I've set up some complex rules for blocking/unblocking, but used null routing. It's been a while, so I'd have to refresh my memory completely, but I believe I utilized the OSSEC agent to issue a local 'route' command and could do it remotely (as opposed to logging into, or running a specific script on, each agent/machine). I'd imagine the same or similar could be done for iptables (or any script, for that matter).
On Wed, Oct 17, 2012 at 6:09 AM, dan (ddp) wrote:
> On Tue, Oct 16, 2012 at 2:00 PM, Zoe wrote:
> > And the winner is ...... Christian!
> > Thanks!
> >
> > What's the answer? You have to unblock it from every system before it works?
> >
> > On Tuesday, October 16, 2012 7:12:55 PM UTC+2, Zoe wrote:
> >>
> >> I have 52 agents. Is it possible, as Christian said, that I have to unblock the IP on all agents before it's unblocked on just one?
> >>
> >> Regards.
> >>
> >> Zoe
> >>
> >> On Tuesday, October 16, 2012 6:10:21 PM UTC+2, Zoe wrote:
> >>>
> >>> Another thing: when I manually run "firewall-drop add", the command "firewall-drop delete" is OK, before the timeout.
> >>> But when it's OSSEC that runs it, via AR, a manual "firewall-drop delete" doesn't work...
> >>>
> >>> Can you confirm the rights on the /var/ossec files and directories for me, please?
> >>>
> >>> On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
> >>>>
> >>>> Thanks for your reply, Christian.
> >>>> Ah?
> >>>> "Running host-deny and/or firewall-drop just on one machine is not enough because it is not propagated to the others."
> >>>> I agree it doesn't unblock on all machines, but on the single machine where the IP has been unblocked, I think it has to be unblocked, no?
> >>>>
> >>>> Dan,
> >>>> The entire command I use is:
> >>>> "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
> >>>>
> >>>> And nothing in the logs.
> >>>>
> >>>> Zoe
> >>>>
> >>>> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
> >>>>>
> >>>>> I also use active_response (OSSEC 2.6) on a Debian server, and whenever I want to unblock someone I delete the firewall rule directly using iptables commands. That always works instantaneously. But I have only one machine. In your setup using server/agent you have to unblock the IP at every agent and the server separately. Running host-deny and/or firewall-drop just on one machine is not enough because it is not propagated to the others.
> >>>>>
> >>>>> Regards
> >>>>> Christian
> >>>>>
> >>>>> On 16.10.2012 17:16, Zoe wrote:
> >>>>>
> >>>>> Operating System: Linux openSUSE
> >>>>>
> >>>>> I agree with you: that doesn't make any sense :)
> >>>>> Re-apply firewall rules? Already done, no change.
> >>>>> A copy of my ossec.conf is above; have I missed something?
> >>>>> I run "firewall-drop delete" on the agent. Do I have to do it on the server? On server and agents? From server to agents?
> >>>>> I checked ossec.log on the server and active-response.log on the agents, nothing strange there. Nothing in the system logs.
> >>>>> Can other log files help?
> >>>>>
> >>>>>
> >>>>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
> >>>>>>
> >>>>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe wrote:
> >>>>>> > Thanks for the explanation.
> >>>>>> > The IP is not set anywhere else.
> >>>>>> >
> >>>>>> > Sorry for the lack of information:
> >>>>>> >
> >>>>>> > OSSEC 2.6 is installed on the server and agents, with SUSE Linux.
> >>>>>> >
> >>>>>> > # ossec.conf on OSSEC server
> >>>>>> > <ossec_config>
> >>>>>> > ...
> >>>>>> >   <command>
> >>>>>> >     <name>host-deny</name>
> >>>>>> >     <executable>host-deny.sh</executable>
> >>>>>> >     <expect>srcip</expect>
> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
> >>>>>> >   </command>
> >>>>>> >
> >>>>>> >   <command>
> >>>>>> >     <name>firewall-drop</name>
> >>>>>> >     <executable>firewall-drop.sh</executable>
> >>>>>> >     <expect>srcip</expect>
> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
> >>>>>> >   </command>
> >>>>>> >
> >>>>>> >   <command>
> >>>>>> >     <name>disable-account</name>
> >>>>>> >     <executable>disable-account.sh</executable>
> >>>>>> >     <expect>user</expect>
> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
> >>>>>> >   </command>
> >>>>>> >
> >>>>>> >   <command>
> >>>>>> >     <name>restart-ossec</name>
> >>>>>> >     <executable>restart-ossec.sh</executable>
> >>>>>> >     <expect></expect>
> >>>>>> >   </command>
> >>>>>> >
> >>>>>> >   <command>
> >>>>>> >     <name>route-null</name>
> >>>>>> >     <executable>route-null.sh</executable>
> >>>>>> >     <expect>srcip</expect>
> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
> >>>>>> >   </command>
> >>>>>> >
> >>>>>> >   <active-response>
> >>>>>> >     <command>host-deny</command>
> >>>>>> >     <location>all</location>
> >>>>>> >     <level>10</level>
> >>>>>> >     <rules_id>11306</rules_id>
> >>>>>> >     <timeout>900</timeout>
> >>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
> >>>>>> >   </active-response>
> >>>>>> >
> >>>>>> >   <active-response>
> >>>>>> >     <command>firewall-drop</command>
> >>>>>> >     <location>all</location>
> >>>>>> >     <level>10</level>
> >>>>>> >     <rules_id>11306</rules_id>
> >>>>>> >     <timeout>900</timeout>
> >>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
> >>>>>> >   </active-response>
> >>>>>> > </ossec_config>
> >>>>>> > ...
> >>>>>> >
> >>>>>> > # ossec.conf on OSSEC agent
> >>>>>> > <ossec_config>
> >>>>>> >   <client>
> >>>>>> >     <server-ip>1.1.1.2</server-ip>
> >>>>>> >   </client>
> >>>>>> >   <active-response>
> >>>>>> >
> >>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
> >>>>>> >   </active-response>
> >>>>>> > </ossec_config>
> >>>>>> >
> >>>>>> > Is there any other information that can help?
> >>>>>> >
> >>>>>>
> >>>>>> Operating system?
> >>>>>>
> >>>>>> > Thanks in advance for your help.
> >>>>>> >
> >>>>>> > Note: when OSSEC executes "firewall-drop delete" and "host-deny delete" after the timeout, it's OK: the IP is now allowed.
> >>>>>> > But when I execute these commands manually, the firewall and hosts.deny are modified, but the IP remains blocked...
> >>>>>> >
> >>>>>>
> >>>>>> That doesn't make any sense. Are you positive you haven't missed something? All the scripts do is remove the IP from the firewall or hosts.deny. Perhaps the firewall rules have to be re-applied or something?
> >>>>>>
> >>>>>> Other than that, I have no clue. I've never seen this problem, and don't know why your system would be blocking something without any reason to block it (ossec doesn't directly do any blocking). You'd think there'd be a log somewhere though...
> >>>>>>
> >>>>>> > Zoe
> >>>>>> >
> >>>>>> > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
> >>>>>> >>
> >>>>>> >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe wrote:
> >>>>>> >> > Thanks for the reply.
> >>>>>> >> >
> >>>>>> >> > No, the IP is not blocked anywhere else.
> >>>>>> >> > The IP is not in the firewall, nor in hosts.deny. But it is still blocked until the timeout expires.
> >>>>>> >> > After 900s (the timeout), the IP is allowed, but not before. Even if deleted from the firewall and hosts.deny.
> >>>>>> >> >
> >>>>>> >> > The question: how is the timeout defined? Where or how can I remove it after the active response is applied?
> >>>>>> >> >
> >>>>>> >>
> >>>>>> >> Remove it from wherever you set it. The supplied AR scripts don't do anything fancy. Generally if you remove the IP from the firewall block and from the hosts.deny block it'll be allowed. If you remove the block from every place you have OSSEC set the block, it won't be blocked (by OSSEC) anymore. It's that simple.
> >>>>>> >> Since you haven't provided any useful information, that's all I can help with. My guess would be you aren't using your tools correctly, but that's just a guess.
> >>>>>> >>
> >>>>>> >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
> >>>>>> >> >>
> >>>>>> >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe wrote:
> >>>>>> >> >> > Hi guys,
> >>>>>> >> >> >
> >>>>>> >> >> > I set up OSSEC a few months ago now, but I have some problems with active responses.
> >>>>>> >> >> >
> >>>>>> >> >> > Active responses work well, no problem with them.
> >>>>>> >> >> > When an alert is detected, a lot of failed authentications from the same IP for example, the IP is blacklisted in the firewall, and all connections are dropped.
> >>>>>> >> >> > I use a timeout of 900s and repeated_offenders.
> >>>>>> >> >> >
> >>>>>> >> >> > But in some cases it happened that a legitimate IP was blacklisted: wrong password or similar. It was blacklisted for 900s.
> >>>>>> >> >> >
> >>>>>> >> >> > I want to manually unblock the IP, so I execute the commands:
> >>>>>> >> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
> >>>>>> >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
> >>>>>> >> >> >
> >>>>>> >> >> > It's OK: 1.1.1.1 is deleted from the firewall's blacklisted IPs and is also deleted from hosts.deny.
> >>>>>> >> >> >
> >>>>>> >> >> > But 1.1.1.1 is still not allowed to connect to the agent, until the timeout of 900s expires.
> >>>>>> >> >> >
> >>>>>> >> >> > My question: is there a way to manually unblock 1.1.1.1 before the timeout expires?
> >>>>>> >> >> > Did the active response modify anything else, apart from adding a drop rule in the firewall and an IP in hosts.deny, in my case?
> >>>>>> >> >> >
> >>>>>> >> >>
> >>>>>> >> >> How would we know?
> >>>>>> >> >>
> >>>>>> >> >> > I already tried a reboot of the agent, it doesn't help.
> >>>>>> >> >> >
> >>>>>> >> >> > I'm using OSSEC 2.6.
> >>>>>> >> >> >
> >>>>>> >> >> > Thanks for any help.
> >>>>>> >> >> >
> >>>>>> >> >> > Zoe
> >>>>>> >> >>
> >>>>>> >> >> If you remove the IP from the hosts.deny and the firewall block, it should be allowed. Unless you've blocked the IP somewhere else.
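The advice in the thread boils down to two points: the stock response scripts only touch the firewall and hosts.deny, and in a server/agent setup the block has to be removed on every host that executed the response, because nothing propagates an unblock. The script below is an added example, not part of the original thread and not OSSEC's own code. It bundles those points into one per-host command: `still_blocked_in` checks the three places the stock 2.6 scripts write (INPUT/FORWARD DROP rules from firewall-drop.sh, an `ALL:IP` line in /etc/hosts.deny from host-deny.sh, a reject route from route-null.sh) and `ossec_unblock_local` removes whatever it finds. The text formats it parses (`iptables -S`, `ip route show`), the path /etc/hosts.deny and the assumption that the scripts are unmodified are mine, not the page's.

```shell
#!/bin/sh
# Added example (not OSSEC's own code): find and remove what the stock OSSEC 2.x
# active-response scripts leave behind for one IP on the host this runs on.
#   firewall-drop.sh : iptables -I INPUT -s IP -j DROP  (and the same in FORWARD)
#   host-deny.sh     : a line "ALL:IP" appended to /etc/hosts.deny
#   route-null.sh    : a reject (null) route for IP
# Assumptions: unmodified 2.6 scripts, Linux, and the text formats printed by
# `iptables -S` and `ip route show`.

# still_blocked_in IP IPTABLES_TEXT HOSTS_DENY_TEXT ROUTES_TEXT
# Pure text check, so it also works on output captured from another host.
# Echoes the enforcement points that still hold IP ("iptables", "hosts.deny",
# "route", space separated), or an empty line when none does.
still_blocked_in() (
    ip=$1
    rules=$2
    deny=$3
    routes=$4
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # 1.1.1.1 must not match 1x1x1.1
    found=""
    # anchored on both sides so 1.1.1.1 does not match a rule for 1.1.1.10
    if printf '%s\n' "$rules" | grep -Eq -- "^-A (INPUT|FORWARD) -s ${ip_re}(/32)? -j DROP\$"; then
        found="$found iptables"
    fi
    if printf '%s\n' "$deny" | grep -Eq "^[[:space:]]*ALL:[[:space:]]*${ip_re}[[:space:]]*\$"; then
        found="$found hosts.deny"
    fi
    if printf '%s\n' "$routes" | grep -Eq "^(unreachable|blackhole|prohibit) ${ip_re}( |\$)"; then
        found="$found route"
    fi
    printf '%s\n' "${found# }"
)

# ossec_unblock_local IP: undo the block on THIS host only. Run it as root on the
# server and on every agent that executed the response (<location>all</location>
# fires it everywhere); nothing here is propagated between hosts.
ossec_unblock_local() (
    ip=$1
    where=$(still_blocked_in "$ip" "$(iptables -S 2>/dev/null)" \
                             "$(cat /etc/hosts.deny 2>/dev/null)" \
                             "$(ip route show 2>/dev/null)")
    if [ -z "$where" ]; then
        echo "$ip: no OSSEC block found on $(hostname)"
        return 0
    fi
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    for point in $where; do
        case $point in
            iptables)
                # loop in case the same rule was inserted more than once
                while iptables -D INPUT   -s "$ip" -j DROP 2>/dev/null; do :; done
                while iptables -D FORWARD -s "$ip" -j DROP 2>/dev/null; do :; done ;;
            hosts.deny)
                sed -i "/^[[:space:]]*ALL:[[:space:]]*${ip_re}[[:space:]]*\$/d" /etc/hosts.deny ;;
            route)
                for t in unreachable blackhole prohibit; do
                    ip route del $t "$ip" 2>/dev/null && break
                done ;;
        esac
    done
    echo "$ip: removed from$where on $(hostname)"
)

# usage: sh unblock.sh 1.1.1.1   (with no argument the file only defines the functions)
if [ -n "${1:-}" ]; then
    ossec_unblock_local "$1"
fi
```

Run it as root on the server and on each agent that ran the response; ossec-execd on each host still holds its own timeout and will fire the scheduled `delete` later, which then simply finds nothing left to remove. Because `still_blocked_in` works on text rather than running commands, the same check can be run centrally over `iptables -S` / `hosts.deny` / `ip route show` output collected from the agents to see where a login is actually needed.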
