On Fri, May 23, 2014 at 1:03 PM, OssecNewb <[email protected]> wrote: > Ok, thanks for your input. I am going to add fail2ban to the roster and > whitelist my hostIP. Hopefully that will cover all my bases. >
You can add the system's IP to OSSEC's whitelist as well. I would encourage you to actually investigate the issue though. > > On Friday, May 23, 2014 11:42:23 AM UTC-4, dan (ddpbsd) wrote: >> >> On Fri, May 23, 2014 at 11:38 AM, OssecNewb >> <[email protected]> wrote: >> > If what you are saying is true, then blocking my own host IP is normal >> > behavior for OSSEC? Just want to know if there is any concern or if this >> > is >> > some type of hacker trick to hide what is really happening from the >> > server >> > itself. I don't remember where I found it. >> > >> >> I don't have access to your logs, so I cannot determine anything >> beyond baseless speculation. It could be a bug in a decoder/rule. It >> could be something nefarious. It could be a misconfiguration. There's >> no way to tell at this point. >> >> > >> > On Friday, May 23, 2014 2:27:51 AM UTC-4, OssecNewb wrote: >> >> >> >> Hello, >> >> >> >> My server has been scanned and/or attacked a lot on the iptables >> >> lately. >> >> OSSEC interprets these as a level 2 "unknown error somewhere in the >> >> system." >> >> Until I figured out what it meant I was very confused. Seems the >> >> iptables >> >> decoder does not work on my server. If you have a decoder for this I >> >> can add >> >> it would be much appreciated: >> >> >> >> SAMPLE ERROR >> >> May 23 06:18:22 webserver kernel: iptables denied: IN=eth0 OUT= >> >> MAC=fe:fd:ad:ff:ed:12:84:78:ac:57:aa:c1:08:00 SRC=93.174.93.51 >> >> DST=[MY.HOST.IP] LEN=40 TOS=0x08 PREC=0x20 TTL=244 ID=54321 PROTO=TCP >> >> SPT=39305 DPT=22644 WINDOW=65535 RES=0x00 SYN URGP=0 >> >> >> >> >> >> What confuses me even more however is that OSSEC is dropping/denying my >> >> own host server IP as can be seen in the active-responses.log. Is this >> >> normal? I didn't think I needed to actually whitelist the server host >> >> IP. I >> >> thought previously that the internal IP address which was installed >> >> there >> >> automatically was sufficient. On a side note, this doesn't appear to >> >> affect >> >> my websites or any other function at all. So I'm not sure what is >> >> happening. >> >> >> >> SAMPLE FROM ACTIVE-RESPONSES LOG >> >> Fri May 23 01:43:34 EDT 2014 >> >> /var/ossec/active-response/bin/firewall-drop.sh delete - [MY.HOST.IP] >> >> 1400823155.116483 20101 >> >> Fri May 23 02:07:26 EDT 2014 >> >> /var/ossec/active-response/bin/host-deny.sh >> >> add - [MY.HOST.IP] 1400825246.123855 20101 >> >> >> >> >> >> Please advise. Thank you. >> >> >> >> >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
