On Thu, Apr 2, 2015 at 5:30 AM, H.Merijn Brand <[email protected]> wrote:
>
> The format is not quite what matches the rest of the hosts.deny file
>
> # head /etc/hosts.deny
> ALL:183.1.1.1/255.192.0.0
> ALL:58.218.1.1/255.224.0.0
> ALL:182.96.1.1/255.224.0.0
> ALL:183.96.1.1/255.224.0.0
> ALL:113.96.1.1/255.240.0.0
> ALL:222.208.1.1/255.240.0.0
>
> # tail -10 /etc/hosts.deny
> ALL:218.106.254.121/255.255.255.255
> ALL:219.234.80.221/255.255.255.255
> ALL:220.187.241.24/255.255.255.255
> ALL:220.194.202.139/255.255.255.255
> ALL:222.236.44.115/255.255.255.255
> ALL:223.197.52.236/255.255.255.255
> ALL:202.120.50.131
> ALL:202.120.50.131
> ALL:202.120.50.131
> ALL:202.120.50.131
>
> It is xdelete that ruins the file ...
>
> + '[' xdelete = xdelete ']'
> + lock
> + i=0
> + '[' 1 ']'
> + mkdir /var/ossec/active-response/host-deny-lock
> + MSL=0
> + '[' 0 = 0 ']'
> + echo 11976
> + return
> mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
> ++ mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
> + TMP_FILE = /var/ossec/ossec-hosts.WH8SSsvOj7
> /var/ossec/active-response/bin/host-deny.sh: line 114: TMP_FILE: command not found
> + '[' X = X ']'
> cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1
> ++ cat /dev/urandom
> ++ tr -dc a-zA-Z0-9
> ++ fold -w 32
> ++ head -1
> + TMP_FILE = /var/ossec/ossec-hosts.3K92OdZnWGq9XRCHQYOqCcmlOeFqrsF8
> /var/ossec/active-response/bin/host-deny.sh: line 117: TMP_FILE: command not found
> + '[' XLinux = XFreeBSD ']'
> + cat /etc/hosts.deny
> + grep -v 'ALL:202.120.50.131$'
> /var/ossec/active-response/bin/host-deny.sh: line 123: ${TMP_FILE}: ambiguous redirect
> + cat
>
>
> OBVIOUSLY!!!
>
>
> # Deleting from hosts.deny
> elif [ "x${ACTION}" = "xdelete" ]; then
>     lock;
>     TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>     if [ "X${TMP_FILE}" = "X" ]; then
>         # Cheap fake tmpfile, but should be harder then no random data
>         TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
>     fi
>
> ==>
>
> # Deleting from hosts.deny
> elif [ "x${ACTION}" = "xdelete" ]; then
>     lock;
>     TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>     if [ "X${TMP_FILE}" = "X" ]; then
>         # Cheap fake tmpfile, but should be harder then no random data
>         TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
>     fi
>
>
> TWO erroneous uses of VAR = val instead of VAR=val
>
Which were fixed on Sept 24, 2014 by a nice and handsome user.
>
> 2015-04-02 10:48 GMT+02:00 <[email protected]>:
>>
>> [email protected] Google Groups
>> Today's topic summary
>>
>> send eventlog to ossec - 2 Updates
>> Wheezy/x86 : installation does not creates startup script - 2 Updates
>> collect all logs and add OpenVPN logs - 21 Updates
>> Please help with CDB lists.... - 1 Update
>> OSSEC active responce replaces hosts.deny and iptables - 2 Updates
>>
>> send eventlog to ossec
>> [email protected]: Apr 01 02:03PM -0700
>>
>> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
>> to install but it was unsuccessful, I attach two files.
>> ...more
>> [email protected]: Apr 01 02:14PM -0700
>>
>> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
>> to install but it was unsuccessful, I attach two files.
>> ...more
>>
>> Wheezy/x86 : installation does not creates startup script
>> [email protected]: Apr 01 08:53AM -0700
>>
>> Hi,
>>
>> I have a similar problem as below (subject on Jessie and system.d service)
>> on Wheezy/x86-32: when I install the ossec-hids package, no init.d/ossec is
>> copied, and, of course, the LSB ...more
>> Santiago Bassett <[email protected]>: Apr 01 09:49AM -0700
>>
>> Hi Frank,
>>
>> I am the installers maintainer, sorry for the inconvenience. Not sure yet
>> what is causing this problem, but will work on it right away. Hopefully I
>> can have new packages ready in a few ...more
>>
>> collect all logs and add OpenVPN logs
>> [email protected]: Apr 01 04:37AM -0700
>>
>> hi,
>>
>> First I want ossec to collect all logs.
>> I have put the logall options and
>> log alertlevel is even at 0
>>
>> <global>
>> <logall>yes</logall>
>> </global>
>>
>> <alerts> ...more
>> "dan (ddp)" <[email protected]>: Apr 01 07:46AM -0400
>>
>> > still I don't get all log information, i usually get logs regarding event 3
>> > (mostly or higher).
>>
>> > what else do I need to do, so OSSEC will log all events?
>>
>> All log messages received by ...more
>> [email protected]: Apr 01 04:57AM -0700
>>
>> On Wednesday, April 1, 2015 at 1:47:03 PM UTC+2, dan (ddpbsd) wrote:
>>
>> > > Second question is about OpenVPN
>>
>> > > Can I gather openvpn events to OSSEC?
>>
>> > If it logs to a file you can.
>> ...more
>> "dan (ddp)" <[email protected]>: Apr 01 08:03AM -0400
>>
>> > also if you want,
>> > but I would like to know if there is an easy way for OSSEC to read the
>> > openvpn log files
>>
>> Add localfile options pointing to the logfiles in the system's
>> ...more
>> [email protected]: Apr 01 05:11AM -0700
>>
>> > you mean something like this and the information will be collected by
>> > OSSEC agent (the openvpn is installed on a different server, managed by the
>> > client)?
>>
>> <ossec_config> ...more
>> "dan (ddp)" <[email protected]>: Apr 01 08:14AM -0400
>>
>> >> you mean something like this and the information will be collected by
>> >> OSSEC agent (the openvpn is installed on a different server, managed by
>> >> the client)?
>>
>> Something like that, yes. ...more
>> [email protected]: Apr 01 05:15AM -0700
>>
>> well I will test this and let you know.
>>
>> thx Dan !!
>>
>> On Wednesday, April 1, 2015 at 2:14:17 PM UTC+2, dan (ddpbsd) wrote:
>> ...more
>> [email protected]: Apr 01 05:38AM -0700
>>
>> Hello Dan,
>>
>> sorry, this is the correct format:
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/etc/openvpn/log/openvpn.log</location>
>> </localfile>
>>
>> the ossec services ...more
>> "dan (ddp)" <[email protected]>: Apr 01 08:48AM -0400
>>
>> > I double checked the file and it was generating messages after I restarted
>> > ossec
>> > does ossec look only for errors and discard other information?
>>
>> No, it should send all log messages the agent ...more
>> Santiago Bassett <[email protected]>: Apr 01 06:13AM -0700
>>
>> Also it might help to run "lsof /etc/openvpn/log/openvpn.log" to confirm
>> the ossec-logcollector process is reading that file. Also check that the
>> logs are written in syslog format.
>>
>> ...more
>> [email protected]: Apr 01 06:13AM -0700
>>
>> Okay, this is what I found in the ossec.log
>>
>> ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'
>>
>> INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'
>>
>> ...more
>> "dan (ddp)" <[email protected]>: Apr 01 09:23AM -0400
>>
>> > the openvpn.log doesn't reside on the ossec server but on a client, maybe
>> > the ossec server was checking local
>> > or should I put this rule on client config file?
>>
>> As I've said a number of times ...more
>> [email protected]: Apr 01 07:11AM -0700
>>
>> what use is this solution then? wasn't the point of OSSEC to have
>> centralized management....
>> in my case we don't have so many servers running, but for enterprise
>> environment this is not ...more
>> Santiago Bassett <[email protected]>: Apr 01 07:51AM -0700
>>
>> OSSEC supports centralized configuration management:
>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
>>
>> Thousands of Open Source solutions are used daily in ...more
>> Inaki Rodriguez <[email protected]>: Apr 01 04:35PM +0200
>>
>> Hi!
>>
>> Sorry but I have deployed OSSEC on more than 400 servers, with the
>> config centralized. Probably the problem is not OSSEC (maybe a RTFM
>> related problem). You can specify the log files on your ...more
>> [email protected]: Apr 01 08:16AM -0700
>>
>> Hello Santiago,
>> Just because a lot of people use a certain product, doesn't mean it's a
>> good product.
>> The main reason people use open source is because it's free.
>> anyway, I see great potential ...more
>> [email protected]: Apr 01 08:51AM -0700
>>
>> Thx Inaki,
>>
>> I'm doing my best to get it working, it's just taking a lot of time and is
>> frustrating
>> and it is working, but I just need to fine tune a couple of things...
>>
>> On Wednesday, April 1, 2015 ...more
>> [email protected]: Apr 01 08:53AM -0700
>>
>> can you get ossec to get all information from a certain log file and report
>> it?
>> have you tried using this command: /var/ossec/bin/util.sh addfile
>> this is also handy, but how to revert it back ...more
>> Inaki Rodriguez <[email protected]>: Apr 01 05:45PM +0200
>>
>> My contribution:
>>
>> <!-- Wed Apr 1 11:18:26 2015 91.126.130.4:63972 TLS: Username/Password
>> authentication succeeded for username 'USERNAME' -->
>> <decoder name="openvpn-success">
>> ...more
>> "dan (ddp)" <[email protected]>: Apr 01 12:38PM -0400
>>
>> > what use is this solution then? wasn't the point of OSSEC to have
>> > centralized management....
>>
>> It does, in the agent.conf. But you seemed to be having enough issues
>> with basic configuration ...more
>> "dan (ddp)" <[email protected]>: Apr 01 12:40PM -0400
>>
>> > ossec?
>> > so not just alerts, but all the information in a log (this log file
>> > generates very few)
>>
>> Add a localfile option to read that log file. That will read all of
>> the information and ...more
>>
>> Please help with CDB lists....
>> Brent Morris <[email protected]>: Apr 01 08:32AM -0700
>>
>> I found it...
>>
>> the issue was that I prepended a / in the ossec.conf <list>
>>
>> bad
>> <list>/lists/filename</list>
>>
>> good!
>> <list>lists/filename</list>
>>
>> Thanks for your help!
>>
>> On Tuesday, March 31, ...more
>>
>> OSSEC active responce replaces hosts.deny and iptables
>> "H.Merijn Brand" <[email protected]>: Apr 01 06:55AM -0700
>>
>> On Monday, March 9, 2015 16:15:41 UTC+1, dan (ddpbsd) wrote:
>>
>> > I don't see anything in host-deny.sh that should be replacing the
>> > file. Try running it manually (maybe with /bin/sh -x) to see if ...more
>> "dan (ddp)" <[email protected]>: Apr 01 10:22AM -0400
>>
>> > like
>>
>> > # sh -x /var/ossec/active-response/bin/host-deny.sh 202.120.50.131
>>
>> > ?
>>
>> Looking at the script, it seems you need:
>> host-deny.sh add - 10.10.10.10
>>
>> ...more
>>
>> You received this digest because you're subscribed to updates for this
>> group. You can change your settings on the group membership page.
>> To unsubscribe from this group and stop receiving emails from it send an
>> email to [email protected].
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
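A defensive version of the "delete" step described in the trace above, added here as an example; it is not OSSEC's host-deny.sh and not from the thread. The function names, the sample file and the counting helper are my own, and the sample hosts.deny content is constructed.

```shell
#!/bin/sh
# Added example, not OSSEC's host-deny.sh: a defensive version of the "delete"
# step. In the trace above, "TMP_FILE = ..." ran TMP_FILE as a command, so
# ${TMP_FILE} stayed empty, the redirect failed and "cat > /etc/hosts.deny"
# truncated the live file. Here the live file is only replaced after the
# filtered copy was written successfully.
set -u   # expanding an unset variable aborts instead of yielding ""

# Remove every line that is exactly "ALL:<ip>" from a hosts.deny-style file.
# Returns 0 on success, 1 if the file was left untouched because of an error.
remove_deny_entry() {
    deny_file=$1
    ip=$2
    tmp=$(mktemp "${deny_file}.XXXXXXXXXX") || return 1
    # An empty temp name is exactly the failure mode in the trace: refuse it.
    if [ -z "$tmp" ]; then
        return 1
    fi
    # -x: whole-line match, -F: literal string (dots in the IP are not regex).
    # grep exits 1 when no line remains, which is a legitimate result here.
    grep -vxF "ALL:${ip}" "$deny_file" > "$tmp"
    rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$deny_file"
}

# Count the "ALL:<ip>" lines in a file; prints 0 if there are none.
count_deny_entries() {
    grep -cxF "ALL:$2" "$1" || :   # grep -c exits 1 on zero matches
}

# Constructed sample file (not a real hosts.deny) reproducing the duplicate
# entries from the tail output above.
DEMO_DIR=$(mktemp -d)
DEMO_FILE="$DEMO_DIR/hosts.deny"
printf '%s\n' 'ALL:183.1.1.1/255.192.0.0' 'ALL:202.120.50.131' \
    'ALL:223.197.52.236/255.255.255.255' 'ALL:202.120.50.131' > "$DEMO_FILE"
remove_deny_entry "$DEMO_FILE" 202.120.50.131
echo "entries left for 202.120.50.131: $(count_deny_entries "$DEMO_FILE" 202.120.50.131)"
```

With `set -u` in place, the original `TMP_FILE = ...` typo would have aborted the script at the first `${TMP_FILE}` expansion instead of emptying /etc/hosts.deny.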
