I believe agent-control is the key here:

http://www.ossec.net/doc/manual/ar/ar-windows.html

I created a script to remove null-routes and I may have had to copy the
scripts to all boxes where this was to be implemented (I don't recall if
there is a mechanism in OSSEC that will push scripts down to agents). Then
I used agent-control to fire off the specific scripts for removing the
null-routes (this was probably per specific IP though).

On Wed, Oct 17, 2012 at 9:44 AM, Jeremy Lee <[email protected]> wrote:

> I've set up some complex rules for blocking/unblocking but used null
> routing. It's been a while so I'd have to refresh my memory completely, but
> I believe I utilized the OSSEC agent to issue a local 'route' command and
> could do it remotely (as opposed to logging into or running a specific
> script for each agent/machine). I'd imagine the same or similar could be
> done for iptables (or any script for that matter).
>
>
> On Wed, Oct 17, 2012 at 6:09 AM, dan (ddp) <[email protected]> wrote:
>
>> On Tue, Oct 16, 2012 at 2:00 PM, Zoe <[email protected]> wrote:
>> > And the winner is ......Christian !
>> > Thanks !
>> >
>>
>> What's the answer? You have to unblock it from every system before it
>> works?
>>
>> >
>> > On Tuesday, October 16, 2012 7:12:55 PM UTC+2, Zoe wrote:
>> >>
>> >> I have 52 agents. Is it possible, as Christian said, that I have to
>> >> unblock the IP on all agents before it's unblocked on just one?
>> >>
>> >> Regards.
>> >>
>> >> Zoe
>> >>
>> >> On Tuesday, October 16, 2012 6:10:21 PM UTC+2, Zoe wrote:
>> >>>
>> >>> Other thing: when I manually run "firewall-drop add", the command
>> >>> "firewall-drop delete" works, before the timeout.
>> >>> But when it's ossec that runs it, with AR, a manual "firewall-drop
>> >>> delete" doesn't work...
>> >>>
>> >>> Can you confirm the rights on /var/ossec files and directories please?
>> >>>
>> >>> On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
>> >>>>
>> >>>> Thanks for your reply Christian.
>> >>>> ah?
>> >>>> "Running host-deny and/or firewall-drop just on one machine is not
>> >>>> enough because it is not propagated to the others."
>> >>>> I agree it doesn't unblock on all machines, but on the single machine
>> >>>> where the IP has been unblocked, I think it has to be unblocked, no?
>> >>>>
>> >>>> Dan,
>> >>>> Entire command I use is :
>> >>>> "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
>> >>>>
>> >>>> And nothing in logs.
>> >>>>
>> >>>> Zoe
>> >>>>
>> >>>> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
>> >>>>>
>> >>>>> I also use active_response (OSSEC 2.6) on a Debian server and whenever
>> >>>>> I want to unblock someone I delete the firewall rule directly using iptables
>> >>>>> commands. That always works instantaneously. But I have only one machine. In
>> >>>>> your setup using server/agent you have to unblock the IP at every agent and
>> >>>>> the server separately. Running host-deny and/or firewall-drop just on one
>> >>>>> machine is not enough because it is not propagated to the others.
>> >>>>>
>> >>>>> Regards
>> >>>>> Christian
>> >>>>>
>> >>>>> On 16.10.2012 17:16, Zoe wrote:
>> >>>>>
>> >>>>> Operating System : Linux openSuse
>> >>>>>
>> >>>>> I agree with you: that doesn't make any sense :)
>> >>>>> Re-apply firewall rules? Already done, no change.
>> >>>>> A copy of my ossec.conf is above, have I missed something?
>> >>>>> I ran "firewall-drop delete" on the agent; do I have to do it on the
>> >>>>> server? On server and agents? From server to agents?
>> >>>>> I checked ossec.log on the server, active-response.log on the agents,
>> >>>>> nothing strange there. Nothing in system logs.
>> >>>>> Can other log files help?
>> >>>>>
>> >>>>>
>> >>>>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
>> >>>>>>
>> >>>>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
>> >>>>>> > Thanks for the explanation.
>> >>>>>> > The IP is not set anywhere else.
>> >>>>>> >
>> >>>>>> > Sorry for the lack of information :
>> >>>>>> >
>> >>>>>> > Ossec 2.6 is installed on the server and agents with Suse Linux.
>> >>>>>> >
>> >>>>>> > # ossec.conf on Ossec Server
>> >>>>>> >  <ossec_config>
>> >>>>>> > ...
>> >>>>>> >   <command>
>> >>>>>> >     <name>host-deny</name>
>> >>>>>> >     <executable>host-deny.sh</executable>
>> >>>>>> >     <expect>srcip</expect>
>> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
>> >>>>>> >   </command>
>> >>>>>> >
>> >>>>>> >   <command>
>> >>>>>> >     <name>firewall-drop</name>
>> >>>>>> >     <executable>firewall-drop.sh</executable>
>> >>>>>> >     <expect>srcip</expect>
>> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
>> >>>>>> >   </command>
>> >>>>>> >
>> >>>>>> >  <command>
>> >>>>>> >     <name>disable-account</name>
>> >>>>>> >     <executable>disable-account.sh</executable>
>> >>>>>> >     <expect>user</expect>
>> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
>> >>>>>> >   </command>
>> >>>>>> >
>> >>>>>> >   <command>
>> >>>>>> >     <name>restart-ossec</name>
>> >>>>>> >     <executable>restart-ossec.sh</executable>
>> >>>>>> >     <expect></expect>
>> >>>>>> >   </command>
>> >>>>>> >
>> >>>>>> >   <command>
>> >>>>>> >     <name>route-null</name>
>> >>>>>> >     <executable>route-null.sh</executable>
>> >>>>>> >     <expect>srcip</expect>
>> >>>>>> >     <timeout_allowed>yes</timeout_allowed>
>> >>>>>> >   </command>
>> >>>>>> >
>> >>>>>> >  <active-response>
>> >>>>>> >     <command>host-deny</command>
>> >>>>>> >     <location>all</location>
>> >>>>>> >     <level>10</level>
>> >>>>>> >     <rules_id>11306</rules_id>
>> >>>>>> >     <timeout>900</timeout>
>> >>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>> >>>>>> >   </active-response>
>> >>>>>> >
>> >>>>>> >   <active-response>
>> >>>>>> >     <command>firewall-drop</command>
>> >>>>>> >     <location>all</location>
>> >>>>>> >     <level>10</level>
>> >>>>>> >     <rules_id>11306</rules_id>
>> >>>>>> >     <timeout>900</timeout>
>> >>>>>> >     <repeated_offenders>15,30,60,120</repeated_offenders>
>> >>>>>> >   </active-response>
>> >>>>>> >  </ossec_config>
>> >>>>>> > ...
>> >>>>>> >
>> >>>>>> > # ossec.conf on Ossec agent
>> >>>>>> >  <ossec_config>
>> >>>>>> >         <client>
>> >>>>>> >                 <server-ip>1.1.1.2</server-ip>
>> >>>>>> >         </client>
>> >>>>>> >         <active-response>
>> >>>>>> >                 <repeated_offenders>15,30,60,120</repeated_offenders>
>> >>>>>> >         </active-response>
>> >>>>>> >  </ossec_config>
>> >>>>>> >
>> >>>>>> > Is there any other information that can help ?
>> >>>>>> >
>> >>>>>>
>> >>>>>> Operating system?
>> >>>>>>
>> >>>>>> > Thanks in advance for your help.
>> >>>>>> >
>> >>>>>> > Note: when ossec executes "firewall-drop delete" and "host-deny
>> >>>>>> > delete" after the timeout, it's ok: the IP is allowed again.
>> >>>>>> > But when I execute these commands manually, the firewall and
>> >>>>>> > hosts.deny are modified, but the IP remains blocked...
>> >>>>>> >
>> >>>>>>
>> >>>>>> That doesn't make any sense. Are you positive you haven't missed
>> >>>>>> something? All the scripts do is remove the IP from the firewall or
>> >>>>>> hosts.deny. Perhaps the firewall rules have to be re-applied or
>> >>>>>> something?
>> >>>>>>
>> >>>>>> Other than that, I have no clue. I've never seen this problem, and
>> >>>>>> don't know why your system would be blocking something without any
>> >>>>>> reason to block it (ossec doesn't directly do any blocking). You'd
>> >>>>>> think there'd be a log somewhere though...
>> >>>>>>
>> >>>>>> > Zoe
>> >>>>>> >
>> >>>>>> > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
>> >>>>>> >>
>> >>>>>> >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
>> >>>>>> >> > Thanks for the reply.
>> >>>>>> >> >
>> >>>>>> >> > No, the IP is not blocked anywhere else.
>> >>>>>> >> > The IP is not in the firewall, nor in hosts.deny. But it is still
>> >>>>>> >> > blocked until the timeout expires.
>> >>>>>> >> > After 900s (timeout), the IP is allowed, but not before. Even if
>> >>>>>> >> > deleted from the firewall and hosts.deny.
>> >>>>>> >> >
>> >>>>>> >> > The question: how is the timeout defined? Where or how can I
>> >>>>>> >> > remove it after the active-response is applied?
>> >>>>>> >> >
>> >>>>>> >>
>> >>>>>> >> Remove it from where-ever you set it. The supplied AR scripts don't
>> >>>>>> >> do anything fancy. Generally if you remove the IP from the firewall
>> >>>>>> >> block and from the hosts.deny block it'll be allowed. If you remove
>> >>>>>> >> the block from every place you have OSSEC set the block, it won't be
>> >>>>>> >> blocked (by OSSEC) anymore. It's that simple.
>> >>>>>> >> Since you haven't provided any useful information, that's all I can
>> >>>>>> >> help with. My guess would be you aren't using your tools correctly,
>> >>>>>> >> but that's just a guess.
>> >>>>>> >>
>> >>>>>> >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
>> >>>>>> >> >>
>> >>>>>> >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
>> >>>>>> >> >> > Hi guys,
>> >>>>>> >> >> >
>> >>>>>> >> >> > I set up ossec a few months ago, but I have some problems
>> >>>>>> >> >> > with active-responses.
>> >>>>>> >> >> >
>> >>>>>> >> >> > Active-responses work well, no problem with that.
>> >>>>>> >> >> > When an alert is detected, a lot of failed authentications from
>> >>>>>> >> >> > the same IP for example, the IP is blacklisted in the firewall,
>> >>>>>> >> >> > and all connections are dropped.
>> >>>>>> >> >> > I use a timeout of 900s and repeated_offenders.
>> >>>>>> >> >> >
>> >>>>>> >> >> > But, in some cases, it happened that a legitimate IP was
>> >>>>>> >> >> > blacklisted: wrong password or other. It was blacklisted for 900s.
>> >>>>>> >> >> >
>> >>>>>> >> >> > I want to manually unblock the IP, so I execute the commands:
>> >>>>>> >> >> > #  /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
>> >>>>>> >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>> >>>>>> >> >> >
>> >>>>>> >> >> > It's ok: 1.1.1.1 is deleted from the firewall's blacklisted IPs
>> >>>>>> >> >> > and is also deleted from hosts.deny.
>> >>>>>> >> >> >
>> >>>>>> >> >> > But 1.1.1.1 is still not allowed to connect to the agent, until
>> >>>>>> >> >> > the timeout of 900s expires.
>> >>>>>> >> >> >
>> >>>>>> >> >> > My question: is there a way to manually unblock 1.1.1.1 before
>> >>>>>> >> >> > the timeout expires?
>> >>>>>> >> >> > Does active-response modify anything else, apart from adding a
>> >>>>>> >> >> > drop rule in the firewall and an IP in hosts.deny in my case??
>> >>>>>> >> >> >
>> >>>>>> >> >>
>> >>>>>> >> >> How would we know?
>> >>>>>> >> >>
>> >>>>>> >> >> > I already tried a reboot of the agent, it doesn't help.
>> >>>>>> >> >> >
>> >>>>>> >> >> > I'm using ossec2.6.
>> >>>>>> >> >> >
>> >>>>>> >> >> > Thanks for any help.
>> >>>>>> >> >> >
>> >>>>>> >> >> > Zoe
>> >>>>>> >> >>
>> >>>>>> >> >> If you remove the IP from the hosts.deny and the firewall block,
>> >>>>>> >> >> it should be allowed. Unless you've blocked the IP somewhere else.
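The thread's conclusion is that a manual unblock has to be repeated on the server and on every agent, and that each stock script only undoes its own change. The script below is an added example, not part of the thread and not OSSEC's own tooling: it audits every place the stock active-response scripts (firewall-drop.sh, host-deny.sh, route-null.sh) can leave a block for one IP on a host, reports what active-responses.log last did for that IP, and prints the per-host delete commands. It assumes the OSSEC 2.x default paths, that `date` in the log lines produces six fields before the script path, and the stock scripts' argument order `<action> <user> <ip>` (which is why the corrected command later in the thread carries the `-` placeholder). The sample captures embedded in it are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): audit every place
# the stock OSSEC active-response scripts can leave a block for one IP, and
# print the per-host commands that clear it. Parsing functions read captured
# command output on stdin so they can be exercised without root; audit_ip
# runs them against the live system. Paths are the OSSEC 2.x defaults.

# Escape the dots in an IPv4 address for use in an extended regex.
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Number of DROP rules for $1 in `iptables -S` output (stdin).
# firewall-drop.sh inserts one rule in INPUT and one in FORWARD; `iptables -D`
# removes a single match per call, so a count above 2 means the add ran more
# than once and "delete" has to be repeated until this reaches 0.
iptables_drop_count() {
    grep -c -E -- "^-A (INPUT|FORWARD) -s $(re_ip "$1")(/32)? -j DROP$" || true
}

# Non-comment lines of /etc/hosts.deny (stdin) that still name $1.
hosts_deny_count() {
    grep -v '^[[:space:]]*#' | grep -c -E -- "(^|[:, ])$(re_ip "$1")([^0-9]|$)" || true
}

# Reject/blackhole routes for $1 in `ip route show` output (stdin); these come
# from route-null.sh and are not touched by "firewall-drop.sh delete".
null_route_count() {
    grep -c -E -- "^(unreachable|blackhole|prohibit) $(re_ip "$1")( |$)" || true
}

# Last action each script logged for $1 in active-responses.log (stdin), as
# "<script> <action>" lines. Assumed log format: six `date` fields, then the
# script path, action, user and IP (fields 7 to 10).
last_ar_actions() {
    awk -v ip="$1" '$10 == ip { n = split($7, p, "/"); last[p[n]] = $8 }
                    END { for (s in last) print s, last[s] }' | sort
}

# Commands to run on the server and on every agent to clear the block. The
# stock scripts take "<action> <user> <ip>", so the "-" user placeholder is
# required: "delete 1.1.1.1" would pass an empty IP and silently do nothing.
unblock_cmds() {
    for s in firewall-drop.sh host-deny.sh route-null.sh; do
        echo "/var/ossec/active-response/bin/$s delete - $1"
    done
}

# Live audit of this host for $1 (needs root for iptables).
audit_ip() {
    echo "iptables DROP rules: $(iptables -S 2>/dev/null | iptables_drop_count "$1")"
    echo "hosts.deny entries:  $(hosts_deny_count "$1" < /etc/hosts.deny)"
    echo "null routes:         $(ip route show 2>/dev/null | null_route_count "$1")"
    echo "last AR actions:"
    last_ar_actions "$1" < /var/ossec/logs/active-responses.log | sed 's/^/  /'
    echo "to unblock, run on every host:"
    unblock_cmds "$1" | sed 's/^/  /'
}

# Constructed captures (not real data) so the parsers can be exercised offline.
DEMO_IPT='-P INPUT ACCEPT
-A INPUT -s 1.1.1.1/32 -j DROP
-A INPUT -s 1.1.1.1/32 -j DROP
-A FORWARD -s 1.1.1.1/32 -j DROP
-A INPUT -s 1.1.1.10/32 -j DROP'
DEMO_DENY='# comment mentioning 1.1.1.1
ALL:1.1.1.1
ALL: 1.1.1.10'
DEMO_ROUTES='default via 10.0.0.1 dev eth0
unreachable 1.1.1.1 scope host'
DEMO_LOG='Tue Oct 16 17:00:00 CEST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 1.1.1.1 1350399600.1 11306
Tue Oct 16 17:00:00 CEST 2012 /var/ossec/active-response/bin/host-deny.sh add - 1.1.1.1 1350399600.1 11306
Tue Oct 16 17:05:00 CEST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1 1350399600.1 11306'

demo() {
    echo "iptables DROP rules: $(printf '%s\n' "$DEMO_IPT" | iptables_drop_count 1.1.1.1)"
    echo "hosts.deny entries:  $(printf '%s\n' "$DEMO_DENY" | hosts_deny_count 1.1.1.1)"
    echo "null routes:         $(printf '%s\n' "$DEMO_ROUTES" | null_route_count 1.1.1.1)"
    printf '%s\n' "$DEMO_LOG" | last_ar_actions 1.1.1.1
    unblock_cmds 1.1.1.1
}

if [ -n "${1:-}" ]; then audit_ip "$1"; else demo; fi
```

Run it with no argument to see the parsers over the constructed captures (the demo iptables capture holds three DROP rules for 1.1.1.1, so a single "delete" would leave two behind); run it as root with an IP argument on the server and on each agent to see what is actually still blocking that address on that host. Note that execd keeps its own timeout list regardless of what you remove by hand, so the scheduled "delete" still fires when the 900s expire; against rules that are already gone it is harmless.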