It goes in your ossec.conf file within the root ossec_config tag.  I've run
into ordering issues with the rules files before; I'm not sure if that happens
with ossec.conf also, but to be safe, place it after specifying the command.

<ossec_config>

  <!-- bunch of other stuff -->

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>

  <!-- some more stuff -->

</ossec_config>


If things break, send an e-mail with the error and a copy of your
ossec.conf file.


--Josh
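
As an added example, not code from the thread or from the OSSEC project: a Python check over the fragment above that confirms each <active-response> refers to a <command> defined before it (Josh's ordering caution) and spells out the block schedule the settings produce for one offending IP. It assumes the OSSEC semantics where <timeout> is seconds for the first block and each <repeated_offenders> entry is minutes for the next repeat of the same srcip.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the fragment from Josh's reply, wrapped so it parses alone.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>
</ossec_config>"""

def _schedule(ar):
    # Seconds blocked on the 1st, 2nd, ... trigger for the same srcip: <timeout>
    # is seconds (600 is the OSSEC default), each repeated_offenders entry is minutes.
    base = int(ar.findtext("timeout", "600"))
    repeats = ar.findtext("repeated_offenders", "")
    return [base] + [int(m) * 60 for m in repeats.split(",") if m.strip()]

def block_schedule(conf_xml, command_name):
    # Schedule for the active-response that runs command_name, or None if absent.
    for ar in ET.fromstring(conf_xml).findall("active-response"):
        if ar.findtext("command") == command_name:
            return _schedule(ar)
    return None

def check_active_responses(conf_xml):
    # Human-readable problems found in the fragment; an empty list means it looks OK.
    children = list(ET.fromstring(conf_xml))  # document order matters below
    defined = {c.findtext("name"): i for i, c in enumerate(children)
               if c.tag == "command" and c.findtext("name")}
    problems = []
    for i, ar in enumerate(children):
        if ar.tag != "active-response":
            continue
        name = ar.findtext("command")
        if name not in defined:
            problems.append(f"active-response uses undefined command {name!r}")
        elif defined[name] > i:  # Josh's ordering caution: define the command first
            problems.append(f"command {name!r} is defined after the response using it")
        sched = _schedule(ar)
        if sched != sorted(set(sched)):  # the list must strictly escalate
            problems.append(f"{name!r}: repeated_offenders should escalate, got {sched}")
    return problems
```

For the sample, check_active_responses returns an empty list and block_schedule gives 900 s for the first block, then 30, 60, 720, 1440 and 2880 minutes for the repeats.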


On Thu, May 22, 2014 at 5:57 PM, Ossec User <[email protected]> wrote:

> Ok thank you for helping me to understand more of this. Just one question,
> where exactly is it safe to put the repeat offenders code? Which file?
> local_rules.xml?  last time I played with local_rules and ossec.conf I got
> configuration errors that I couldn't recover from.
>
>
> On Thursday, May 22, 2014 5:34:01 PM UTC-4, Joshua Garnett wrote:
>
>> 1.  The repeat offenders setting works really well for me; here are my
>> settings for the firewall-drop:
>>
>>   <active-response>
>>     <command>firewall-drop</command>
>>     <location>all</location>
>>     <level>6</level>
>>     <timeout>900</timeout>
>>     <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
>>   </active-response>
>>
>>
>> 2.  If they are attacking you from a shared address you could lose
>> viewers.  If the percentage is low enough you may not care.  That said, for
>> most determined attackers, it'll be easy for them to get another IP address
>> to attack you from.
>>
>> 3. False positives could ruin the experience for regular users.
>>
>> 4. All whitelisting does is prevent an active response from triggering.
>> You'll still be alerted.
>>
>> --Josh
>>
>>
>> On Thu, May 22, 2014 at 3:52 PM, Ossec User <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I have been getting an ongoing attack from a set range of IPs on my
>>> WordPress sites about every 10 minutes. This happens every day, and every
>>> time OSSEC just gives these IPs 503 responses for 600 seconds as default.
>>> On a side note, I see hardly any sort of blacklisting for this set of IPs
>>> by major providers/blacklisters.  I would really like to increase the
>>> limits and have OSSEC deal with these repeat offenders more severely.  Here
>>> are options I'm considering or have questions about:
>>>
>>> 1) Repeat Offenders Response
>>> I heard of the repeat offenders response I can add to OSSEC but so far I
>>> haven't been very good at getting it set up. I tried adding rules to OSSEC
>>> but both times I had configuration errors result. At one point the error
>>> was so bad I had to restore a backup of my server. Simply deleting what I
>>> added to these files didn't seem to do the trick.
>>>
>>>
>>> a) To block repeat offenders, I tried to add this to the active response
>>> section of ossec.conf. Without the # symbols, of course.
>>> ##<active-response>
>>> ##<repeated_offenders>30,60,120</repeated_offenders>
>>> ##</active-response>
>>>
>>>
>>> b) And to block access to the readme.html file in WordPress I tried to add
>>> the following to local_rules.xml. I found this at hackertarget.com.
>>>
>>> <rule id="100040" level="6">
>>>    <if_sid>31100</if_sid>
>>>    <match>readme.html</match>
>>>    <description>WordPress Recon - /readme.html accessed.</description>
>>> </rule>
>>>
>>> 2) Permanent Blocking
>>> Other than the fact that at some point some other party than the
>>> offender might use the IP in question, why is the response 600 seconds so
>>> short?  What is the actual concern over permanent or semi-permanent blocks?
>>>
>>> 3) Increase default response substantially
>>> If permanent blocking isn't a good idea, what if I changed the
>>> default 600s response to 10,000s or more? Would it hurt anything? I
>>> really don't want to see any responses for a while from this set of IPs. In
>>> fact I'd love to send an FU message along with that LOL but I'm sure your
>>> response would be that it would put a strain on my server.
>>>
>>> 4) OTHER QUESTIONS:
>>> I use ManageWP to manage my WordPress sites. Even though I have
>>> whitelisted those IPs and my own IP address, OSSEC still sends me error
>>> messages about too many POST requests. Some at level 8 or more. Sometimes
>>> these types of errors even quote my IP or even my server's own IP address.
>>> Is this something I should worry about?
>>>
>>>
>>> Please forgive my noobness and all my questions about all of this. I have
>>> had OSSEC installed for 2 years but only recently discovered that it wasn't
>>> set up correctly (I did not have NGINX logs or my WordPress logs added to
>>> the files). I have been reading various sections of the OSSEC documentation
>>> but a lot of it doesn't make sense to me. I really appreciate any advice
>>> you can give.  Thank you!
>>>
>>>
>>> INFO:
>>> I'm using the latest version of OSSEC, 2.7.1,
>>> on a LEMP server/Ubuntu with quite a number of WordPress websites.
>>>
>>>  --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>>
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
