Dear Dan,
Even if I am logged with other email is the same scenario I
get locked. Its more got to do with phpmyadmin. Could it be that I am doing
big select statement causing this behavior? Is it possible to pause the
active response for temporary ? How can I further investigate the cause?
Regards,
Frwa.
On Tuesday, December 10, 2013 10:11:49 PM UTC+8, dan (ddpbsd) wrote:
>
> On Tue, Dec 10, 2013 at 9:08 AM, frwa onto <[email protected]<javascript:>>
> wrote:
> > Dear Christian,
> > Thank you for sharing your experience too.
> Hopefully
> > some one can exactly confirm what is the main cause of this behavior? I
> am
> > not sure if I off the active response should help?
> >
>
> If the IP address being blocked in the active response log is your IP
> address, then that is what is causing you to lose your ssh connection.
>
> > Regards,
> > Frwa.
> >
> >
> > On Tuesday, December 10, 2013 1:29:53 PM UTC+8, Christian Beer wrote:
> >>
> >> I also had this problem some time ago. Make sure you either whitelist
> >> your IP (if it doesn't change) or disable ossec before using
> phpmyadmin.
> >> As it is now, some actions are detected by ossec as malicious
> >> SQLInjection attacks and thus trigger the rule 31106. The firewall-drop
> >> is triggered by the 31106 rule and thus you ssh freezes. I found (and
> >> didn't really investigate) no other way to whitelist the phpmyadmin
> >> installation.
> >>
> >> Regards
> >> Christian
> >>
> >> Am 10.12.2013 03:54, schrieb frwa onto:
> >> > Dear Dan,
> >> > This log is showing " 2013/12/08 01:48:43 ossec-execd:
> >> > INFO:
> >> > Active response command not present:
> >> >> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on
> >> >> this
> >> >> system. " That active response is not present right so then why does
> is
> >> > deny the host. In fact that is my local ip where I am accessing the
> >> > server
> >> > locally not from eternal. I only do is that using phmyadmin to access
> my
> >> > db
> >> > and I always get denied and my ssh is broken? Does ossec sniff it as
> an
> >> > attack is it?
> >> >
> >> > Regards,
> >> > Frwa.
> >> >
> >> > On Sunday, December 8, 2013 3:24:39 PM UTC+8, frwa onto wrote:
> >> >>
> >> >> I have centos 6.5(Final) running. Lately I notice whenever I do
> >> >> anything
> >> >> in mysql after few minutes my ssh gets freeze. I dont know what is
> >> >> happening so looking to my /var/log/secure nothing is pointing there
> >> >> then I
> >> >> look into my ossec logs and I notice these lines.
> >> >>
> >> >> In my /var/ossec/log/ossec-log I see this
> >> >>
> >> >> 2013/12/07 20:50:27 ossec-syscheckd: INFO: Ending syscheck scan.
> >> >> 2013/12/08 01:48:43 ossec-execd: INFO: Active response command not
> >> >> present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not
> using
> >> >> it
> >> >> on this system.
> >> >> 2013/12/08 14:20:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> >> >> 2013/12/08 14:31:27 ossec-rootcheck: INFO: Ending rootcheck scan.
> >> >>
> >> >> But in my /var/ossec/log/active-responses.log I see this
> >> >>
> >> >> Sun Dec 8 15:14:25 MYT 2013
> >> >> /var/ossec/active-response/bin/host-deny.sh
> >> >> delete - 10.212.134.200 1386486234.11964 31106
> >> >> Sun Dec 8 15:14:25 MYT 2013
> >> >> /var/ossec/active-response/bin/firewall-drop.sh delete -
> 10.212.134.200
> >> >> 1386486234.11964 31106
> >> >>
> >> >> What can I do about this?
> >> >>
> >> >
> >>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to [email protected] <javascript:>.
> > For more options, visit https://groups.google.com/groups/opt_out.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
