If what you are saying is true, then blocking my own host IP is normal 
behavior for OSSEC? Just want to know if there is any concern or if this is 
some type of hacker trick to hide what is really happening from the server 
itself. I don't remember where I found it. 

On Friday, May 23, 2014 2:27:51 AM UTC-4, OssecNewb wrote:
>
> Hello,
>
> My server has been scanned and/or attacked a lot on the iptables lately.   
> OSSEC interprets these as a level 2 "unknown error somewhere in the 
> system." Until I figured out what it meant I was very confused. Seems the 
> iptables decoder does not work on my server. If you have a decoder for this 
> I can add it would be much appreciated:
>
> SAMPLE ERROR
> May 23 06:18:22 webserver kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:84:78:ac:57:aa:c1:08:00 SRC=93.174.93.51 DST=[MY.HOST.IP] LEN=40 TOS=0x08 PREC=0x20 TTL=244 ID=54321 PROTO=TCP SPT=39305 DPT=22644 WINDOW=65535 RES=0x00 SYN URGP=0
>
>
> What confuses me even more however is that OSSEC is dropping/denying my 
> own host server IP as can be seen in the active-responses.log. Is this 
> normal? I didn't think I needed to actually whitelist the server host IP. I 
> thought previously that the internal IP address which was installed there 
> automatically was sufficient. On a side note, this doesn't appear to affect 
> my websites or any other function at all. So I'm not sure what is happening.
>
> SAMPLE FROM ACTIVE-RESPONSES LOG
> Fri May 23 01:43:34 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - [MY.HOST.IP] 1400823155.116483 20101
> Fri May 23 02:07:26 EDT 2014 /var/ossec/active-response/bin/host-deny.sh add - [MY.HOST.IP] 1400825246.123855 20101
>
>
> Please advise. Thank you.
>
>
>
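An added example, not from either poster in the thread, of the two pieces of OSSEC configuration the questions above point at: a custom decoder for the "iptables denied:" line quoted in the first message, and the ossec.conf white_list entry that keeps active response from blocking the server's own address. The decoder names, the file paths, and the [MY.HOST.IP] placeholder (carried over from the thread) are assumptions; the regex syntax (\S, \w, \d, \.+) and the order field names are OSSEC's own.

```xml
<!-- Added example (not from the thread). Assumed file: /var/ossec/etc/local_decoder.xml -->
<!-- OSSEC's syslog pre-decoder already strips "May 23 06:18:22 webserver" and sets
     program_name to "kernel", so the decoder only sees "iptables denied: IN=eth0 ..." -->
<decoder name="iptables-denied">
  <program_name>^kernel</program_name>
  <prematch>^iptables denied: </prematch>
</decoder>

<decoder name="iptables-denied-fields">
  <parent>iptables-denied</parent>
  <!-- \.+ skips LEN= TOS= PREC= TTL= ID= between DST and PROTO.
       SPT=/DPT= only exist for TCP/UDP; for ICMP this child regex will not match,
       the parent decoder still matches and srcip/dstip are simply not extracted. -->
  <regex offset="after_parent">SRC=(\S+) DST=(\S+) \.+PROTO=(\w+) SPT=(\d+) DPT=(\d+)</regex>
  <order>srcip, dstip, protocol, srcport, dstport</order>
</decoder>

<!-- Assumed file: /var/ossec/etc/ossec.conf (only the <global> section is shown).
     Addresses listed in white_list are never passed to firewall-drop.sh or
     host-deny.sh by active response. [MY.HOST.IP] is the placeholder used in the
     thread; put the server's real public address there. -->
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>[MY.HOST.IP]</white_list>
  </global>
</ossec_config>
```

To check the decoder without restarting anything, run /var/ossec/bin/ossec-logtest and paste the full "May 23 06:18:22 webserver kernel: iptables denied: ..." line; the output shows which decoder matched and the srcip/dstip/protocol/srcport/dstport it extracted, together with the rule that fired. After editing either file, restart with /var/ossec/bin/ossec-control restart. Keeping the decoder's extracted fields named srcip and dstip matters because active response keys its block on the srcip field, so a decoder that swapped the two would block the wrong side of the connection.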

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.