I have 52 agents. Is it possible, as Christian said, that I have to unblock the IP on all agents before it's unblocked on just one?
Regards.
Zoe

On Tuesday, October 16, 2012 6:10:21 PM UTC+2, Zoe wrote:
>
> Other thing: when I manually run "firewall-drop add", the command "firewall-drop delete" is ok, before timeout.
> But when it's ossec who runs it, with AR, a manual "firewall-drop delete" doesn't work...
>
> Can you confirm for me the rights on /var/ossec files and directories please?
>
> On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
>>
>> Thanks for your reply Christian.
>> ah?
>> "Running host-deny and/or firewall-drop just on one machine is not enough because it is not propagated to the others."
>> I agree it doesn't unblock on all machines, but on the single machine where the IP has been unblocked, I think it has to be unblocked, no?
>>
>> Dan,
>> The entire command I use is:
>> "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
>>
>> And nothing in logs.
>>
>> Zoe
>>
>> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
>>>
>>> I also use active_response (OSSEC 2.6) on a Debian server and whenever I want to unblock someone I delete the firewall rule directly using iptables commands. That always works instantaneously. But I have only one machine. In your setup using server/agent you have to unblock the IP at every agent and the server separately. Running host-deny and/or firewall-drop just on one machine is not enough because it is not propagated to the others.
>>>
>>> Regards
>>> Christian
>>>
>>> On 16.10.2012 17:16, Zoe wrote:
>>>
>>> Operating System: Linux openSuse
>>>
>>> I agree with you: that doesn't make any sense :)
>>> Re-apply firewall rules? Already done, no change.
>>> A copy of my ossec.conf is above, have I missed something?
>>> I "firewall-drop delete" on the agent; do I have to do it on the server? On server and agents? From server to agents?
>>> I checked ossec.log on the server, active-response.log on the agents, nothing strange there. Nothing in system logs.
>>> Can other log files help?
>>>
>>>
>>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
>>>>
>>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
>>>>> Thanks for the explanation.
>>>>> IP is not set anywhere else.
>>>>>
>>>>> Sorry for the lack of information:
>>>>>
>>>>> Ossec 2.6 is installed on server and agents with Suse Linux.
>>>>>
>>>>> # ossec.conf on Ossec Server
>>>>> <ossec_config>
>>>>> ...
>>>>> <command>
>>>>> <name>host-deny</name>
>>>>> <executable>host-deny.sh</executable>
>>>>> <expect>srcip</expect>
>>>>> <timeout_allowed>yes</timeout_allowed>
>>>>> </command>
>>>>>
>>>>> <command>
>>>>> <name>firewall-drop</name>
>>>>> <executable>firewall-drop.sh</executable>
>>>>> <expect>srcip</expect>
>>>>> <timeout_allowed>yes</timeout_allowed>
>>>>> </command>
>>>>>
>>>>> <command>
>>>>> <name>disable-account</name>
>>>>> <executable>disable-account.sh</executable>
>>>>> <expect>user</expect>
>>>>> <timeout_allowed>yes</timeout_allowed>
>>>>> </command>
>>>>>
>>>>> <command>
>>>>> <name>restart-ossec</name>
>>>>> <executable>restart-ossec.sh</executable>
>>>>> <expect></expect>
>>>>> </command>
>>>>>
>>>>> <command>
>>>>> <name>route-null</name>
>>>>> <executable>route-null.sh</executable>
>>>>> <expect>srcip</expect>
>>>>> <timeout_allowed>yes</timeout_allowed>
>>>>> </command>
>>>>>
>>>>> <active-response>
>>>>> <command>host-deny</command>
>>>>> <location>all</location>
>>>>> <level>10</level>
>>>>> <rules_id>11306</rules_id>
>>>>> <timeout>900</timeout>
>>>>> <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>> </active-response>
>>>>>
>>>>> <active-response>-->
>>>>> <command>firewall-drop</command>
>>>>> <location>all</location>
>>>>> <level>10</level>
>>>>> <rules_id>11306</rules_id>
>>>>> <timeout>900</timeout>
>>>>> <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>> </active-response>
>>>>> </ossec_config>
>>>>> ...
>>>>>
>>>>> # ossec.conf on Ossec agent
>>>>> <ossec_config>
>>>>> <client>
>>>>> <server-ip>1.1.1.2</server-ip>
>>>>> </client>
>>>>> <active-response>
>>>>> <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>> </active-response>
>>>>> </ossec_config>
>>>>>
>>>>> Is there any other information that can help?
>>>>>
>>>>
>>>> Operating system?
>>>>
>>>>> Thanks in advance for your help.
>>>>>
>>>>> Note: when ossec executes "firewall-drop delete" and "host-deny delete" after timeout, it's ok: IP is now allowed.
>>>>> But when I execute these commands manually, firewall and hosts.deny are modified, but IP remains blocked...
>>>>>
>>>>
>>>> That doesn't make any sense. Are you positive you haven't missed something? All the scripts do is remove the IP from the firewall or hosts.deny. Perhaps the firewall rules have to be re-applied or something?
>>>>
>>>> Other than that, I have no clue. I've never seen this problem, and don't know why your system would be blocking something without any reason to block it (ossec doesn't directly do any blocking). You'd think there'd be a log somewhere though...
>>>>
>>>>> Zoe
>>>>>
>>>>> On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>>>>>>> Thanks for the reply.
>>>>>>>
>>>>>>> No, IP is not blocked anywhere else.
>>>>>>> IP is not in the firewall, nor in hosts.deny. But it is still blocked until the timeout expired.
>>>>>>> After 900s (timeout), IP is allowed, but not before. Even if deleted from firewall and hosts.deny.
>>>>>>>
>>>>>>> The question: how is the timeout defined? Where or how can I remove it after active-response is applied?
>>>>>>>
>>>>>>
>>>>>> Remove it from where-ever you set it. The supplied AR scripts don't do anything fancy. Generally if you remove the IP from the firewall block and from the hosts.deny block it'll be allowed. If you remove the block from every place you have OSSEC set the block, it won't be blocked (by OSSEC) anymore. It's that simple.
>>>>>> Since you haven't provided any useful information, that's all I can help with. My guess would be you aren't using your tools correctly, but that's just a guess.
>>>>>>
>>>>>>> On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>>>>>>>>
>>>>>>>> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>>>>>>>>> Hi guys,
>>>>>>>>>
>>>>>>>>> I have had ossec set up for a few months now, but I have some problems with active-responses.
>>>>>>>>>
>>>>>>>>> Active-responses work well, no problem with it.
>>>>>>>>> When an alert is detected, a lot of failed authentications from the same IP for example, the IP is blacklisted in the firewall, and all connections are dropped.
>>>>>>>>> I use a timeout of 900s and repeated_offenders.
>>>>>>>>>
>>>>>>>>> But, in some cases, it happened that a legitimate IP was blacklisted: wrong password or other. It was blacklisted for 900s.
>>>>>>>>>
>>>>>>>>> I want to manually unblock the IP, so I execute the commands:
>>>>>>>>> # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>>>>>>>>> # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>>>>>>>>>
>>>>>>>>> It's ok: 1.1.1.1 is deleted from the firewall's blacklisted IPs and is also deleted from hosts.deny.
>>>>>>>>>
>>>>>>>>> But 1.1.1.1 is still not allowed to connect to the agent, until the timeout of 900s expired.
>>>>>>>>>
>>>>>>>>> My question: is there a way to manually unblock 1.1.1.1 before timeout expiration?
>>>>>>>>> Did active-response modify anything else, apart from adding a drop rule in the firewall and an IP in hosts.deny in my case??
>>>>>>>>>
>>>>>>>>
>>>>>>>> How would we know?
>>>>>>>>
>>>>>>>>> I already tried a reboot of the agent, it doesn't help.
>>>>>>>>>
>>>>>>>>> I'm using ossec2.6.
>>>>>>>>>
>>>>>>>>> Thanks for any help.
>>>>>>>>>
>>>>>>>>> Zoe
>>>>>>>>
>>>>>>>> If you remove the IP from the hosts.deny and the firewall block, it should be allowed. Unless you've blocked the IP somewhere else.
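Added here as a diagnostic for the situation in this thread; it is a hypothetical helper, not an OSSEC script and not code from anyone in the discussion. It reports whether an IP still appears in the two places the stock 2.6 AR scripts write on a host, iptables DROP rules (firewall-drop.sh) and /etc/hosts.deny (host-deny.sh); with <location>all</location> the block was placed on the server and on every agent, so the check (and the delete) has to be run on each of them. The iptables-save dump and hosts.deny contents below are constructed sample data.

```shell
#!/bin/sh
# Hypothetical helper (not part of OSSEC): report where an IP is still
# blocked on this host, in the two places firewall-drop.sh and host-deny.sh write.

# Count iptables DROP rules for $1 in an `iptables-save` dump read on stdin.
count_fw_blocks() {
    awk -v ip="$1" '
        /^-A/ && / -j DROP/ {
            for (i = 1; i < NF; i++)
                if ($i == "-s" && ($(i+1) == ip || $(i+1) == (ip "/32"))) n++
        }
        END { print n + 0 }'
}

# Count hosts.deny lines that list $1 (host-deny.sh writes "ALL:IP").
count_hostsdeny_blocks() {
    awk -v ip="$1" -F'[:, \t]+' '
        !/^#/ && NF >= 2 { for (i = 2; i <= NF; i++) if ($i == ip) { n++; break } }
        END { print n + 0 }'
}

# Report and return 0 only if no DROP rule or hosts.deny entry remains.
# Run on EVERY agent and the server: <location>all</location> put the block on each.
report_blocks() {
    ip="$1"; fw_dump="$2"; hosts_deny="$3"
    fw=$(count_fw_blocks "$ip" < "$fw_dump")
    hd=$(count_hostsdeny_blocks "$ip" < "$hosts_deny")
    echo "$ip: iptables DROP rules=$fw, hosts.deny entries=$hd"
    if [ "$fw" -eq 0 ] && [ "$hd" -eq 0 ]; then return 0; else return 1; fi
}

# Constructed sample input (on a real host: iptables-save > file, and /etc/hosts.deny).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/iptables.txt" <<'EOF'
*filter
-A INPUT -s 1.1.1.1/32 -j DROP
-A FORWARD -s 1.1.1.1/32 -j DROP
-A INPUT -s 1.1.1.10/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
# /etc/hosts.deny
ALL:1.1.1.1
ALL: 1.1.1.10, 3.3.3.3
EOF

report_blocks 1.1.1.1 "$SAMPLE_DIR/iptables.txt" "$SAMPLE_DIR/hosts.deny" || true
```

The exact-field comparison matters: a plain grep for 1.1.1.1 also matches 1.1.1.10, which would make a host look blocked when it is not.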
