The format is not quite what matches the rest of the hosts.deny file
# head /etc/hosts.deny
ALL:183.1.1.1/255.192.0.0
ALL:58.218.1.1/255.224.0.0
ALL:182.96.1.1/255.224.0.0
ALL:183.96.1.1/255.224.0.0
ALL:113.96.1.1/255.240.0.0
ALL:222.208.1.1/255.240.0.0
# tail -10 /etc/hosts.deny
ALL:218.106.254.121/255.255.255.255
ALL:219.234.80.221/255.255.255.255
ALL:220.187.241.24/255.255.255.255
ALL:220.194.202.139/255.255.255.255
ALL:222.236.44.115/255.255.255.255
ALL:223.197.52.236/255.255.255.255
ALL:202.120.50.131
ALL:202.120.50.131
ALL:202.120.50.131
ALL:202.120.50.131
It is xdelete that ruins the file ...
+ '[' xdelete = xdelete ']'
+ lock
+ i=0
+ '[' 1 ']'
+ mkdir /var/ossec/active-response/host-deny-lock
+ MSL=0
+ '[' 0 = 0 ']'
+ echo 11976
+ return
mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
++ mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
+ TMP_FILE = /var/ossec/ossec-hosts.WH8SSsvOj7
/var/ossec/active-response/bin/host-deny.sh: line 114: TMP_FILE: command not found
+ '[' X = X ']'
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1
++ cat /dev/urandom
++ tr -dc a-zA-Z0-9
++ fold -w 32
++ head -1
+ TMP_FILE = /var/ossec/ossec-hosts.3K92OdZnWGq9XRCHQYOqCcmlOeFqrsF8
/var/ossec/active-response/bin/host-deny.sh: line 117: TMP_FILE: command not found
+ '[' XLinux = XFreeBSD ']'
+ cat /etc/hosts.deny
+ grep -v 'ALL:202.120.50.131$'
/var/ossec/active-response/bin/host-deny.sh: line 123: ${TMP_FILE}: ambiguous redirect
+ cat
OBVIOUSLY!!!
# Deleting from hosts.deny
elif [ "x${ACTION}" = "xdelete" ]; then
    lock;
    TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
    if [ "X${TMP_FILE}" = "X" ]; then
        # Cheap fake tmpfile, but should be harder then no random data
        TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
    fi
==>
# Deleting from hosts.deny
elif [ "x${ACTION}" = "xdelete" ]; then
    lock;
    TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
    if [ "X${TMP_FILE}" = "X" ]; then
        # Cheap fake tmpfile, but should be harder then no random data
        TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
    fi
TWO erroneous uses of VAR = val instead of VAR=val
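As an added example (not the host-deny.sh code from the post or the OSSEC project), the POSIX sh below reproduces why the spaced assignment leaves TMP_FILE empty, and shows a fail-closed delete step that refuses to touch hosts.deny when the temp file name is empty. The scratch directory WORK, the function names and the sample hosts.deny lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the host-deny.sh code from the post: a fail-closed
# version of the "delete" branch, plus the assignment bug reproduced.
# Works on a constructed copy of hosts.deny in a scratch directory.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/hostsdeny-demo.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
HOSTS_DENY="$WORK/hosts.deny"
printf 'ALL:183.1.1.1/255.192.0.0\nALL:202.120.50.131\nALL:223.197.52.236/255.255.255.255\n' \
    > "$HOSTS_DENY"

# The bug from the post: with spaces, sh runs a command named TMP_FILE with
# the arguments "=" and the path ("command not found"), so the variable is
# never set. Returns the variable's length afterwards, which is 0.
bad_assignment_length() {
    TMP_FILE=""
    TMP_FILE = "$WORK/ossec-hosts.bad" 2>/dev/null || true
    printf '%s' "${#TMP_FILE}"
}

# Remove every "ALL:<ip>" line for one address. The optional 2nd argument
# names the temp file (used in the test to simulate an empty TMP_FILE).
# hosts.deny is never opened for writing; a filled temp file is swapped in
# atomically with mv. (The script's lock/unlock handling is left out.)
deny_delete() {
    ip=$1
    tmp=${2-$(mktemp "$WORK/ossec-hosts.XXXXXXXXXX")}
    # An empty name makes "> $tmp" an ambiguous redirect and turns the
    # later "cat $tmp > hosts.deny" into a read from stdin: stop here.
    [ -n "$tmp" ] || return 1
    # -F -x: literal whole-line match, so dots in the IP are not wildcards.
    # grep exits 1 when no line remains; only status 2 or more is an error.
    grep -F -v -x -- "ALL:${ip}" "$HOSTS_DENY" > "$tmp" || [ $? -eq 1 ] ||
        { rm -f "$tmp"; return 1; }
    mv "$tmp" "$HOSTS_DENY"
}

# Helpers that report the file state for inspection.
line_count() { wc -l < "$HOSTS_DENY" | tr -d ' '; }
has_entry()  { grep -F -q -x -- "ALL:$1" "$HOSTS_DENY"; }
```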
2015-04-02 10:48 GMT+02:00 <[email protected]>:
> Today's topic summary
>
> - send eventlog to ossec - 2 Updates
> - Wheezy/x86 : installation does not create startup script - 2 Updates
> - collect all logs and add OpenVPN logs - 21 Updates
> - Please help with CDB lists.... - 1 Update
> - OSSEC active response replaces hosts.deny and iptables - 2 Updates
>
> send eventlog to ossec
> [email protected]: Apr 01 02:03PM -0700
>
> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
> to install but it was unsuccessful, I attach two files.
> ...more
> Wheezy/x86 : installation does not create startup script
> [email protected]: Apr 01 08:53AM -0700
>
> Hi,
>
> I have a similar problem as below (subject on Jessie and system.d service)
> on Wheezy/x86-32: when I install the ossec-hids package, no init.d/ossec is
> copied, and, of course, the LSB ...more
> Santiago Bassett <[email protected]>: Apr 01 09:49AM -0700
>
> Hi Frank,
>
> I am the installers maintainer, sorry for the inconvenience. Not sure yet
> what is causing this problem, but will work on it right away. Hopefully I
> can have new packages ready in a few ...more
> collect all logs and add OpenVPN logs
> [email protected]: Apr 01 04:37AM -0700
>
> hi,
>
> First, I want ossec to collect all logs.
> I have set the logall option and
> the log alert level is even at 0
>
> <global>
> <logall>yes</logall>
> </global>
>
> <alerts> ...more
> "dan (ddp)" <[email protected]>: Apr 01 07:46AM -0400
>
> > still I don't get all log information, i usually get logs regarding event 3
> > (mostly or higher).
>
> > what else do I need to do, so OSSEC will log all events?
>
> All log messages received by ...more
> [email protected]: Apr 01 04:57AM -0700
>
> On Wednesday, April 1, 2015 at 1:47:03 PM UTC+2, dan (ddpbsd) wrote:
>
> > > Second question is about OpenVPN
>
> > > Can I gather openvpn events to OSSEC?
>
> > If it logs to a file you can.
> ...more
> "dan (ddp)" <[email protected]>: Apr 01 08:03AM -0400
>
> > also if you want,
> > but I would like to know if there is an easy way for OSSEC to read the
> > openvpn log files
>
> Add localfile options pointing to the logfiles in the system's
> ...more
> [email protected]: Apr 01 05:11AM -0700
>
> > you mean something like this and the information will be collected by
> > OSSEC agent (the openvpn is installed on a different server, managed by the
> > client)?
>
> <ossec_config> ...more
> "dan (ddp)" <[email protected]>: Apr 01 08:14AM -0400
>
> >> you mean something like this and the information will be collected by
> >> OSSEC agent (the openvpn is installed on a different server, managed by the
> >> client)?
>
> Something like that, yes. ...more
> [email protected]: Apr 01 05:15AM -0700
>
> well I will test this and let you know.
>
> thx Dan !!
>
> On Wednesday, April 1, 2015 at 2:14:17 PM UTC+2, dan (ddpbsd) wrote:
> ...more
> [email protected]: Apr 01 05:38AM -0700
>
> Hello Dan,
>
> sorry, this is the correct format:
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/etc/openvpn/log/openvpn.log</location>
> </localfile>
>
> the ossec services ...more
> "dan (ddp)" <[email protected]>: Apr 01 08:48AM -0400
>
> > I double checked the file and it was generating messages after I restarted
> > ossec
> > does ossec look only for errors and discard other information?
>
> No, it should send all log messages the agent ...more
> Santiago Bassett <[email protected]>: Apr 01 06:13AM -0700
>
> Also it might help to run "lsof /etc/openvpn/log/openvpn.log" to confirm
> ossec-logcollector process is reading that file. As well check that the
> logs are written in syslog format.
>
> ...more
> [email protected]: Apr 01 06:13AM -0700
>
> OK, this is what I found in the ossec.log
>
> ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'
>
> INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'
>
> ...more
> "dan (ddp)" <[email protected]>: Apr 01 09:23AM -0400
>
> > the openvpn.log doesn't reside on the ossec server but on a client, maybe
> > the ossec server was checking local
> > or should I put this rule on client config file?
>
> As I've said a number of times ...more
> [email protected]: Apr 01 07:11AM -0700
>
> what use is this solution then? wasn't the point of OSSEC to have
> centralized management....
> in my case we don't have so many servers running, but for an enterprise
> environment this is not ...more
> Santiago Bassett <[email protected]>: Apr 01 07:51AM -0700
>
> OSSEC supports centralized configuration management:
>
> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
>
> Thousands of Open Source solutions are used daily in ...more
> Inaki Rodriguez <[email protected]>: Apr 01 04:35PM +0200
>
> Hi!
>
> Sorry but I have deployed OSSEC on more than 400 servers, with the
> config centralized. Probably the problem is not OSSEC (maybe a RTFM
> related problem). You can specify the log files on your ...more
> [email protected]: Apr 01 08:16AM -0700
>
> Hello Santiago,
> Just because a lot of people use a certain product doesn't mean it's a
> good product.
> The main reason people use open source is because it's free.
> anyway, I see great potential ...more
> [email protected]: Apr 01 08:51AM -0700
>
> Thx Inaki,
>
> I'm doing my best to get it working, it's just taking a lot of time and is
> frustrating,
> and it is working, but I just need to fine tune a couple of things...
>
> On Wednesday, April 1, 2015 ...more
> [email protected]: Apr 01 08:53AM -0700
>
> can you get ossec to get all information from a certain log file and report
> it?
> have you tried using this command: /var/ossec/bin/util.sh addfile
> this is also handy, but how to revert it back ...more
> Inaki Rodriguez <[email protected]>: Apr 01 05:45PM +0200
>
> My contribution:
>
> <!-- Wed Apr 1 11:18:26 2015 91.126.130.4:63972 TLS: Username/Password
> authentication succeeded for username 'USERNAME' -->
> <decoder name="openvpn-success">
> ...more
> "dan (ddp)" <[email protected]>: Apr 01 12:38PM -0400
>
> > what use is this solution then? wasn't the point of OSSEC to have a
> > centralized management....
>
> It does, in the agent.conf. But you seemed to be having enough issues
> with basic configuration ...more
> "dan (ddp)" <[email protected]>: Apr 01 12:40PM -0400
>
> > ossec?
> > so not just alerts, but all the information in a log (this log file
> > generates very few)
>
> Add a localfile option to read that log file. That will read all of
> the information and ...more
> Please help with CDB lists....
> Brent Morris <[email protected]>: Apr 01 08:32AM -0700
>
> I found it...
>
> the issue was that I prepended a / ossec.conf <list>
>
> bad
> <list>*/*lists/filename</list>
>
> good!
> <list>lists/filename</list>
>
>
> Thanks for your help!
>
> On Tuesday, March 31, ...more
> OSSEC active response replaces hosts.deny and iptables
> "H.Merijn Brand" <[email protected]>: Apr 01 06:55AM -0700
>
> Op maandag 9 maart 2015 16:15:41 UTC+1 schreef dan (ddpbsd):
>
> > I don't see anything in host-deny.sh that should be replacing the
> > file. Try running it manually (maybe with /bin/sh -x) to see if ...more
> "dan (ddp)" <[email protected]>: Apr 01 10:22AM -0400
>
> > like
>
> > # sh -x /var/ossec/active-response/bin/host-deny.sh 202.120.50.131
>
> > ?
>
> Looking at the script, it seems you need:
> host-deny.sh add - 10.10.10.10
>
> ...more
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.