On Wed, Oct 16, 2013 at 10:18 AM, MM <[email protected]> wrote:
> Interestingly, I came back to this the next day and it was working. Now the
> problem is that I'm getting double-entries in the iptables DROP list (making
> it hard to remove) and it's blocking IPs in my whitelist. I can't figure
> out why it's doing that and when I search the logs I can't even find a
> reason for it.
>
> I was testing this on a live mailserver yesterday and it went nuts. It
> suddenly tried to add thousands of IPs to the drop list causing the server
> to hang. Not sure where to go at the moment.
>
> Thank you for the help so far!!
>

Can you post your AR configuration?

>
> On Saturday, 12 October 2013 16:52:27 UTC-7, MM wrote:
>>
>> Greetings,
>>
>> I'm new to OSSEC having just installed a standalone version on one
>> machine, and the 2.7.1-beta version on a dedicated VM with a bunch of agents
>> connected to it. My first goal is to try and get the firewall to drop IPs
>> from attackers trying to spam or brute force accounts etc. So far this
>> works fine on the standalone server but I haven't seen any IPs added to the
>> iptables drop list on any of the agents. I've changed the stock firewall
>> rule from "local" to "all" in the server ossec.conf and restarted.
>>
>> The following triggers Level 10 alert but doesn't trigger the firewall
>> drop on the affected agent.
>> Oct 11 21:21:02 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]
>> Oct 11 21:20:52 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [test]
>> Oct 11 21:20:43 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [admin]
>> Oct 11 21:20:31 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [webuser]
>> Oct 11 21:20:22 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]
>> Oct 11 21:20:04 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [test]
>> Oct 11 21:19:57 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [admin]
>> Oct 11 21:19:44 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [webuser]
>>
>> Also noticing a lot of reports of files changing.
>> /sbin/fsfreeze
>> /usr/bin/pklogin_finder
>> /etc/prelink.cache
>> /etc/alternatives/ksh-usrbin
>> /usr/bin/ssltap
>>
>> I'm searching the web for info but I'm not having much success determining
>> if this is normal activity or something of concern. The OS for most hosts
>> is CentOS 5.x
>>
>> Thanks.
>>
>> MM
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
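Added example, not code from the thread or from OSSEC: the kind of frequency correlation OSSEC's rules perform on the pure-ftpd failures quoted above, done by hand in Python over constructed log lines, with a whitelist check and a set so each source address is listed once rather than twice. The `(?@ip)` prefix, the threshold of 4 failures in 120 seconds and the 192.0.2.0/24 whitelist are assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample input modelled on the pure-ftpd lines quoted in the thread;
# the thread's source addresses are redacted, so these are made-up RFC 5737 IPs.
SAMPLE_LOG = """\
Oct 11 21:19:44 webserver pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [webuser]
Oct 11 21:19:57 webserver pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]
Oct 11 21:20:04 webserver pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [test]
Oct 11 21:20:22 webserver pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [user]
Oct 11 21:20:10 webserver pure-ftpd: (?@192.0.2.5) [WARNING] Authentication failed for user [admin]
Oct 11 21:20:11 webserver pure-ftpd: (?@192.0.2.5) [WARNING] Authentication failed for user [admin]
Oct 11 21:20:12 webserver pure-ftpd: (?@192.0.2.5) [WARNING] Authentication failed for user [admin]
Oct 11 21:20:13 webserver pure-ftpd: (?@192.0.2.5) [WARNING] Authentication failed for user [admin]
Oct 11 21:00:00 webserver pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Oct 11 21:03:00 webserver pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Oct 11 21:06:00 webserver pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Oct 11 21:09:00 webserver pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
"""
# Addresses that must never be dropped (assumed value; OSSEC keeps its own <white_list>).
WHITE_LIST = [ipaddress.ip_network("192.0.2.0/24")]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \(\S*@(?P<ip>[\d.]+)\) "
    r"\[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)

def parse_failures(log):
    """Return {srcip: sorted list of failure timestamps} for pure-ftpd auth failures."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog lines carry no year; strptime fills in 1900, fine for time deltas
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def ips_to_drop(log, frequency=4, timeframe=120, white_list=WHITE_LIST):
    """IPs with >= frequency failures inside any timeframe-second window, minus
    the whitelist; a set means each offender is listed once, never twice."""
    drop = set()
    for ip, times in parse_failures(log).items():
        if any(ipaddress.ip_address(ip) in net for net in white_list):
            continue  # whitelisted source: never block
        for i in range(len(times) - frequency + 1):  # sliding window over sorted times
            if (times[i + frequency - 1] - times[i]).total_seconds() <= timeframe:
                drop.add(ip)
                break
    return sorted(drop)
```

With the defaults only 203.0.113.10 is returned: 192.0.2.5 is whitelisted and 198.51.100.7 spreads its four failures over nine minutes, so it never reaches four inside 120 seconds.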
