every place you have OSSEC set the block, it won't be
>> >> blocked (by OSSEC) anymore. It's that simple.
>> >> Since you haven't provided any useful information, that's all I can
>> >> help with. My guess would be you aren't using your tools correctly,
>> >> but that's just a guess.
>> >>
>> >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>> >> >> > Hi guys,
>> >> >> >
>> >> >> > I set up ossec a few months ago, but I have some problems with
>> >> >> > active-responses.
>> >> >> >
>> >> >> > Active-responses work well, no problem with it.
>> >> >> > When an alert is detected, a lot of failed authentications from the
>> >> >> > same IP for example, the IP is blacklisted in the firewall, and all
>> >> >> > connections are dropped.
>> >> >> > I use a timeout of 900s and repeated_offenders.
>> >> >> >
>> >> >> > But, in some cases, it happened that a legitimate IP was
>> >> >> > blacklisted : wrong password or other. It was blacklisted for 900s.
>> >> >> >
>> >> >> > I want to manually unblock the IP, so I execute the commands :
>> >> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>> >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>> >> >> >
>> >> >> > It's ok : 1.1.1.1 is deleted from the firewall's blacklisted IPs and
>> >> >> > is also deleted from hosts.deny.
>> >> >> >
>> >> >> > But 1.1.1.1 is still not allowed to connect to the agent, until the
>> >> >> > timeout of 900s expired.
>> >> >> >
>> >> >> > My question : is there a way to manually unblock 1.1.1.1 ? before
>> >> >> > timeout expiration ?
>> >> >> > Did active-response modify anything else, apart from adding a drop
>> >> >> > rule in the firewall and an IP in hosts.deny in my case ??
>> >> >> >
>> >> >>
>> >> >> How would we know?
>> >> >>
>> >> >> > I already tried a reboot of the agent, it doesn't help.
>> >> >> >
>> >> >> > I'm using ossec 2.6.
>> >> >> >
>> >> >> > Thanks for any help.
>> >> >> >
>> >> >> > Zoe
>> >> >>
>> >> >> If you remove the IP from the hosts.deny and the firewall block, it
>> >> >> should be allowed. Unless you've blocked the IP somewhere else.
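The advice in this thread boils down to "find every place the block was set and remove it there". The script below is an added example, written for this page; it is neither code from the thread nor part of OSSEC. It audits the three places the thread names (hosts.deny, the iptables rule set, and the agent's active-responses log) for an exact match of one address, so you can see what a manual `host-deny.sh delete` / `firewall-drop.sh delete` actually left behind. The three inputs are constructed samples so it runs offline; on a live agent you would pass `/etc/hosts.deny`, the output of `iptables-save`, and OSSEC's log (assumed here to be at its default path `/var/ossec/logs/active-responses.log`; the thread only calls it active-response.log). The log line format and the INPUT/FORWARD rule shape are likewise assumptions modelled on OSSEC's defaults, not quoted from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC.
# Audits where an IP address is still referenced after a manual unblock:
# hosts.deny, the current iptables rule set, and OSSEC's active-responses log.
# On a live agent, replace the constructed samples below with the real inputs:
#   "$(cat /etc/hosts.deny)"  "$(iptables-save)"  "$(cat /var/ossec/logs/active-responses.log)"
# (that log path is OSSEC's default and is an assumption here).

# Constructed sample of /etc/hosts.deny: 1.1.1.1 is listed, and 1.1.1.10 is a
# different host that a naive substring match would confuse with it.
HOSTS_DENY_SAMPLE=$(cat <<'EOF'
# /etc/hosts.deny (constructed sample)
ALL: 1.1.1.1
ALL: 1.1.1.10
EOF
)

# Constructed iptables-save style output. INPUT and FORWARD DROP rules are the
# shape firewall-drop.sh leaves behind (assumption); 121.1.1.1 is a decoy.
IPTABLES_SAMPLE=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 1.1.1.1/32 -j DROP
-A FORWARD -s 1.1.1.1/32 -j DROP
-A INPUT -s 121.1.1.1/32 -j DROP
COMMIT
EOF
)

# Constructed active-responses log lines modelled on OSSEC's format
# (date, script, action, user, srcip, alert id, rule id); an assumption.
AR_LOG_SAMPLE=$(cat <<'EOF'
Tue Oct 16 10:01:02 CEST 2012 /var/ossec/active-response/bin/host-deny.sh add - 1.1.1.1 1350374462.1234 11306
Tue Oct 16 10:01:02 CEST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 1.1.1.1 1350374462.1234 11306
EOF
)

# Build an ERE that matches the exact address only: "1.1.1.1" must not match
# "1.1.1.10" or "121.1.1.1", so both ends are fenced with non-address characters.
ip_pattern() {
    printf '(^|[^0-9.])%s([^0-9.]|$)\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# audit_ip_block IP HOSTS_DENY_TEXT IPTABLES_TEXT AR_LOG_TEXT
# Prints every line that still references IP, prefixed with its source.
# Returns 0 if at least one reference was found, 1 if none.
audit_ip_block() {
    ip=$1
    pat=$(ip_pattern "$ip")
    found=$(
        printf '%s\n' "$2" | grep -E "$pat" | sed 's/^/hosts.deny: /'
        printf '%s\n' "$3" | grep -E "$pat" | sed 's/^/iptables: /'
        printf '%s\n' "$4" | grep -E "$pat" | sed 's/^/active-responses.log: /'
    )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    printf '%s: no reference found; look elsewhere (another firewall layer, a saved rule set that is reloaded, another host)\n' "$ip"
    return 1
}

# Stand-alone run: audit the address given as first argument, default 1.1.1.1.
audit_ip_block "${1:-1.1.1.1}" "$HOSTS_DENY_SAMPLE" "$IPTABLES_SAMPLE" "$AR_LOG_SAMPLE"
```

Run it once before and once after the two `delete` commands from the thread. A rule that still shows up under `iptables:` afterwards is a clue in itself: `iptables -D` removes a single instance of a matching rule, so if the same DROP rule was inserted more than once, one delete leaves one copy in place. The `active-responses.log:` lines are expected to remain (they are history, not state); they tell you which script set the block and on which host, which is where the delete has to be run.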
