OK, thank you for helping me to understand more of this. Just one question: where exactly is it safe to put the repeat offenders code? Which file? local_rules.xml? Last time I played with local_rules and ossec.conf I got configuration errors that I couldn't recover from.
On Thursday, May 22, 2014 5:34:01 PM UTC-4, Joshua Garnett wrote:
>
> 1. The repeat offenders setting works really well for me, here are my
> settings for the firewall-drop
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>900</timeout>
>   <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
> </active-response>
>
> 2. If they are attacking you from a shared address you could lose
> viewers. If the percentage is low enough you may not care. That said, for
> most determined attackers, it'll be easy for them to get another IP address
> to attack you from.
>
> 3. False positives could ruin the experience for regular users.
>
> 4. All whitelisting does is prevent an active response from triggering.
> You'll still be alerted.
>
> --Josh
>
>
> On Thu, May 22, 2014 at 3:52 PM, Ossec User <[email protected]> wrote:
>
>> Hello,
>>
>> I have been getting an ongoing attack from a set range of IPs on my
>> WordPress sites about every 10 minutes. This happens every day, and every
>> time OSSEC just gives these IPs 503 responses for 600 seconds as default.
>> On a side note, I see hardly any sort of blacklisting for this set of IPs
>> by major providers/blacklisters. I would really like to increase the
>> limits and have OSSEC deal with these repeat offenders more severely. Here
>> are options I'm considering or have questions about:
>>
>> 1) Repeat Offenders Response
>> I heard of the repeat offenders response I can add to OSSEC but so far I
>> haven't been very good at getting it set up. I tried adding rules to OSSEC
>> but both times I had configuration errors result. At one point the error
>> was so bad I had to restore a backup of my server. Simply deleting what I
>> added to these files didn't seem to do the trick.
>>
>> a) To block repeat offenders, I tried to add this to the active response
>> section of ossec.conf. Without the # symbols of course.
>> ##<active-response>
>> ##<repeated_offenders>30,60,120</repeated_offenders>
>> ##</active-response>
>>
>> b) And to block access to the readme.html file in WordPress I tried to add
>> the following to local_rules.xml. I found this at hackertarget.com.
>>
>> <rule id="100040" level="6">
>>   <if_sid>31100</if_sid>
>>   <match>readme.html</match>
>>   <description>WordPress Recon - /readme.html accessed.</description>
>> </rule>
>>
>> 2) Permanent Blocking
>> Other than the fact that at some point some other party other than the
>> offender might use the IP in question, why is the response 600 seconds so
>> short? What is the actual concern over permanent or semi-permanent blocks?
>>
>> 3) Increase default response substantially
>> If permanently blocking isn't a good idea, what if I changed the default
>> 600s response to 10,000s or more..... would it hurt anything? I really
>> don't want to see any responses for a while from this set of IPs. In fact
>> I'd love to send an FU message along with that LOL but I'm sure your
>> response would be that it would put a strain on my server.
>>
>> 4) OTHER QUESTIONS:
>> I use ManageWP to manage my WordPress sites. Even though I have
>> whitelisted those IPs and my own IP address OSSEC still sends me error
>> messages about too many POST requests. Some at level 8 or more. Sometimes
>> these types of errors even quote my IP or even my server's own IP address.
>> Is this something I should worry about?
>>
>> Please forgive my noobness and all my own questions about all of this. I have
>> had OSSEC installed for 2 years but only recently discovered that it wasn't
>> set up correctly (I did not have NGINX logs or my WordPress logs added to
>> the files). I have been reading various sections of the OSSEC documentation
>> but a lot of it doesn't make sense to me. I really appreciate any advice
>> you can give. Thank you!
>>
>> INFO:
>> I'm using the latest version of OSSEC 2.7.1
>> On a LEMP server/Ubuntu with quite a number of WordPress websites
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
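The two fragments quoted in the thread live in different files: Josh's `<active-response>` block (with `<repeated_offenders>`) sits inside `<ossec_config>` in ossec.conf, while a `<rule>` belongs in local_rules.xml. Since the original poster lost a server to a bad edit, the check worth having is one that runs on a copy of the file before OSSEC is restarted. The script below is an added example, not the thread's own code and not part of OSSEC: it parses both fragments offline, flags the missing elements, and works out the escalating block durations that the `<timeout>` plus `<repeated_offenders>` pair produces. It assumes, per the OSSEC documentation, that the first offense is blocked for `<timeout>` seconds and each later offense for the next `<repeated_offenders>` entry in minutes (at most 5 entries), that `<command>` and `<location>` are required in an `<active-response>` block, and that custom rule ids belong in 100000-119999; the 600-second default is the one the thread mentions. The sample XML strings are constructed from the thread.

```python
"""Offline sanity check for the ossec.conf and local_rules.xml fragments
discussed in the thread. Added example; not OSSEC's own code."""
import xml.etree.ElementTree as ET

# Constructed sample: Josh's block, as it would sit in ossec.conf.
JOSH_OSSEC_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Constructed sample: the original poster's attempt (no command/location).
OP_OSSEC_CONF = """
<ossec_config>
  <active-response>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
"""

# Constructed sample: the readme.html rule, as it would sit in local_rules.xml.
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100040" level="6">
    <if_sid>31100</if_sid>
    <match>readme.html</match>
    <description>WordPress Recon - /readme.html accessed.</description>
  </rule>
</group>
"""

DEFAULT_TIMEOUT = 600          # seconds; the default mentioned in the thread
MAX_REPEATED_ENTRIES = 5       # assumption: documented maximum for repeated_offenders
LOCAL_RULE_ID_RANGE = (100000, 119999)  # assumption: documented range for custom rules


def parse_fragment(text):
    """Parse an ossec.conf or local_rules.xml fragment.

    ossec.conf may hold several top-level <ossec_config> elements, which is not
    a single-root XML document, so the text is wrapped in a dummy root first.
    Malformed XML raises ET.ParseError with a line/column, which is the cheap
    check to run on a copy before restarting OSSEC.
    """
    return ET.fromstring("<root>" + text + "</root>")


def active_response_blocks(text):
    """All <active-response> elements in an ossec.conf fragment."""
    return parse_fragment(text).findall(".//active-response")


def check_active_response(ar):
    """Return a list of problems found in one <active-response> element."""
    problems = []
    for tag in ("command", "location"):          # assumption: required by OSSEC
        if ar.find(tag) is None:
            problems.append("missing <%s>" % tag)
    ro = ar.findtext("repeated_offenders")
    if ro is not None:
        try:
            minutes = [int(v) for v in ro.split(",")]
        except ValueError:
            return problems + ["repeated_offenders is not a comma-separated list of integers"]
        if len(minutes) > MAX_REPEATED_ENTRIES:
            problems.append("repeated_offenders has more than %d entries" % MAX_REPEATED_ENTRIES)
        if minutes != sorted(minutes):
            problems.append("repeated_offenders should be increasing")
    return problems


def block_schedule(ar):
    """Seconds an offending IP stays blocked on its 1st, 2nd, 3rd, ... offense.

    First offense: <timeout> in seconds (600 if absent). Each later offense:
    the next <repeated_offenders> entry, given in minutes.
    """
    timeout = int(ar.findtext("timeout", DEFAULT_TIMEOUT))
    ro = ar.findtext("repeated_offenders")
    minutes = [int(v) for v in ro.split(",")] if ro else []
    return [timeout] + [m * 60 for m in minutes]


def check_rule(rule):
    """Return a list of problems found in one <rule> element from local_rules.xml."""
    problems = []
    rid, level = rule.get("id"), rule.get("level")
    lo, hi = LOCAL_RULE_ID_RANGE
    if rid is None or not rid.isdigit():
        problems.append("rule has no numeric id")
    elif not lo <= int(rid) <= hi:
        problems.append("rule id %s outside the local range %d-%d" % (rid, lo, hi))
    if level is None or not level.isdigit() or not 0 <= int(level) <= 16:
        problems.append("rule level must be an integer 0-16")
    if rule.find("description") is None:
        problems.append("missing <description>")
    sid = rule.findtext("if_sid")
    if sid is not None and not all(s.strip().isdigit() for s in sid.split(",")):
        problems.append("if_sid must be a comma-separated list of rule ids")
    return problems


def main():
    for name, text in (("Josh", JOSH_OSSEC_CONF), ("OP attempt", OP_OSSEC_CONF)):
        for ar in active_response_blocks(text):
            print(name, "problems:", check_active_response(ar) or "none")
            print(name, "block schedule (seconds):", block_schedule(ar))
    for rule in parse_fragment(LOCAL_RULES).iter("rule"):
        print("rule", rule.get("id"), "problems:", check_rule(rule) or "none")


if __name__ == "__main__":
    main()
```

Point `parse_fragment` at the contents of a copy of ossec.conf or local_rules.xml to get the same checks on a real file; a `ParseError` tells you which line is malformed before OSSEC is asked to load it. For Josh's block the schedule comes out as 900 seconds on the first offense, then 30, 60, 720, 1440 and 2880 minutes, which is the escalation the original poster was after.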
