I guess I'm not understanding the original problem but was going off of
what Christian was saying more so. Is the problem that an IP is being
blocked on the agent? Or on the server? My understanding was that the IP
was also blocked on the agent machine itself, requiring one to get onto the
agent machine and run iptables directly there to unblock the legit IP...? Is
this *not* the case?

On Wed, Oct 17, 2012 at 10:00 AM, dan (ddp) <[email protected]> wrote:

> On Wed, Oct 17, 2012 at 12:54 PM, Jeremy Lee <[email protected]> wrote:
> > I believe agent-control is the key here:
> >
> > http://www.ossec.net/doc/manual/ar/ar-windows.html
> >
> > I created a script to remove null-routes and I may have had to copy the
> > scripts to all boxes where this was to be implemented (I don't recall if
> > there is a mechanism in OSSEC that will push scripts down to agents). Then
> > I used agent-control to fire off the specific scripts for removing the
> > null-routes (this was probably per specific IP though).
> >
> >
> > On Wed, Oct 17, 2012 at 9:44 AM, Jeremy Lee <[email protected]> wrote:
> >>
> >> I've set up some complex rules for blocking/unblocking but used null
> >> routing. It's been a while so I'd have to refresh my memory completely,
> >> but I believe I utilized the OSSEC agent to issue a local 'route' command
> >> and could do it remotely (as opposed to logging into or running a
> >> specific script for each agent/machine). I'd imagine the same or similar
> >> could be done for iptables (or any script for that matter).
> >>
>
> These mails do not address the problem in any way. If the blocks have
> to be removed from EVERY agent that implemented them before it will
> work, then OSSEC has somehow gained a level of clustering I never
> imagined. How you remove the blocks shouldn't matter (although I still
> don't know if Zoe ever tried to remove them manually).
>
> >>
> >> On Wed, Oct 17, 2012 at 6:09 AM, dan (ddp) <[email protected]> wrote:
> >>>
> >>> On Tue, Oct 16, 2012 at 2:00 PM, Zoe <[email protected]> wrote:
> >>> > And the winner is ......Christian !
> >>> > Thanks !
> >>> >
> >>>
> >>> What's the answer? You have to unblock it from every system before it
> >>> works?
> >>>
> >>> >
> >>> > On Tuesday, October 16, 2012 7:12:55 PM UTC+2, Zoe wrote:
> >>> >>
> >>> >> I have 52 agents; is it possible, as Christian said, that I have
> >>> >> to unblock the IP on all agents before it's unblocked on just one?
> >>> >>
> >>> >> Regards.
> >>> >>
> >>> >> Zoe
> >>> >>
> >>> >> On Tuesday, October 16, 2012 6:10:21 PM UTC+2, Zoe wrote:
> >>> >>>
> >>> >>> Other thing : when I manually run "firewall-drop add", the command
> >>> >>> "firewall-drop delete" is ok, before timeout.
> >>> >>> But when it's ossec that runs it, with AR, a manual "firewall-drop
> >>> >>> delete" doesn't work...
> >>> >>>
> >>> >>> Can you confirm for me the rights on /var/ossec files and
> >>> >>> directories, please?
> >>> >>>
> >>> >>> On Tuesday, October 16, 2012 5:56:59 PM UTC+2, Zoe wrote:
> >>> >>>>
> >>> >>>> Thanks for your reply Christian.
> >>> >>>> ah ?
> >>> >>>> "Running host-deny and/or firewall-drop just on one machine is not
> >>> >>>> enough because it is not propagated to the others."
> >>> >>>> I agree it doesn't unblock on all machines, but on the single
> >>> >>>> machine where the IP has been unblocked, I think it has to be
> >>> >>>> unblocked, no?
> >>> >>>>
> >>> >>>> Dan,
> >>> >>>> Entire command I use is :
> >>> >>>> "/var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1"
> >>> >>>>
> >>> >>>> And nothing in logs.
> >>> >>>>
> >>> >>>> Zoe
> >>> >>>>
> >>> >>>> On Tuesday, October 16, 2012 5:44:34 PM UTC+2, Christian Beer wrote:
> >>> >>>>>
> >>> >>>>> I also use active_response (OSSEC 2.6) on a Debian server and
> >>> >>>>> whenever I want to unblock someone I delete the firewall rule
> >>> >>>>> directly using iptables commands. That always works
> >>> >>>>> instantaneously. But I have only one machine. In your setup using
> >>> >>>>> server/agent you have to unblock the IP at every agent and the
> >>> >>>>> server separately. Running host-deny and/or firewall-drop just on
> >>> >>>>> one machine is not enough because it is not propagated to the
> >>> >>>>> others.
> >>> >>>>>
> >>> >>>>> Regards
> >>> >>>>> Christian
> >>> >>>>>
> >>> >>>>> On 16.10.2012 17:16, Zoe wrote:
> >>> >>>>>
> >>> >>>>> Operating System : Linux openSuse
> >>> >>>>>
> >>> >>>>> I agree with you : that doesn't make any sense :)
> >>> >>>>> Re-apply firewall rules ? already done, no change.
> >>> >>>>> A copy of my ossec.conf is above, have I missed something ?
> >>> >>>>> I ran "firewall-drop delete" on the agent; do I have to do it on
> >>> >>>>> the server? On server and agents? From server to agents?
> >>> >>>>> I checked ossec.log on the server and active-response.log on the
> >>> >>>>> agents, nothing strange there. Nothing in system logs.
> >>> >>>>> Can other log files help?
> >>> >>>>>
> >>> >>>>>
> >>> >>>>> On Tuesday, October 16, 2012 4:56:14 PM UTC+2, dan (ddpbsd) wrote:
> >>> >>>>>>
> >>> >>>>>> On Tue, Oct 16, 2012 at 10:49 AM, Zoe <[email protected]> wrote:
> >>> >>>>>> > Thanks for the explanation.
> >>> >>>>>> > IP is not set anywhere else.
> >>> >>>>>> >
> >>> >>>>>> > Sorry for the lack of information :
> >>> >>>>>> >
> >>> >>>>>> > Ossec 2.6 is installed on server and agents with Suse Linux.
> >>> >>>>>> >
> >>> >>>>>> > # ossec.conf on Ossec Server
> >>> >>>>>> >  <ossec_config>
> >>> >>>>>> >  ...
> >>> >>>>>> >    <command>
> >>> >>>>>> >      <name>host-deny</name>
> >>> >>>>>> >      <executable>host-deny.sh</executable>
> >>> >>>>>> >      <expect>srcip</expect>
> >>> >>>>>> >      <timeout_allowed>yes</timeout_allowed>
> >>> >>>>>> >    </command>
> >>> >>>>>> >
> >>> >>>>>> >    <command>
> >>> >>>>>> >      <name>firewall-drop</name>
> >>> >>>>>> >      <executable>firewall-drop.sh</executable>
> >>> >>>>>> >      <expect>srcip</expect>
> >>> >>>>>> >      <timeout_allowed>yes</timeout_allowed>
> >>> >>>>>> >    </command>
> >>> >>>>>> >
> >>> >>>>>> >    <command>
> >>> >>>>>> >      <name>disable-account</name>
> >>> >>>>>> >      <executable>disable-account.sh</executable>
> >>> >>>>>> >      <expect>user</expect>
> >>> >>>>>> >      <timeout_allowed>yes</timeout_allowed>
> >>> >>>>>> >    </command>
> >>> >>>>>> >
> >>> >>>>>> >    <command>
> >>> >>>>>> >      <name>restart-ossec</name>
> >>> >>>>>> >      <executable>restart-ossec.sh</executable>
> >>> >>>>>> >      <expect></expect>
> >>> >>>>>> >    </command>
> >>> >>>>>> >
> >>> >>>>>> >    <command>
> >>> >>>>>> >      <name>route-null</name>
> >>> >>>>>> >      <executable>route-null.sh</executable>
> >>> >>>>>> >      <expect>srcip</expect>
> >>> >>>>>> >      <timeout_allowed>yes</timeout_allowed>
> >>> >>>>>> >    </command>
> >>> >>>>>> >
> >>> >>>>>> >    <active-response>
> >>> >>>>>> >      <command>host-deny</command>
> >>> >>>>>> >      <location>all</location>
> >>> >>>>>> >      <level>10</level>
> >>> >>>>>> >      <rules_id>11306</rules_id>
> >>> >>>>>> >      <timeout>900</timeout>
> >>> >>>>>> >      <repeated_offenders>15,30,60,120</repeated_offenders>
> >>> >>>>>> >    </active-response>
> >>> >>>>>> >
> >>> >>>>>> >    <active-response>
> >>> >>>>>> >      <command>firewall-drop</command>
> >>> >>>>>> >      <location>all</location>
> >>> >>>>>> >      <level>10</level>
> >>> >>>>>> >      <rules_id>11306</rules_id>
> >>> >>>>>> >      <timeout>900</timeout>
> >>> >>>>>> >      <repeated_offenders>15,30,60,120</repeated_offenders>
> >>> >>>>>> >    </active-response>
> >>> >>>>>> >  </ossec_config>
> >>> >>>>>> >  ...
> >>> >>>>>> >
> >>> >>>>>> > # ossec.conf on Ossec agent
> >>> >>>>>> >  <ossec_config>
> >>> >>>>>> >    <client>
> >>> >>>>>> >      <server-ip>1.1.1.2</server-ip>
> >>> >>>>>> >    </client>
> >>> >>>>>> >    <active-response>
> >>> >>>>>> >      <repeated_offenders>15,30,60,120</repeated_offenders>
> >>> >>>>>> >    </active-response>
> >>> >>>>>> >  </ossec_config>
> >>> >>>>>> >
> >>> >>>>>> > Is there any other information that can help ?
> >>> >>>>>> >
> >>> >>>>>>
> >>> >>>>>> Operating system?
> >>> >>>>>>
> >>> >>>>>> > Thanks in advance for your help.
> >>> >>>>>> >
> >>> >>>>>> > Note : when ossec executes "firewall-drop delete" and
> >>> >>>>>> > "host-deny delete" after timeout, it's ok : IP is now allowed.
> >>> >>>>>> > But when I execute these commands manually, firewall and
> >>> >>>>>> > hosts.deny are modified, but IP remains blocked...
> >>> >>>>>> >
> >>> >>>>>>
> >>> >>>>>> That doesn't make any sense. Are you positive you haven't missed
> >>> >>>>>> something? All the scripts do is remove the IP from the firewall
> >>> >>>>>> or hosts.deny. Perhaps the firewall rules have to be re-applied or
> >>> >>>>>> something?
> >>> >>>>>>
> >>> >>>>>> Other than that, I have no clue. I've never seen this problem, and
> >>> >>>>>> don't know why your system would be blocking something without any
> >>> >>>>>> reason to block it (ossec doesn't directly do any blocking). You'd
> >>> >>>>>> think there'd be a log somewhere though...
> >>> >>>>>>
> >>> >>>>>> > Zoe
> >>> >>>>>> >
> >>> >>>>>> > On Tuesday, October 16, 2012 4:09:17 PM UTC+2, dan (ddpbsd) wrote:
> >>> >>>>>> >>
> >>> >>>>>> >> On Tue, Oct 16, 2012 at 9:40 AM, Zoe <[email protected]> wrote:
> >>> >>>>>> >> > Thanks for the reply.
> >>> >>>>>> >> >
> >>> >>>>>> >> > No, IP is not blocked anywhere else.
> >>> >>>>>> >> > IP is not in firewall, neither in hosts.deny. But it is still
> >>> >>>>>> >> > blocked until timeout expired.
> >>> >>>>>> >> > After 900s (timeout), IP is allowed, but not before. Even if
> >>> >>>>>> >> > deleted from firewall and hosts.deny.
> >>> >>>>>> >> >
> >>> >>>>>> >> > The question : how is the timeout defined? Where or how can
> >>> >>>>>> >> > I remove it after active-response is applied?
> >>> >>>>>> >> >
> >>> >>>>>> >>
> >>> >>>>>> >> Remove it from where-ever you set it. The supplied AR scripts
> >>> >>>>>> >> don't do anything fancy. Generally if you remove the IP from the
> >>> >>>>>> >> firewall block and from the hosts.deny block it'll be allowed.
> >>> >>>>>> >> If you remove the block from every place you have OSSEC set the
> >>> >>>>>> >> block, it won't be blocked (by OSSEC) anymore. It's that simple.
> >>> >>>>>> >> Since you haven't provided any useful information, that's all I
> >>> >>>>>> >> can help with. My guess would be you aren't using your tools
> >>> >>>>>> >> correctly, but that's just a guess.
> >>> >>>>>> >>
> >>> >>>>>> >> > On Tuesday, October 16, 2012 3:28:20 PM UTC+2, dan (ddpbsd) wrote:
> >>> >>>>>> >> >>
> >>> >>>>>> >> >> On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
> >>> >>>>>> >> >> > Hi guys,
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > I set up ossec a few months ago, but I have some problems
> >>> >>>>>> >> >> > with active-responses.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > Active-responses work well, no problem with it.
> >>> >>>>>> >> >> > When an alert is detected, a lot of failed authentication
> >>> >>>>>> >> >> > from the same IP for example, the IP is blacklisted in the
> >>> >>>>>> >> >> > firewall, and all connections are dropped.
> >>> >>>>>> >> >> > I use a timeout of 900s and repeated_offenders.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > But, in some cases, it happened that a legitimate IP was
> >>> >>>>>> >> >> > blacklisted : wrong password or other. It was blacklisted
> >>> >>>>>> >> >> > for 900s.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > I want to manually unblock the IP, so I execute the
> >>> >>>>>> >> >> > commands :
> >>> >>>>>> >> >> > # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
> >>> >>>>>> >> >> > # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > It's ok : 1.1.1.1 is deleted from the firewall's IP
> >>> >>>>>> >> >> > blacklist and is also deleted from hosts.deny.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > But 1.1.1.1 is still not allowed to connect to the agent,
> >>> >>>>>> >> >> > until the timeout of 900s expired.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > My question : is there a way to manually unblock 1.1.1.1
> >>> >>>>>> >> >> > before timeout expiration?
> >>> >>>>>> >> >> > Did active-response modify anything else, apart from
> >>> >>>>>> >> >> > adding a drop rule in the firewall and an IP in hosts.deny
> >>> >>>>>> >> >> > in my case??
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >>
> >>> >>>>>> >> >> How would we know?
> >>> >>>>>> >> >>
> >>> >>>>>> >> >> > I already tried a reboot of the agent, it doesn't help.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > I'm using ossec2.6.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > Thanks for any help.
> >>> >>>>>> >> >> >
> >>> >>>>>> >> >> > Zoe
> >>> >>>>>> >> >>
> >>> >>>>>> >> >> If you remove the IP from the hosts.deny and the firewall
> >>> >>>>>> >> >> block, it should be allowed. Unless you've blocked the IP
> >>> >>>>>> >> >> somewhere else.
> >>> >>>>>
> >>> >>>>>
> >>> >
> >>
> >>
> >
>
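
The check that the replies above keep coming back to (is the IP still present in the firewall, in hosts.deny, or as a null route on this particular host?) as an added shell script. It is not from this thread and not part of OSSEC; it assumes the rule shapes the stock 2.6 scripts write (firewall-drop.sh inserts "-s IP -j DROP" into INPUT and FORWARD, host-deny.sh appends "ALL:IP" to /etc/hosts.deny, route-null.sh adds a reject route that "ip route" lists as "unreachable IP"), and the function names and the sample state are constructed for the example. Because the blocks are applied per host and never propagated, it has to be run on the server and on every agent that executed the response.

```shell
#!/bin/sh
# audit_block.sh - report where an IP is still blocked by the stock OSSEC
# active-response mechanisms on THIS host. Added example, not OSSEC code.
# Assumptions (see lead-in): iptables rules "-s IP -j DROP" in INPUT/FORWARD,
# "ALL:IP" lines in /etc/hosts.deny, "unreachable IP" routes from route-null.

# Turn a dotted-quad IP into a regex literal (dots escaped).
ip_regex() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# 0 if the iptables-save style text in $1 has a DROP rule for source $2.
rules_block_ip() {
  printf '%s\n' "$1" | grep -Eq "^-A (INPUT|FORWARD) .*-s $(ip_regex "$2")(/32)? .*-j DROP"
}

# 0 if the hosts.deny text in $1 lists $2 (comment lines ignored).
hostsdeny_blocks_ip() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
    | grep -Eq "^ALL:[[:space:]]*$(ip_regex "$2")([[:space:]]|$)"
}

# 0 if the "ip route show" text in $1 carries a reject-type route for $2.
route_blocks_ip() {
  printf '%s\n' "$1" | grep -Eq "^(unreachable|prohibit|blackhole) $(ip_regex "$2")(/32)?([[:space:]]|$)"
}

# Check all three locations for $1; prints one line per place that still
# blocks it. Returns 0 when the IP is clear everywhere, 1 otherwise.
audit_ip() {
  ip=$1; rules=$2; hostsdeny=$3; routes=$4; blocked=0
  if rules_block_ip "$rules" "$ip"; then echo "iptables: $ip still has a DROP rule"; blocked=1; fi
  if hostsdeny_blocks_ip "$hostsdeny" "$ip"; then echo "hosts.deny: $ip still listed"; blocked=1; fi
  if route_blocks_ip "$routes" "$ip"; then echo "route: $ip still null-routed"; blocked=1; fi
  [ "$blocked" -eq 0 ] && echo "$ip: not blocked on this host by any OSSEC AR mechanism"
  return $blocked
}

# Live mode: read the real state of this host (iptables needs root).
live_audit() {
  audit_ip "$1" "$(iptables -S INPUT; iptables -S FORWARD)" \
    "$(cat /etc/hosts.deny)" "$(ip route show)"
}

# Constructed sample state for an offline run: the firewall rule for 1.1.1.1
# is already gone, but hosts.deny still lists it, i.e. a manual "delete" that
# cleared only one of the places an AR script had written to.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 10.9.8.7/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_HOSTSDENY='# /etc/hosts.deny
ALL:1.1.1.1
ALL:10.9.8.7'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
unreachable 10.9.8.7'

# Stand-alone run against the sample state ("|| :" keeps a found block from
# aborting the script under "set -e").
audit_ip 1.1.1.1 "$SAMPLE_RULES" "$SAMPLE_HOSTSDENY" "$SAMPLE_ROUTES" || :
```

On a real host, `live_audit 1.1.1.1` (as root) replaces the sample state with the output of iptables, hosts.deny and ip route; a clean result on the server but a hit on an agent is exactly the per-host situation Christian describes, and a clean result on every host means whatever is still dropping the traffic was not put there by the stock OSSEC scripts.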
