Hello, My server has been scanned and/or attacked a lot on the iptables lately. OSSEC interprets these as a level 2 "unknown error somewhere in the system." Until I figured out what it meant I was very confused. Seems the iptables decoder does not work on my server. If you have a decoder for this I can add it would be much appreciated:
SAMPLE ERROR May 23 06:18:22 webserver kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:84:78:ac:57:aa:c1:08:00 SRC=93.174.93.51 DST=[MY.HOST.IP] LEN=40 TOS=0x08 PREC=0x20 TTL=244 ID=54321 PROTO=TCP SPT=39305 DPT=22644 WINDOW=65535 RES=0x00 SYN URGP=0 What confuses me even more however is that OSSEC is dropping/denying my own host server IP as can be seen in the active-responses.log. Is this normal? I didn't think I needed to actually whitelist the server host IP. I thought previously that the internal IP address which was installed there automatically was sufficient. On a side note, this doesn't appear to affect my websites or any other function at all. So I'm not sure what is happening. SAMPLE FROM ACTIVE-RESPONSES LOG Fri May 23 01:43:34 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - [MY.HOST.IP] 1400823155.116483 20101 Fri May 23 02:07:26 EDT 2014 /var/ossec/active-response/bin/host-deny.sh add - [MY.HOST.IP] 1400825246.123855 20101 Please advise. Thank you. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
