Ok, thanks for your input. I am going to add fail2ban to the roster and whitelist my hostIP. Hopefully that will cover all my bases.
On Friday, May 23, 2014 11:42:23 AM UTC-4, dan (ddpbsd) wrote: > > On Fri, May 23, 2014 at 11:38 AM, OssecNewb > <[email protected] <javascript:>> wrote: > > If what you are saying is true, then blocking my own host IP is normal > > behavior for OSSEC? Just want to know if there is any concern or if this > is > > some type of hacker trick to hide what is really happening from the > server > > itself. I don't remember where I found it. > > > > I don't have access to your logs, so I cannot determine anything > beyond baseless speculation. It could be a bug in a decoder/rule. It > could be something nefarious. It could be a misconfiguration. There's > no way to tell at this point. > > > > > On Friday, May 23, 2014 2:27:51 AM UTC-4, OssecNewb wrote: > >> > >> Hello, > >> > >> My server has been scanned and/or attacked a lot on the iptables > lately. > >> OSSEC interprets these as a level 2 "unknown error somewhere in the > system." > >> Until I figured out what it meant I was very confused. Seems the > iptables > >> decoder does not work on my server. If you have a decoder for this I > can add > >> it would be much appreciated: > >> > >> SAMPLE ERROR > >> May 23 06:18:22 webserver kernel: iptables denied: IN=eth0 OUT= > >> MAC=fe:fd:ad:ff:ed:12:84:78:ac:57:aa:c1:08:00 SRC=93.174.93.51 > >> DST=[MY.HOST.IP] LEN=40 TOS=0x08 PREC=0x20 TTL=244 ID=54321 PROTO=TCP > >> SPT=39305 DPT=22644 WINDOW=65535 RES=0x00 SYN URGP=0 > >> > >> > >> What confuses me even more however is that OSSEC is dropping/denying my > >> own host server IP as can be seen in the active-responses.log. Is this > >> normal? I didn't think I needed to actually whitelist the server host > IP. I > >> thought previously that the internal IP address which was installed > there > >> automatically was sufficient. On a side note, this doesn't appear to > affect > >> my websites or any other function at all. So I'm not sure what is > happening. > >> > >> SAMPLE FROM ACTIVE-RESPONSES LOG > >> Fri May 23 01:43:34 EDT 2014 > >> /var/ossec/active-response/bin/firewall-drop.sh delete - [MY.HOST.IP] > >> 1400823155.116483 20101 > >> Fri May 23 02:07:26 EDT 2014 > /var/ossec/active-response/bin/host-deny.sh > >> add - [MY.HOST.IP] 1400825246.123855 20101 > >> > >> > >> Please advise. Thank you. > >> > >> > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
