On Tue, Oct 16, 2012 at 9:12 AM, Zoe <[email protected]> wrote:
> Hi guys,
>
> I set up ossec a few months ago, but I have some problems with
> active-responses.
>
> Active-responses work well, no problem with them.
> When an alert is detected, a lot of failed authentications from the same IP
> for example, the IP is blacklisted in the firewall, and all connections are
> dropped.
> I use a timeout of 900s and repeated_offenders.
>
> But, in some cases, it happened that a legitimate IP was blacklisted: wrong
> password or other. It was blacklisted for 900s.
>
> I want to manually unblock the IP, so I execute the commands:
> # /var/ossec/active-response/bin/host-deny.sh delete 1.1.1.1
> # /var/ossec/active-response/bin/firewall-drop.sh delete 1.1.1.1
>

Just a note for the archives, the above commands are incorrect. There should be 3 arguments, not just 2. They give errors if you run them like this. I'm assuming Zoe used the correct commands, and not the ones posted.

> It's ok: 1.1.1.1 is deleted from the firewall's IP blacklist and is also
> deleted from hosts.deny.
>
> But 1.1.1.1 is still not allowed to connect to the agent, until the timeout of 900s
> has expired.
>
> My question: is there a way to manually unblock 1.1.1.1 before the timeout
> expires?
> Did active-response modify anything else, apart from adding a drop rule in the
> firewall and an IP in hosts.deny in my case?
>
> I already tried a reboot of the agent, it doesn't help.
>
> I'm using ossec2.6.
>
> Thanks for any help.
>
> Zoe
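As an added illustration of the 3-argument point above (not code from the thread or from OSSEC itself), the helper below prints the `delete` calls in the ACTION USER IP order the 2.x scripts expect (with `-` as the placeholder user, an assumption about the script convention) and checks whether an address still appears in a hosts.deny file; the AR_BIN path and the sample hosts.deny content are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes OSSEC 2.x
# active-response scripts take: ACTION USER IP ("-" when no user applies).
AR_BIN="${AR_BIN:-/var/ossec/active-response/bin}"

# Reject anything that is not a dotted-quad IPv4 address before it
# reaches a script that edits the firewall or hosts.deny.
valid_ipv4() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print (do not run) the two unblock commands with all three arguments.
# Piping the output to sh is left to the operator once it looks right.
ar_unblock_cmds() {
  ip=$1
  valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }
  printf '%s/host-deny.sh delete - %s\n' "$AR_BIN" "$ip"
  printf '%s/firewall-drop.sh delete - %s\n' "$AR_BIN" "$ip"
}

# Return 0 if the IP is still listed in the given hosts.deny file.
# Splits on spaces, tabs, ':' and ',' so "ALL:1.1.1.1" and
# "sshd: 1.1.1.1" both count, while 1.1.1.10 does not match 1.1.1.1.
still_denied() {
  awk -F '[ \t:,]+' -v ip="$2" \
    '{ for (i = 1; i <= NF; i++) if ($i == ip) f = 1 } END { exit !f }' "$1"
}

# Constructed sample hosts.deny for a dry run (no real system is touched).
demo() {
  tmp=$(mktemp)
  printf 'ALL:1.1.1.1\nsshd: 1.1.1.10\n' > "$tmp"
  ar_unblock_cmds 1.1.1.1
  if still_denied "$tmp" 1.1.1.1; then echo "1.1.1.1 still in hosts.deny"; fi
  rm -f "$tmp"
}
```

Even after both scripts have removed the address, the agent-side timeout the question describes is tracked by ossec itself, so this only confirms the firewall and hosts.deny state.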
