Another thing: when I manually run "firewall-drop add", the command "firewall-drop delete" is ok, before timeout. But when it's ossec who runs it, with AR, a manual "firewall-drop delete" doesn't work...

Can you confirm the rights on /var/ossec files and directories please?

On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
> Thanks for your reply Christian.
> ah ?
> "Running host-deny and/or firewall-drop just on one machine is not enough because it is not propagated to the others."
> I agree it doesn't unblock on all machines, but on the single machine where IP has been unblocked, I think it has to be unblocked, no ?
>
> Dan,
> Entire command I use is : "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
>
> And nothing in logs.
>
> Zoe
>
> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
>> I also use active_response (OSSEC 2.6) on a Debian server and whenever I want to unblock someone I delete the firewall rule directly using iptables commands. That always works instantaneously. But I have only one machine. In your setup using server/agent you have to unblock the IP at every agent and the server separately. Running host-deny and/or firewall-drop just on one machine is not enough because it is not propagated to the others.
>>
>> Regards
>> Christian
>>
>> On 16.10.2012 17:16, Zoe wrote:
>> Operating System : Linux openSuse
>>
>> I agree with you : that doesn't make any sense :)
>> Re-apply firewall rules ? already done, no change.
>> A copy of my ossec.conf is above, have I missed something ?
>> I "firewall-drop delete" on agent, have I to do it on server ? on server and agents ? from server to agents ?
>> I check ossec.log on server, active-response.log on agents, nothing strange there. Nothing in system logs.
>> Can other log files help ?
>>
>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
>>>> Thanks for explication.
>>>> IP is not set anywhere else.
>>>>
>>>> Sorry for the lack of information :
>>>>
>>>> Ossec 2.6 is installed on server and agents with Suse Linux.
>>>>
>>>> # ossec.conf on Ossec Server
>>>> <ossec_config>
>>>> ...
>>>>   <command>
>>>>     <name>host-deny</name>
>>>>     <executable>host-deny.sh</executable>
>>>>     <expect>srcip</expect>
>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>   </command>
>>>>
>>>>   <command>
>>>>     <name>firewall-drop</name>
>>>>     <executable>firewall-drop.sh</executable>
>>>>     <expect>srcip</expect>
>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>   </command>
>>>>
>>>>   <command>
>>>>     <name>disable-account</name>
>>>>     <executable>disable-account.sh</executable>
>>>>     <expect>user</expect>
>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>   </command>
>>>>
>>>>   <command>
>>>>     <name>restart-ossec</name>
>>>>     <executable>restart-ossec.sh</executable>
>>>>     <expect></expect>
>>>>   </command>
>>>>
>>>>   <command>
>>>>     <name>route-null</name>
>>>>     <executable>route-null.sh</executable>
>>>>     <expect>srcip</expect>
>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>   </command>
>>>>
>>>>   <active-response>
>>>>     <command>host-deny</command>
>>>>     <location>all</location>
>>>>     <level>10</level>
>>>>     <rules_id>11306</rules_id>
>>>>     <timeout>900</timeout>
>>>>     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>   </active-response>
>>>>
>>>>   <active-response>-->
>>>>     <command>firewall-drop</command>
>>>>     <location>all</location>
>>>>     <level>10</level>
>>>>     <rules_id>11306</rules_id>
>>>>     <timeout>900</timeout>
>>>>     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>   </active-response>
>>>> </ossec_config>
>>>> ...
>>>>
>>>> # ossec.conf on Ossec agent
>>>> <ossec_config>
>>>>   <client>
>>>>     <server-ip>1.1.1.2</server-ip>
>>>>   </client>
>>>>   <active-response>
>>>>     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>   </active-response>
>>>> </ossec_config>
>>>>
>>>> Is there any other information that can help ?
>>>>
>>> Operating system?
>>>
>>>> Thanks in advance for your help.
>>>>
>>>> Note : when ossec executes "firewall-drop delete" and "host-deny delete" after timeout, it's ok : IP is now allowed.
>>>> But when I execute these commands manually, firewall and hosts.deny are modified, but IP remains blocked...
>>>>
>>> That doesn't make any sense. Are you positive you haven't missed something? All the scripts do is remove the IP from the firewall or hosts.deny. Perhaps the firewall rules have to be re-applied or something?
>>>
>>> Other than that, I have no clue. I've never seen this problem, and don't know why your system would be blocking something without any reason to block it (ossec doesn't directly do any blocking). You'd think there'd be a log somewhere though...
>>>
>>>> Zoe
>>>>
>>>> On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>>>>> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>>>>>> Thanks for reply.
>>>>>>
>>>>>> No, IP is not blocked anywhere else.
>>>>>> IP is not in firewall, neither in hosts.deny. But is still blocked until timeout expired.
>>>>>> After 900s (timeout), IP is allowed, but not before. Even if deleted from firewall and hosts.deny.
>>>>>>
>>>>>> The question : how is timeout defined ? Where or how can I remove it after active-response is applied ?
>>>>>>
>>>>> Remove it from where-ever you set it. The supplied AR scripts don't do anything fancy. Generally if you remove the IP from the firewall block and from the hosts.deny block it'll be allowed. If you remove the block from every place you have OSSEC set the block, it won't be blocked (by OSSEC) anymore. It's that simple.
>>>>> Since you haven't provided any useful information, that's all I can help with. My guess would be you aren't using your tools correctly, but that's just a guess.
>>>>>
>>>>>> On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>>>>>>> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>>>>>>>> Hi guys,
>>>>>>>>
>>>>>>>> I set up ossec a few months ago now, but I have some problems with active-responses.
>>>>>>>>
>>>>>>>> Active-responses work well, no problem with it.
>>>>>>>> When an alert is detected, a lot of failed authentication from the same IP for example, IP is blacklisted in the firewall, and all connections are dropped.
>>>>>>>> I use a timeout of 900s and repeated_offenders.
>>>>>>>>
>>>>>>>> But, in some cases, it happened that a legitimate IP was blacklisted : wrong password or other. It was blacklisted for 900s.
>>>>>>>>
>>>>>>>> I want to manually unblock the IP, so I execute the commands :
>>>>>>>> # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>>>>>>>> # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>>>>>>>>
>>>>>>>> It's ok : 1.1.1.1 is deleted from the firewall's blacklisted IPs and is also deleted from hosts.deny.
>>>>>>>>
>>>>>>>> But 1.1.1.1 is still not allowed to connect to agent, until timeout of 900s expired.
>>>>>>>>
>>>>>>>> My question : is there a way to manually unblock 1.1.1.1 ? before timeout expiration ?
>>>>>>>> Did active-response modify anything else, apart from adding a drop rule in firewall and an IP in hosts.deny in my case ??
>>>>>>>>
>>>>>>> How would we know?
>>>>>>>
>>>>>>>> I already tried a reboot of agent, it doesn't help.
>>>>>>>>
>>>>>>>> I'm using ossec2.6.
>>>>>>>>
>>>>>>>> Thanks for any help.
>>>>>>>>
>>>>>>>> Zoe
>>>>>>>
>>>>>>> If you remove the IP from the hosts.deny and the firewall block, it should be allowed. Unless you've blocked the IP somewhere else.
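The advice in the thread boils down to one check: with `<location>all</location>` the block was applied on the server and on every agent, so the IP must be gone from the firewall and from hosts.deny on each of them. The script below is an added example (not code from the thread or from the OSSEC project) that runs that check over per-host snapshots. It assumes the artefacts left by the default scripts, an iptables DROP rule in INPUT and FORWARD for firewall-drop.sh and an `ALL:<ip>` line in /etc/hosts.deny for host-deny.sh; the host names and the `iptables -S` / hosts.deny dumps are constructed sample data.

```python
"""Cross-host check for leftover OSSEC active-response blocks.

Added example, not part of the mailing-list thread or of OSSEC itself.
Feed it one snapshot per host (server and agents) and it reports every
host where the IP is still present in a DROP rule or in hosts.deny.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostState:
    name: str
    iptables_rules: str  # output of `iptables -S` captured on that host
    hosts_deny: str      # contents of /etc/hosts.deny on that host


# Assumed rule shape (modeled on the default firewall-drop.sh):
# "-A INPUT -s 1.1.1.1/32 -j DROP" and the same for FORWARD.
_RULE_RE = re.compile(r"^-A\s+(INPUT|FORWARD)\s+-s\s+(\S+)\s+-j\s+DROP\s*$")


def _same_host(spec: str, ip: str) -> bool:
    """`iptables -S` prints a single address as ip/32; accept both forms."""
    return spec == ip or spec == f"{ip}/32"


def blocking_rules(rules: str, ip: str) -> List[str]:
    """Return the DROP rules in the dump that still match `ip`, in order."""
    found = []
    for line in rules.splitlines():
        m = _RULE_RE.match(line.strip())
        if m and _same_host(m.group(2), ip):
            found.append(line.strip())
    return found


def hosts_deny_entries(content: str, ip: str) -> List[str]:
    """Return hosts.deny lines whose client list names `ip`.

    host-deny.sh writes "ALL:<ip>", but any daemon list is flagged so a
    hand-added "sshd: <ip>" is not missed. Comments and blanks are skipped.
    """
    found = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        _daemons, _, clients = stripped.partition(":")
        # hosts_access(5) client lists are separated by blanks or commas
        if ip in re.split(r"[\s,]+", clients.strip()):
            found.append(stripped)
    return found


def residual_blocks(hosts: List[HostState], ip: str) -> Dict[str, List[str]]:
    """Map host name -> leftover block artefacts for `ip`.

    Hosts with nothing left are omitted, so an empty dict means the IP is
    unblocked everywhere the active response reached.
    """
    report: Dict[str, List[str]] = {}
    for h in hosts:
        left = blocking_rules(h.iptables_rules, ip)
        left += [f"hosts.deny: {e}" for e in hosts_deny_entries(h.hosts_deny, ip)]
        if left:
            report[h.name] = left
    return report


# Constructed snapshots: the server was cleaned, one agent still has the
# iptables rules, another still has the hosts.deny line.
SAMPLE_HOSTS = [
    HostState("ossec-server",
              "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n",
              "# /etc/hosts.deny (constructed)\n"),
    HostState("agent-a",
              "-P INPUT ACCEPT\n"
              "-A INPUT -s 1.1.1.1/32 -j DROP\n"
              "-A FORWARD -s 1.1.1.1/32 -j DROP\n",
              "# /etc/hosts.deny (constructed)\n"),
    HostState("agent-b",
              "-P INPUT ACCEPT\n",
              "# /etc/hosts.deny (constructed)\nALL: PARANOID\nALL:1.1.1.1\n"),
]


if __name__ == "__main__":
    for host, left in residual_blocks(SAMPLE_HOSTS, "1.1.1.1").items():
        print(f"{host}: still blocks 1.1.1.1 via {', '.join(left)}")
```

In practice the snapshots would be collected with `iptables -S` and `cat /etc/hosts.deny` on each host before and after running the delete commands. Note also that the default OSSEC AR scripts take three positional arguments (action, user, IP), which is why the later command in the thread passes `-` as the user placeholder: `firewall-drop.sh delete - 1.1.1.1`.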
