On Thu, May 22, 2014 at 7:53 PM, Joshua Garnett <[email protected]> wrote:
> It goes in your ossec.conf file within the root ossec_config tag. I've run into ordering issues with the rules files before, not sure if that happens with ossec.conf also, but to be safe, place it after specifying the command.
>
> <ossec_config>
>
> <!-- bunch of other stuff -->
>
> <command>
>   <name>firewall-drop</name>
>   <executable>firewall-drop.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>all</location>
>   <level>6</level>
>   <timeout>900</timeout>
>   <repeated_offenders>30,60,720,1440,2880</repeated_offenders>

I don't use it, so I could be wrong. But I thought the repeat offenders thing had to go in the agent's ossec.conf.

> </active-response>
>
> <!-- some more stuff -->
>
> </ossec_config>
>
> If things break, send an e-mail with the error and a copy of your ossec.conf file.
>
> --Josh
>
> On Thu, May 22, 2014 at 5:57 PM, Ossec User <[email protected]> wrote:
>> OK, thank you for helping me to understand more of this. Just one question: where exactly is it safe to put the repeat offenders code? Which file? local_rules.xml? Last time I played with local_rules and ossec.conf I got configuration errors that I couldn't recover from.
>>
>> On Thursday, May 22, 2014 5:34:01 PM UTC-4, Joshua Garnett wrote:
>>> 1. The repeat offenders setting works really well for me; here are my settings for the firewall-drop:
>>>
>>> <active-response>
>>>   <command>firewall-drop</command>
>>>   <location>all</location>
>>>   <level>6</level>
>>>   <timeout>900</timeout>
>>>   <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
>>> </active-response>
>>>
>>> 2. If they are attacking you from a shared address you could lose viewers. If the percentage is low enough you may not care. That said, for most determined attackers, it'll be easy for them to get another IP address to attack you from.
>>>
>>> 3. False positives could ruin the experience for regular users.
>>>
>>> 4. All whitelisting does is prevent an active response from triggering. You'll still be alerted.
>>>
>>> --Josh
>>>
>>> On Thu, May 22, 2014 at 3:52 PM, Ossec User <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> I have been getting an ongoing attack from a set range of IPs on my WordPress sites about every 10 minutes. This happens every day, and every time OSSEC just gives these IPs 503 responses for 600 seconds as default. On a side note, I see hardly any sort of blacklisting for this set of IPs by major providers/blacklisters. I would really like to increase the limits and have OSSEC deal with these repeat offenders more severely. Here are options I'm considering or have questions about:
>>>>
>>>> 1) Repeat Offenders Response
>>>> I heard of the repeat offenders response I can add to OSSEC, but so far I haven't been very good at getting it set up. I tried adding rules to OSSEC but both times I had configuration errors result. At one point the error was so bad I had to restore a backup of my server. Simply deleting what I added to these files didn't seem to do the trick.
>>>>
>>>> a) To block repeat offenders, I tried to add this to the active response section of ossec.conf. Without the # symbols of course.
>>>> ##<active-response>
>>>> ##<repeated_offenders>30,60,120</repeated_offenders>
>>>> ##</active-response>
>>>>
>>>> b) And to block access to the readme.html file in WordPress, I tried to add the following to local_rules.xml. I found this at hackertarget.com.
>>>>
>>>> <rule id="100040" level="6">
>>>>   <if_sid>31100</if_sid>
>>>>   <match>readme.html</match>
>>>>   <description>WordPress Recon - /readme.html accessed.</description>
>>>> </rule>
>>>>
>>>> 2) Permanent Blocking
>>>> Other than the fact that at some point some other party other than the offender might use the IP in question, why is the response 600 seconds so short? What is the actual concern over permanent or semi-permanent blocks?
>>>>
>>>> 3) Increase default response substantially
>>>> If permanently blocking isn't a good idea, what if I changed the default 600s response to 10,000s or more... would it hurt anything? I really don't want to see any responses for a while from this set of IPs. In fact I'd love to send an FU message along with that LOL but I'm sure your response would be that it would put a strain on my server.
>>>>
>>>> 4) OTHER QUESTIONS:
>>>> I use ManageWP to manage my WordPress sites. Even though I have whitelisted those IPs and my own IP address, OSSEC still sends me error messages about too many POST requests. Some at level 8 or more. Sometimes these types of errors even quote my IP or even my server's own IP address. Is this something I should worry about?
>>>>
>>>> Please forgive my noobness and all my questions about all of this. I have had OSSEC installed for 2 years but only recently discovered that it wasn't set up correctly (I did not have NGINX logs or my WordPress logs added to the files). I have been reading various sections of the OSSEC documentation but a lot of it doesn't make sense to me. I really appreciate any advice you can give. Thank you!
>>>>
>>>> INFO:
>>>> I'm using the latest version of OSSEC 2.7.1
>>>> On LEMP server/Ubuntu with quite a number of WordPress websites

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
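The placement and ordering advice in the thread above, as an added Python example that is neither from the thread nor from the OSSEC project: it parses a constructed ossec.conf fragment modeled on the one Josh quoted, flags a <repeated_offenders> element that is not inside an <active-response>, an active-response whose <command> is undefined or only defined later in the file, and lists the block length an IP gets on each successive offence (assuming, as the OSSEC documentation states, that <timeout> is in seconds and repeated_offenders entries are in minutes).

```python
import xml.etree.ElementTree as ET

# Constructed sample, modeled on the ossec.conf fragment Josh quoted in the thread.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>
</ossec_config>"""


def check_active_responses(conf_xml):
    """Return a list of problems; an empty list means the fragment looks sane."""
    root = ET.fromstring(conf_xml)
    problems = []
    # position of each <command> definition among the <ossec_config> children
    defined = {(c.findtext("name") or "").strip(): pos
               for pos, c in enumerate(root) if c.tag == "command"}
    for pos, child in enumerate(root):
        if child.tag != "active-response":
            continue
        name = (child.findtext("command") or "").strip()
        if name not in defined:
            problems.append("active-response references undefined command %r" % name)
        elif defined[name] > pos:  # the ordering Josh suggests avoiding
            problems.append("command %r is defined after the active-response using it" % name)
    # <repeated_offenders> only means something inside an <active-response> block
    for parent in root.iter():
        for elem in parent:
            if elem.tag == "repeated_offenders" and parent.tag != "active-response":
                problems.append("<repeated_offenders> found under <%s>, not <active-response>" % parent.tag)
    return problems


def block_schedule(conf_xml):
    """Block length in seconds per offence: <timeout> (seconds), then each repeated_offenders entry (minutes)."""
    ar = ET.fromstring(conf_xml).find("active-response[repeated_offenders]")
    if ar is None or ar.findtext("timeout") is None:
        return []  # no block carrying both a timeout and an escalation list
    minutes = ar.findtext("repeated_offenders").split(",")
    return [int(ar.findtext("timeout"))] + [int(m) * 60 for m in minutes]
```

Run check_active_responses over your own ossec.conf text before restarting OSSEC; an empty list only means these particular mistakes are absent, not that the whole file is valid.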
