1. The repeat offenders setting works really well for me; here are my
settings for firewall-drop:
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>900</timeout>
  <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
</active-response>
2. If they are attacking you from a shared address you could lose viewers.
If the percentage is low enough you may not care. That said, for most
determined attackers, it'll be easy for them to get another IP address to
attack you from.
3. False positives could ruin the experience for regular users.
4. All whitelisting does is prevent an active response from triggering.
You'll still be alerted.
--Josh
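To see what the escalating block looks like in practice, here is an added example (not from this thread or from the OSSEC project) that parses an active-response block like the one above, refuses malformed XML before you restart OSSEC with it, and works out how long an IP stays blocked on each successive trigger. It assumes OSSEC's documented semantics: <timeout> is in seconds and covers the first trigger, while <repeated_offenders> is a comma-separated list of minutes applied to the second trigger onward, with the last value reused once the list runs out. The 600 s fallback is the default mentioned in the thread.

```python
"""Escalation schedule for an OSSEC <active-response> block.

Added example, not code from the mailing list or from OSSEC itself.
Assumed semantics (from the OSSEC documentation): <timeout> is seconds and
applies to the first trigger; <repeated_offenders> lists minutes for the
2nd, 3rd, ... trigger, and the last value is reused after the list ends.
"""
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_SECONDS = 600  # the stock value the original poster mentions

# Constructed copy of the block posted above, used as sample input.
ACTIVE_RESPONSE_XML = """
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>900</timeout>
  <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
</active-response>
"""

# Constructed broken block (unclosed element), the kind of edit that leaves
# OSSEC unable to start until the file is repaired.
BROKEN_XML = "<active-response><repeated_offenders>30,60,120</active-response>"


def parse_active_response(xml_text):
    """Return (timeout_seconds, [minutes, ...]) from one <active-response> block.

    Raises ValueError on malformed XML, a wrong root element, or values that
    are not positive integers, so it can be used as a pre-restart sanity check.
    """
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "active-response":
        raise ValueError(f"expected <active-response>, got <{root.tag}>")

    timeout_el = root.find("timeout")
    timeout = int(timeout_el.text) if timeout_el is not None else DEFAULT_TIMEOUT_SECONDS
    if timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")

    minutes = []
    ro_el = root.find("repeated_offenders")
    if ro_el is not None and ro_el.text:
        minutes = [int(v.strip()) for v in ro_el.text.split(",") if v.strip()]
        if any(m <= 0 for m in minutes):
            raise ValueError("repeated_offenders values must be positive minutes")
    return timeout, minutes


def block_duration(trigger_number, timeout, minutes):
    """Seconds an IP is blocked on its Nth trigger (1-based)."""
    if trigger_number < 1:
        raise ValueError("trigger_number starts at 1")
    if trigger_number == 1 or not minutes:
        return timeout
    # 2nd trigger -> minutes[0], 3rd -> minutes[1], ..., then the last entry.
    idx = min(trigger_number - 2, len(minutes) - 1)
    return minutes[idx] * 60


def schedule(xml_text, triggers):
    """Per-trigger block durations (seconds) for the first `triggers` triggers."""
    timeout, minutes = parse_active_response(xml_text)
    return [block_duration(n, timeout, minutes) for n in range(1, triggers + 1)]


def is_valid_block(xml_text):
    """True if the block parses cleanly, False otherwise (never raises)."""
    try:
        parse_active_response(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n, secs in enumerate(schedule(ACTIVE_RESPONSE_XML, 7), start=1):
        print(f"trigger {n}: blocked for {secs} s ({secs / 3600:.1f} h)")
    print("broken block accepted?", is_valid_block(BROKEN_XML))
```

Running it shows the block growing from 15 minutes on the first trigger to 48 hours by the sixth, which is the "more severe for repeat offenders" behaviour asked about without making any single block permanent. The well-formedness check is the cheap step that would have caught the unclosed element before OSSEC refused to start.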
On Thu, May 22, 2014 at 3:52 PM, Ossec User <[email protected]> wrote:
> Hello,
>
> I have been getting an ongoing attack from a set range of IPs on my
> WordPress sites about every 10 minutes. This happens every day, and every
> time OSSEC just gives these IPs 503 responses for 600 seconds as default.
> On a side note, I see hardly any sort of blacklisting for this set of IPs
> by major providers/blacklisters. I would really like to increase the
> limits and have OSSEC deal with these repeat offenders more severely. Here
> are options I'm considering or have questions about:
>
> 1) Repeat Offenders Response
> I heard of the repeat offenders response I can add to OSSEC, but so far I
> haven't been very good at getting it set up. I tried adding rules to OSSEC
> but both times I had configuration errors result. At one point the error
> was so bad I had to restore a backup of my server. Simply deleting what I
> added to these files didn't seem to do the trick.
>
>
> a) To block repeat offenders, I tried to add this to the active response
> section of ossec.conf. Without the # symbols of course.
> ##<active-response>
> ##<repeated_offenders>30,60,120</repeated_offenders>
> ##</active-response>
>
>
> b) And to block access to the readme.html file in WordPress, I tried to add
> the following to local_rules.xml. I found this at hackertarget.com.
>
> <rule id="100040" level="6">
> <if_sid>31100</if_sid>
> <match>readme.html</match>
> <description>WordPress Recon - /readme.html accessed.</description>
> </rule>
>
> 2) Permanent Blocking
> Other than the fact that at some point some other party other than
> offender might use the IP in question why is the response 600 seconds so
> short? What is the actual concern over permanent or semi-permanent blocks?
>
> 3) Increase default response substantially
> If permanently blocking isn't a good idea, what if I changed the default
> 600s response to 10,000s or more... would it hurt anything? I really
> don't want to see any responses for a while from this set of IPs. In fact
> I'd love to send an FU message along with that LOL but I'm sure your
> response would be that it would put a strain on my server.
>
> 4) OTHER QUESTIONS:
> I use ManageWP to manage my WordPress sites. Even though I have
> whitelisted those IPs and my own IP address, OSSEC still sends me error
> messages about too many POST requests. Some at level 8 or more. Sometimes
> these types of errors even quote my IP or even my server's own IP address.
> Is this something I should worry about?
>
>
> Please forgive my noobness and all my questions about all of this. I have
> had OSSEC installed for 2 years but only recently discovered that it wasn't
> set up correctly (I did not have NGINX logs or my WordPress logs added to
> the files). I have been reading various sections of the OSSEC documentation
> but a lot of it doesn't make sense to me. I really appreciate any advice
> you can give. Thank you!
>
>
> INFO:
> I'm using the latest version of OSSEC, 2.7.1,
> on a LEMP server/Ubuntu with quite a number of WordPress websites.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>