I also had this problem some time ago. Make sure you either whitelist
your IP (if it doesn't change) or disable ossec before using phpmyadmin.
As it is now, some actions are detected by ossec as malicious
SQL injection attacks and thus trigger the rule 31106. The firewall-drop
is triggered by the 31106 rule and thus your ssh freezes. I found (and
didn't really investigate) no other way to whitelist the phpmyadmin
installation.

Regards
Christian

On 10.12.2013 03:54, frwa onto wrote:
> Dear Dan,
> This log is showing "2013/12/08 01:48:43 ossec-execd: INFO:
> Active response command not present:
> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
> system." That active response is not present, right, so then why does it
> deny the host? In fact that is my local IP, where I am accessing the server
> locally, not from external. All I do is use phpmyadmin to access my db
> and I always get denied and my ssh is broken. Does ossec sniff it as an
> attack, is it?
> 
> Regards,
> Frwa.
> 
> On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto wrote:
>>
>> I have CentOS 6.5 (Final) running. Lately I notice that whenever I do anything
>> in mysql, after a few minutes my ssh freezes. I don't know what is
>> happening, so I looked into my /var/log/secure and nothing is pointing there; then I
>> looked into my ossec logs and I noticed these lines.
>>
>> In my /var/ossec/log/ossec-log I see this
>>
>> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
>> 2013/12/08 01:48:43 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
>> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> But in my /var/ossec/log/active-responses.log I see this 
>>
>> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/host-deny.sh delete - 10.212.134.200 1386486234.11964 31106
>> Sun Dec  8 15:14:25 MYT 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200 1386486234.11964 31106
>>
>> What can I do about this? 
>>
> 
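
Added example, not part of the thread and not OSSEC's own code: a small Python parser for `active-responses.log` lines in the layout quoted above, tallying which source IP and rule ID each block belongs to (here rule 31106) and when the alert was raised. The `add` lines and the truncated line in the sample are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Field layout as seen in the log lines quoted in this thread:
# <date> <script> <add|delete> <user> <srcip> <alert id> <rule id>
LINE_RE = re.compile(
    r"^(?P<when>.+?)\s+(?P<script>/\S+)\s+(?P<action>add|delete)\s+"
    r"(?P<user>\S+)\s+(?P<srcip>\S+)\s+(?P<alert_id>\d+\.\d+)\s+(?P<rule>\d+)\s*$")

AR = "/var/ossec/active-response/bin/"
TAIL = " - 10.212.134.200 1386486234.11964 31106"
# The two "delete" lines are the ones quoted in the thread (unwrapped);
# the two "add" lines and the truncated last line are constructed.
SAMPLE_LOG = "\n".join([
    "Sun Dec  8 15:03:55 MYT 2013 " + AR + "host-deny.sh add" + TAIL,
    "Sun Dec  8 15:03:55 MYT 2013 " + AR + "firewall-drop.sh add" + TAIL,
    "Sun Dec  8 15:14:25 MYT 2013 " + AR + "host-deny.sh delete" + TAIL,
    "Sun Dec  8 15:14:25 MYT 2013 " + AR + "firewall-drop.sh delete" + TAIL,
    "Sun Dec  8 15:20:00 MYT 2013 truncated entry",
])

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The part of the alert id before the dot is the alert's epoch time.
    epoch = int(rec["alert_id"].split(".")[0])
    rec["alert_time"] = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return rec

def summarize(text):
    """Group add/delete actions by (srcip, rule id); skip unparseable lines."""
    out = defaultdict(lambda: {"add": 0, "delete": 0, "scripts": set(), "alert_time": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = out[(rec["srcip"], rec["rule"])]
        entry[rec["action"]] += 1
        entry["scripts"].add(rec["script"].rsplit("/", 1)[-1])
        entry["alert_time"] = rec["alert_time"]
    return dict(out)

def still_blocked(entry):
    """True when more blocks were added than removed for this IP/rule pair."""
    return entry["add"] > entry["delete"]

if __name__ == "__main__":
    for (ip, rule), e in summarize(SAMPLE_LOG).items():
        print(ip, "rule", rule, sorted(e["scripts"]), "blocked:", still_blocked(e))
```

An IP that appears here under a web rule such as 31106 while its owner was only using phpMyAdmin is a candidate for the whitelist mentioned in the reply above.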
