And the winner is ...... Christian! Thanks!

On Tuesday, October 16, 2012 7:12:55 PM UTC+2, Zoe wrote:
>
> I have 52 agents. Is it possible, as Christian said, that I have to
> unblock the IP on all agents before it is unblocked on just one?
>
> Regards.
>
> Zoe
>
> On Tuesday, October 16, 2012 6:10:21 PM UTC+2, Zoe wrote:
>>
>> Another thing: when I manually run "firewall-drop add", the command
>> "firewall-drop delete" is OK, before the timeout.
>> But when it is ossec that runs it, with AR, a manual "firewall-drop delete"
>> doesn't work...
>>
>> Can you confirm the rights on the /var/ossec files and directories please?
>>
>> On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
>>>
>>> Thanks for your reply Christian.
>>> Ah?
>>> "Running host-deny and/or firewall-drop just on one machine is not
>>> enough because it is not propagated to the others."
>>> I agree it doesn't unblock on all machines, but on the single machine
>>> where the IP has been unblocked, I think it has to be unblocked, no?
>>>
>>> Dan,
>>> The entire command I use is:
>>> "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
>>>
>>> And nothing in the logs.
>>>
>>> Zoe
>>>
>>> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
>>>>
>>>> I also use active_response (OSSEC 2.6) on a Debian server and
>>>> whenever I want to unblock someone I delete the firewall rule directly
>>>> using iptables commands. That always works instantaneously. But I have only
>>>> one machine. In your setup using server/agent you have to unblock the IP at
>>>> every agent and the server separately. Running host-deny and/or
>>>> firewall-drop just on one machine is not enough because it is not
>>>> propagated to the others.
>>>>
>>>> Regards
>>>> Christian
>>>>
>>>> On 16.10.2012 17:16, Zoe wrote:
>>>>
>>>> Operating System: Linux openSuse
>>>>
>>>> I agree with you: that doesn't make any sense :)
>>>> Re-apply firewall rules? Already done, no change.
>>>> A copy of my ossec.conf is above, have I missed something?
>>>> I "firewall-drop delete" on the agent; do I have to do it on the server? On
>>>> server and agents? From server to agents?
>>>> I checked ossec.log on the server, active-response.log on the agents, nothing
>>>> strange there. Nothing in the system logs.
>>>> Can other log files help?
>>>>
>>>>
>>>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
>>>>>
>>>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
>>>>> > Thanks for the explanation.
>>>>> > The IP is not set anywhere else.
>>>>> >
>>>>> > Sorry for the lack of information:
>>>>> >
>>>>> > OSSEC 2.6 is installed on the server and agents with SUSE Linux.
>>>>> >
>>>>> > # ossec.conf on OSSEC server
>>>>> > <ossec_config>
>>>>> > ...
>>>>> >   <command>
>>>>> >     <name>host-deny</name>
>>>>> >     <executable>host-deny.sh</executable>
>>>>> >     <expect>srcip</expect>
>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>> >   </command>
>>>>> >
>>>>> >   <command>
>>>>> >     <name>firewall-drop</name>
>>>>> >     <executable>firewall-drop.sh</executable>
>>>>> >     <expect>srcip</expect>
>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>> >   </command>
>>>>> >
>>>>> >   <command>
>>>>> >     <name>disable-account</name>
>>>>> >     <executable>disable-account.sh</executable>
>>>>> >     <expect>user</expect>
>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>> >   </command>
>>>>> >
>>>>> >   <command>
>>>>> >     <name>restart-ossec</name>
>>>>> >     <executable>restart-ossec.sh</executable>
>>>>> >     <expect></expect>
>>>>> >   </command>
>>>>> >
>>>>> >   <command>
>>>>> >     <name>route-null</name>
>>>>> >     <executable>route-null.sh</executable>
>>>>> >     <expect>srcip</expect>
>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>> >   </command>
>>>>> >
>>>>> >   <active-response>
>>>>> >     <command>host-deny</command>
>>>>> >     <location>all</location>
>>>>> >     <level>10</level>
>>>>> >     <rules_id>11306</rules_id>
>>>>> >     <timeout>900</timeout>
>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>> >   </active-response>
>>>>> >
>>>>> >   <active-response>-->
>>>>> >     <command>firewall-drop</command>
>>>>> >     <location>all</location>
>>>>> >     <level>10</level>
>>>>> >     <rules_id>11306</rules_id>
>>>>> >     <timeout>900</timeout>
>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>> >   </active-response>
>>>>> > </ossec_config>
>>>>> > ...
