On Tue, Oct 16, 2012 at 2:00 PM, Zoe <[email protected]> wrote:
> And the winner is ...... Christian!
> Thanks!
>

What's the answer? You have to unblock it from every system before it works?

>
> On Tuesday, October 16, 2012 7:12:55 PM UTC+2, Zoe wrote:
>>
>> I have 52 agents. Is it possible, as Christian said, that I have to
>> unblock the IP on all agents before it's unblocked on just one?
>>
>> Regards.
>>
>> Zoe
>>
>> On Tuesday, October 16, 2012 6:10:21 PM UTC+2, Zoe wrote:
>>>
>>> Another thing: when I manually run "firewall-drop add", the command
>>> "firewall-drop delete" works, before the timeout.
>>> But when it's ossec that runs it, with AR, a manual "firewall-drop delete"
>>> doesn't work...
>>>
>>> Can you confirm for me the rights on the /var/ossec files and directories please?
>>>
>>> On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
>>>>
>>>> Thanks for your reply Christian.
>>>> ah?
>>>> "Running host-deny and/or firewall-drop just on one machine is not
>>>> enough because it is not propagated to the others."
>>>> I agree it doesn't unblock on all machines, but on the single machine
>>>> where the IP has been unblocked, I think it has to be unblocked, no?
>>>>
>>>> Dan,
>>>> The entire command I use is:
>>>> "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
>>>>
>>>> And nothing in logs.
>>>>
>>>> Zoe
>>>>
>>>> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
>>>>>
>>>>> I also use active_response (OSSEC 2.6) on a Debian server and whenever
>>>>> I want to unblock someone I delete the firewall rule directly using
>>>>> iptables commands. That always works instantaneously. But I have only
>>>>> one machine. In your setup using server/agent you have to unblock the
>>>>> IP at every agent and the server separately. Running host-deny and/or
>>>>> firewall-drop just on one machine is not enough because it is not
>>>>> propagated to the others.
>>>>>
>>>>> Regards
>>>>> Christian
>>>>>
>>>>> Am 16.10.2012 17:16, schrieb Zoe:
>>>>>
>>>>> Operating System: Linux openSUSE
>>>>>
>>>>> I agree with you: that doesn't make any sense :)
>>>>> Re-apply firewall rules? Already done, no change.
>>>>> A copy of my ossec.conf is above, have I missed something?
>>>>> I run "firewall-drop delete" on the agent; do I have to do it on the
>>>>> server? On server and agents? From server to agents?
>>>>> I checked ossec.log on the server and active-response.log on the agents,
>>>>> nothing strange there. Nothing in system logs.
>>>>> Can other log files help?
>>>>>
>>>>>
>>>>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
>>>>>> > Thanks for the explanation.
>>>>>> > The IP is not set anywhere else.
>>>>>> >
>>>>>> > Sorry for the lack of information :
>>>>>> >
>>>>>> > Ossec 2.6 is installed on server and agents with Suse Linux.
>>>>>> >
>>>>>> > # ossec.conf on Ossec Server
>>>>>> >  <ossec_config>
>>>>>> > ...
>>>>>> >   <command>
>>>>>> >     <name>host-deny</name>
>>>>>> >     <executable>host-deny.sh</executable>
>>>>>> >     <expect>srcip</expect>
>>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>>> >   </command>
>>>>>> >
>>>>>> >   <command>
>>>>>> >     <name>firewall-drop</name>
>>>>>> >     <executable>firewall-drop.sh</executable>
>>>>>> >     <expect>srcip</expect>
>>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>>> >   </command>
>>>>>> >
>>>>>> >  <command>
>>>>>> >     <name>disable-account</name>
>>>>>> >     <executable>disable-account.sh</executable>
>>>>>> >     <expect>user</expect>
>>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>>> >   </command>
>>>>>> >
>>>>>> >   <command>
>>>>>> >     <name>restart-ossec</name>
>>>>>> >     <executable>restart-ossec.sh</executable>
>>>>>> >     <expect></expect>
>>>>>> >   </command>
>>>>>> >
>>>>>> >   <command>
>>>>>> >     <name>route-null</name>
>>>>>> >     <executable>route-null.sh</executable>
>>>>>> >     <expect>srcip</expect>
>>>>>> >     <timeout_allowed>yes</timeout_allowed>
>>>>>> >   </command>
>>>>>> >
>>>>>> >  <active-response>
>>>>>> >     <command>host-deny</command>
>>>>>> >     <location>all</location>
>>>>>> >     <level>10</level>
>>>>>> >     <rules_id>11306</rules_id>
>>>>>> >     <timeout>900</timeout>
>>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>>> >   </active-response>
>>>>>> >
>>>>>> >   <active-response>
>>>>>> >     <command>firewall-drop</command>
>>>>>> >     <location>all</location>
>>>>>> >     <level>10</level>
>>>>>> >     <rules_id>11306</rules_id>
>>>>>> >     <timeout>900</timeout>
>>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>>> >   </active-response>
>>>>>> >  </ossec_config>
>>>>>> > ...
>>>>>> >
>>>>>> > # ossec.conf on Ossec agent
>>>>>> >  <ossec_config>
>>>>>> >         <client>
>>>>>> >                 <server-ip>1.1.1.2</server-ip>
>>>>>> >         </client>
>>>>>> >         <active-response>
>>>>>> >                 <repeated_offenders>15,30,60,120</repeated_offenders>
>>>>>> >         </active-response>
>>>>>> >  </ossec_config>
>>>>>> >
>>>>>> > Is there any other information that could help?
>>>>>> >
>>>>>>
>>>>>> Operating system?
>>>>>>
>>>>>> > Thanks in advance for your help.
>>>>>> >
>>>>>> > Note: when ossec executes "firewall-drop delete" and "host-deny
>>>>>> > delete" after the timeout, it's ok: the IP is now allowed.
>>>>>> > But when I execute these commands manually, the firewall and
>>>>>> > hosts.deny are modified, but the IP remains blocked...
>>>>>> >
>>>>>>
>>>>>> That doesn't make any sense. Are you positive you haven't missed
>>>>>> something? All the scripts do is remove the IP from the firewall or
>>>>>> hosts.deny. Perhaps the firewall rules have to be re-applied or
>>>>>> something?
>>>>>>
>>>>>> Other than that, I have no clue. I've never seen this problem, and
>>>>>> don't know why your system would be blocking something without any
>>>>>> reason to block it (ossec doesn't directly do any blocking). You'd
>>>>>> think there'd be a log somewhere though...
>>>>>>
>>>>>> > Zoe
>>>>>> >
>>>>>> > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>>>>>> >>
>>>>>> >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>>>>>> >> > Thanks for the reply.
>>>>>> >> >
>>>>>> >> > No, the IP is not blocked anywhere else.
>>>>>> >> > The IP is not in the firewall, nor in hosts.deny. But it is still
>>>>>> >> > blocked until the timeout expires.
>>>>>> >> > After 900s (timeout), the IP is allowed, but not before. Even if
>>>>>> >> > deleted from the firewall and hosts.deny.
>>>>>> >> >
>>>>>> >> > The question: how is the timeout defined? Where or how can I
>>>>>> >> > remove it after the active-response is applied?
>>>>>> >> >
>>>>>> >>
>>>>>> >> Remove it from wherever you set it. The supplied AR scripts don't
>>>>>> >> do anything fancy. Generally if you remove the IP from the firewall
>>>>>> >> block and from the hosts.deny block it'll be allowed. If you remove
>>>>>> >> the block from every place you have OSSEC set the block, it won't be
>>>>>> >> blocked (by OSSEC) anymore. It's that simple.
>>>>>> >> Since you haven't provided any useful information, that's all I can
>>>>>> >> help with. My guess would be you aren't using your tools correctly,
>>>>>> >> but that's just a guess.
>>>>>> >>
>>>>>> >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>>>>>> >> >>
>>>>>> >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>>>>>> >> >> > Hi guys,
>>>>>> >> >> >
>>>>>> >> >> > I set up ossec a few months ago, but I have some problems
>>>>>> >> >> > with active-responses.
>>>>>> >> >> >
>>>>>> >> >> > Active-responses work well, no problem with them.
>>>>>> >> >> > When an alert is detected, a lot of failed authentications from
>>>>>> >> >> > the same IP for example, the IP is blacklisted in the firewall,
>>>>>> >> >> > and all connections are dropped.
>>>>>> >> >> > I use a timeout of 900s and repeated_offenders.
>>>>>> >> >> >
>>>>>> >> >> > But, in some cases, it happened that a legitimate IP was
>>>>>> >> >> > blacklisted: wrong password or other. It was blacklisted for 900s.
>>>>>> >> >> >
>>>>>> >> >> > I want to manually unblock the IP, so I execute the commands:
>>>>>> >> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>>>>>> >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>>>>>> >> >> >
>>>>>> >> >> > It's ok: 1.1.1.1 is deleted from the firewall's blacklisted IPs
>>>>>> >> >> > and is also deleted from hosts.deny.
>>>>>> >> >> >
>>>>>> >> >> > But 1.1.1.1 is still not allowed to connect to the agent, until
>>>>>> >> >> > the timeout of 900s expires.
>>>>>> >> >> >
>>>>>> >> >> > My question: is there a way to manually unblock 1.1.1.1 before
>>>>>> >> >> > the timeout expires?
>>>>>> >> >> > Did active-response modify anything else, apart from adding a
>>>>>> >> >> > drop rule in the firewall and an IP in hosts.deny in my case??
>>>>>> >> >> >
>>>>>> >> >>
>>>>>> >> >> How would we know?
>>>>>> >> >>
>>>>>> >> >> > I already tried a reboot of the agent, it doesn't help.
>>>>>> >> >> >
>>>>>> >> >> > I'm using ossec 2.6.
>>>>>> >> >> >
>>>>>> >> >> > Thanks for any help.
>>>>>> >> >> >
>>>>>> >> >> > Zoe
>>>>>> >> >>
>>>>>> >> >> If you remove the IP from the hosts.deny and the firewall block,
>>>>>> >> >> it should be allowed. Unless you've blocked the IP somewhere else.
>>>>>
>>>>>
>

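Christian's point in the thread (a response with location "all" blocks the IP on the server and on every agent, so the delete has to be repeated on each of them) as an added worked example; this is not code from the thread or from OSSEC. It parses a server ossec.conf like the one Zoe posted, plans the per-host unblock commands, and then checks one host's iptables-save and hosts.deny text to confirm the delete took effect there. Assumed: the stock AR scripts take the positional arguments ACTION USER IP (hence "delete - <ip>"), and the server and agent names are placeholders.

```python
import xml.etree.ElementTree as ET

AR_BIN = "/var/ossec/active-response/bin"

# Constructed sample, condensed from the server ossec.conf posted in the thread.
SERVER_CONF = """<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable><expect>srcip</expect></command>
  <command><name>firewall-drop</name><executable>firewall-drop.sh</executable><expect>srcip</expect></command>
  <command><name>disable-account</name><executable>disable-account.sh</executable><expect>user</expect></command>
  <active-response><command>host-deny</command><location>all</location><timeout>900</timeout></active-response>
  <active-response><command>firewall-drop</command><location>all</location><timeout>900</timeout></active-response>
</ossec_config>"""


def unblock_commands(conf_xml, ip, server, agents):
    """Return {host: [command line, ...]}: every delete needed to clear a block on ip.
    Only responses whose command expects srcip can have blocked an IP; <location>
    says where the block ran and so where the delete must be repeated ('all' is
    the server plus every agent). Assumption: the stock AR scripts take the
    positional arguments ACTION USER IP, so "-" fills USER for an IP block.
    """
    root = ET.fromstring(conf_xml)
    commands = {c.findtext("name"): c for c in root.iter("command")}
    plan = {}
    for ar in root.iter("active-response"):
        cmd = commands.get(ar.findtext("command"))
        if cmd is None or cmd.findtext("expect") != "srcip":
            continue  # e.g. disable-account acts on a user, not on an IP
        loc = ar.findtext("location", "local")
        if loc == "all":
            hosts = [server, *agents]
        elif loc == "server":
            hosts = [server]
        else:  # local / defined-agent: the blocking agent is not recorded in the config
            hosts = list(agents)
        line = f"{AR_BIN}/{cmd.findtext('executable')} delete - {ip}"
        for host in hosts:
            plan.setdefault(host, []).append(line)
    return plan


def still_listed(ip, iptables_save_text, hosts_deny_text):
    """True if ip is still a source (-s) in iptables-save output or an ALL: entry
    in hosts.deny, i.e. the delete has not taken effect on this particular host."""
    def rule_hits(ln):  # matches "-s 1.1.1.1" or "-s 1.1.1.1/32", but not 1.1.1.10
        t = ln.split() + [""]  # sentinel so a trailing "-s" cannot raise IndexError
        return "-s" in t and t[t.index("-s") + 1] in (ip, f"{ip}/32")
    in_fw = any(rule_hits(ln) for ln in iptables_save_text.splitlines())
    in_deny = any(ln.split("#")[0].replace(" ", "") == f"ALL:{ip}"
                  for ln in hosts_deny_text.splitlines())
    return in_fw or in_deny
```

Running still_listed against each host's own iptables-save and hosts.deny after the deletes is the quick way to tell an agent that was missed from a block coming from somewhere other than OSSEC.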