Ok will do thank you so much!

On Thursday, May 22, 2014 7:53:01 PM UTC-4, Joshua Garnett wrote:
> It goes in your ossec.conf file within the root ossec_config tag. I've run
> into ordering issues with the rules files before, not sure if that happens
> with ossec.conf also, but to be safe, place it after specifying the command.
>
> <ossec_config>
>
>   <!-- bunch of other stuff -->
>
>   <command>
>     <name>firewall-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <active-response>
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>900</timeout>
>     <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
>   </active-response>
>
>   <!-- some more stuff -->
>
> </ossec_config>
>
> If things break, send an e-mail with the error and a copy of your
> ossec.conf file.
>
> --Josh
>
> On Thu, May 22, 2014 at 5:57 PM, Ossec User <[email protected]> wrote:
>> Ok thank you for helping me to understand more of this. Just one question,
>> where exactly is it safe to put the repeat offenders code? Which file?
>> local_rules.xml? Last time I played with local_rules and ossec.conf I got
>> configuration errors that I couldn't recover from.
>>
>> On Thursday, May 22, 2014 5:34:01 PM UTC-4, Joshua Garnett wrote:
>>> 1. The repeat offenders setting works really well for me, here are my
>>> settings for the firewall-drop:
>>>
>>>   <active-response>
>>>     <command>firewall-drop</command>
>>>     <location>all</location>
>>>     <level>6</level>
>>>     <timeout>900</timeout>
>>>     <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
>>>   </active-response>
>>>
>>> 2. If they are attacking you from a shared address you could lose viewers.
>>> If the percentage is low enough you may not care. That said, for most
>>> determined attackers, it'll be easy for them to get another IP address to
>>> attack you from.
>>>
>>> 3. False positives could ruin the experience for regular users.
>>>
>>> 4. All whitelisting does is prevent an active response from triggering.
>>> You'll still be alerted.
>>>
>>> --Josh
>>>
>>> On Thu, May 22, 2014 at 3:52 PM, Ossec User <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> I have been getting an ongoing attack from a set range of IPs on my
>>>> WordPress sites about every 10 minutes. This happens every day, and every
>>>> time OSSEC just gives these IPs 503 responses for 600 seconds as default.
>>>> On a side note, I see hardly any sort of blacklisting for this set of IPs
>>>> by major providers/blacklisters. I would really like to increase the
>>>> limits and have OSSEC deal with these repeat offenders more severely. Here
>>>> are options I'm considering or have questions about:
>>>>
>>>> 1) Repeat Offenders Response
>>>> I heard of the repeat offenders response I can add to OSSEC but so far I
>>>> haven't been very good at getting it set up. I tried adding rules to OSSEC
>>>> but both times I had configuration errors result. At one point the error
>>>> was so bad I had to restore a backup of my server. Simply deleting what I
>>>> added to these files didn't seem to do the trick.
>>>>
>>>> a) To block repeat offenders, I tried to add this to the active response
>>>> section of ossec.conf. Without the # symbols of course.
>>>>
>>>>   ##<active-response>
>>>>   ##<repeated_offenders>30,60,120</repeated_offenders>
>>>>   ##</active-response>
>>>>
>>>> b) And to block access to the readme.html file in WordPress I tried to
>>>> add the following to local_rules.xml. I found this at hackertarget.com.
>>>>
>>>>   <rule id="100040" level="6">
>>>>     <if_sid>31100</if_sid>
>>>>     <match>readme.html</match>
>>>>     <description>WordPress Recon - /readme.html accessed.</description>
>>>>   </rule>
>>>>
>>>> 2) Permanent Blocking
>>>> Other than the fact that at some point some other party other than the
>>>> offender might use the IP in question, why is the response 600 seconds so
>>>> short? What is the actual concern over permanent or semi-permanent blocks?
>>>>
>>>> 3) Increase default response substantially
>>>> If permanently blocking isn't a good idea, what if I changed the default
>>>> 600s response to 10,000s or more..... would it hurt anything? I really
>>>> don't want to see any responses for a while from this set of IPs. In fact
>>>> I'd love to send an FU message along with that LOL but I'm sure your
>>>> response would be that it would put a strain on my server.
>>>>
>>>> 4) OTHER QUESTIONS:
>>>> I use ManageWP to manage my WordPress sites. Even though I have
>>>> whitelisted those IPs and my own IP address, OSSEC still sends me error
>>>> messages about too many POST requests. Some at level 8 or more. Sometimes
>>>> these types of errors even quote my IP or even my server's own IP address.
>>>> Is this something I should worry about?
>>>>
>>>> Please forgive my noobness and all my own questions about all of this. I
>>>> have had OSSEC installed for 2 years but only recently discovered that it
>>>> wasn't set up correctly (I did not have NGINX logs or my WordPress logs
>>>> added to the files). I have been reading various sections of the OSSEC
>>>> documentation but a lot of it doesn't make sense to me. I really
>>>> appreciate any advice you can give. Thank you!
>>>>
>>>> INFO:
>>>> I'm using the latest version of OSSEC 2.7.1
>>>> On LEMP server/Ubuntu with quite a number of WordPress websites
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>>
>>>> For more options, visit https://groups.google.com/d/optout.
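A small checker for the ossec.conf layout Josh describes above (the `<command>` defined before the `<active-response>` that references it, `<timeout_allowed>yes</timeout_allowed>` when a `<timeout>` is used), which also works out how long a repeat offender stays blocked on each successive trigger. This is an added example, not code from the thread or from the OSSEC project; it assumes the units given in the OSSEC documentation (`<timeout>` in seconds, each `<repeated_offenders>` entry in minutes) and uses a constructed copy of Josh's fragment as input.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment Josh posted, wrapped in ossec_config.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>
</ossec_config>"""

def check_active_responses(conf_xml):
    """Return a list of problems; empty means the blocks are consistent."""
    problems, defined = [], {}
    for el in ET.fromstring(conf_xml):  # document order: command must come first
        if el.tag == "command":
            defined[el.findtext("name")] = el
        elif el.tag == "active-response":
            name = el.findtext("command")
            cmd = defined.get(name)
            if cmd is None:  # undefined, or defined below the active-response
                problems.append(f"active-response uses command {name!r} not defined above it")
                continue
            if el.find("timeout") is not None and cmd.findtext("timeout_allowed") != "yes":
                problems.append(f"command {name!r} needs <timeout_allowed>yes</timeout_allowed>")
            mins = [int(v) for v in (el.findtext("repeated_offenders") or "").split(",") if v]
            if mins != sorted(mins):
                problems.append("repeated_offenders values should increase")
    return problems

def block_schedule(conf_xml, command="firewall-drop"):
    """Seconds blocked on the 1st, 2nd, ... trigger: base <timeout> (seconds),
    then each <repeated_offenders> entry (minutes), as the OSSEC docs describe."""
    for el in ET.fromstring(conf_xml).findall("active-response"):
        if el.findtext("command") == command:
            base = int(el.findtext("timeout"))
            repeats = el.findtext("repeated_offenders") or ""
            return [base] + [int(v) * 60 for v in repeats.split(",") if v]
    return []
```

With Josh's values the schedule is 15 minutes on the first trigger, then 30 minutes, 1 hour, 12 hours, 1 day and 2 days, which is the kind of escalation the original poster was asking for instead of a flat 600 seconds.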