>>>>> >
>>>>> > # ossec.conf on OSSEC agent
>>>>> > <ossec_config>
>>>>> >   <client>
>>>>> >     <server-ip>1.1.1.2</server-ip>
>>>>> >   </client>
>>>>> >   <active-response>
>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>> >   </active-response>
>>>>> > </ossec_config>
>>>>> >
>>>>> > Is there any other information that can help?
>>>>> >
>>>>>
>>>>> Operating system?
>>>>>
>>>>> > Thanks in advance for your help.
>>>>> >
>>>>> > Note: when ossec executes "firewall-drop delete" and "host-deny delete"
>>>>> > after the timeout, it's OK: the IP is then allowed.
>>>>> > But when I execute these commands manually, the firewall and hosts.deny are
>>>>> > modified, but the IP remains blocked...
>>>>> >
>>>>>
>>>>> That doesn't make any sense. Are you positive you haven't missed
>>>>> something? All the scripts do is remove the IP from the firewall or
>>>>> hosts.deny. Perhaps the firewall rules have to be re-applied or
>>>>> something?
>>>>>
>>>>> Other than that, I have no clue. I've never seen this problem, and
>>>>> don't know why your system would be blocking something without any
>>>>> reason to block it (ossec doesn't directly do any blocking). You'd
>>>>> think there'd be a log somewhere though...
>>>>>
>>>>> > Zoe
>>>>> >
>>>>> > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>>>>> >>
>>>>> >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>>>>> >> > Thanks for the reply.
>>>>> >> >
>>>>> >> > No, the IP is not blocked anywhere else.
>>>>> >> > The IP is not in the firewall, nor in hosts.deny. But it is still
>>>>> >> > blocked until the timeout expires.
>>>>> >> > After 900s (timeout), the IP is allowed, but not before. Even if
>>>>> >> > deleted from the firewall and hosts.deny.
>>>>> >> >
>>>>> >> > The question: how is the timeout defined? Where or how can I remove
>>>>> >> > it after the active-response is applied?
>>>>> >> >
>>>>> >>
>>>>> >> Remove it from wherever you set it. The supplied AR scripts don't do
>>>>> >> anything fancy. Generally if you remove the IP from the firewall block
>>>>> >> and from the hosts.deny block it'll be allowed. If you remove the
>>>>> >> block from every place you have OSSEC set the block, it won't be
>>>>> >> blocked (by OSSEC) anymore. It's that simple.
>>>>> >> Since you haven't provided any useful information, that's all I can
>>>>> >> help with. My guess would be you aren't using your tools correctly,
>>>>> >> but that's just a guess.
>>>>> >>
>>>>> >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>>>>> >> >>
>>>>> >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>>>>> >> >> > Hi guys,
>>>>> >> >> >
>>>>> >> >> > I set up ossec a few months ago, but I have some problems with
>>>>> >> >> > active-responses.
>>>>> >> >> >
>>>>> >> >> > Active-responses work well, no problem with them.
>>>>> >> >> > When an alert is detected, a lot of failed authentications from the
>>>>> >> >> > same IP for example, the IP is blacklisted in the firewall, and all
>>>>> >> >> > connections are dropped.
>>>>> >> >> > I use a timeout of 900s and repeated_offenders.
>>>>> >> >> >
>>>>> >> >> > But, in some cases, it happened that a legitimate IP was blacklisted:
>>>>> >> >> > wrong password or other. It was blacklisted for 900s.
>>>>> >> >> >
>>>>> >> >> > I want to manually unblock the IP, so I execute the commands:
>>>>> >> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>>>>> >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>>>>> >> >> >
>>>>> >> >> > It's OK: 1.1.1.1 is deleted from the firewall's blacklisted IPs and is
>>>>> >> >> > also deleted from hosts.deny.
>>>>> >> >> >
>>>>> >> >> > But 1.1.1.1 is still not allowed to connect to the agent, until the
>>>>> >> >> > timeout of 900s expires.
>>>>> >> >> >
>>>>> >> >> > My question: is there a way to manually unblock 1.1.1.1? Before the
>>>>> >> >> > timeout expiration?
>>>>> >> >> > Did active-response modify anything else, apart from adding a drop
>>>>> >> >> > rule in the firewall and an IP in hosts.deny in my case??
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >> How would we know?
>>>>> >> >>
>>>>> >> >> > I already tried a reboot of the agent, it doesn't help.
>>>>> >> >> >
>>>>> >> >> > I'm using ossec 2.6.
>>>>> >> >> >
>>>>> >> >> > Thanks for any help.
>>>>> >> >> >
>>>>> >> >> > Zoe
>>>>> >> >>
>>>>> >> >> If you remove the IP from the hosts.deny and the firewall block, it
>>>>> >> >> should be allowed. Unless you've blocked the IP somewhere else.
