This is still wrong in 2.8.3 !!! Why is this easy fix not accepted?
2015-04-02 11:30 GMT+02:00 H.Merijn Brand <[email protected]>:
> The format is not quite what matches the rest of the hosts.deny file
>
> # head /etc/hosts.deny
> ALL:183.1.1.1/255.192.0.0
> ALL:58.218.1.1/255.224.0.0
> ALL:182.96.1.1/255.224.0.0
> ALL:183.96.1.1/255.224.0.0
> ALL:113.96.1.1/255.240.0.0
> ALL:222.208.1.1/255.240.0.0
>
> # tail -10 /etc/hosts.deny
> ALL:218.106.254.121/255.255.255.255
> ALL:219.234.80.221/255.255.255.255
> ALL:220.187.241.24/255.255.255.255
> ALL:220.194.202.139/255.255.255.255
> ALL:222.236.44.115/255.255.255.255
> ALL:223.197.52.236/255.255.255.255
> ALL:202.120.50.131
> ALL:202.120.50.131
> ALL:202.120.50.131
> ALL:202.120.50.131
>
> It is xdelete that ruins the file ...
>
> + '[' xdelete = xdelete ']'
> + lock
> + i=0
> + '[' 1 ']'
> + mkdir /var/ossec/active-response/host-deny-lock
> + MSL=0
> + '[' 0 = 0 ']'
> + echo 11976
> + return
> mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
> ++ mktemp /var/ossec/ossec-hosts.XXXXXXXXXX
> + TMP_FILE = /var/ossec/ossec-hosts.WH8SSsvOj7
> /var/ossec/active-response/bin/host-deny.sh: line 114: TMP_FILE: command not found
> + '[' X = X ']'
> cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1
> ++ cat /dev/urandom
> ++ tr -dc a-zA-Z0-9
> ++ fold -w 32
> ++ head -1
> + TMP_FILE = /var/ossec/ossec-hosts.3K92OdZnWGq9XRCHQYOqCcmlOeFqrsF8
> /var/ossec/active-response/bin/host-deny.sh: line 117: TMP_FILE: command not found
> + '[' XLinux = XFreeBSD ']'
> + cat /etc/hosts.deny
> + grep -v 'ALL:202.120.50.131$'
> /var/ossec/active-response/bin/host-deny.sh: line 123: ${TMP_FILE}: ambiguous redirect
> + cat
>
>
> OBVIOUSLY!!!
>
>
> # Deleting from hosts.deny
> elif [ "x${ACTION}" = "xdelete" ]; then
> lock;
> TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
> if [ "X${TMP_FILE}" = "X" ]; then
> # Cheap fake tmpfile, but should be harder then no random data
> TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
> fi
>
> ==>
>
> # Deleting from hosts.deny
> elif [ "x${ACTION}" = "xdelete" ]; then
> lock;
> TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
> if [ "X${TMP_FILE}" = "X" ]; then
> # Cheap fake tmpfile, but should be harder then no random data
> TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
> fi
>
>
> TWO erroneous uses of VAR = val instead of VAR=val
>
>
> 2015-04-02 10:48 GMT+02:00 <[email protected]>:
>
>> [email protected] - Google Groups - Today's topic summary
>>
>> send eventlog to ossec
>> [email protected]: Apr 01 02:03PM -0700
>>
>> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
>> to install but it was unsuccessful, I attach two files.
>> ...more
>>
>> [email protected]: Apr 01 02:14PM -0700
>>
>> I found 2.9-beta03, https://github.com/ossec/ossec-hids/releases, I tried
>> to install but it was unsuccessful, I attach two files.
>> ...more
>>
>> Wheezy/x86 : installation does not creates startup script
>> [email protected]: Apr 01 08:53AM -0700
>>
>> Hi,
>>
>> I have a similar problem as below (subject on Jessie and system.d service)
>> on Wheezy/x86-32: when I install the ossec-hids package, no init.d/ossec is
>> copied, and, of course, the LSB ...more
>>
>> Santiago Bassett <[email protected]>: Apr 01 09:49AM -0700
>>
>> Hi Frank,
>>
>> I am the installers maintainer, sorry for the inconvenience. Not sure yet
>> what is causing this problem, but will work on it right away. Hopefully I
>> can have new packages ready in a few ...more
>>
>> collect all logs and add OpenVPN logs
>> [email protected]: Apr 01 04:37AM -0700
>>
>> hi,
>>
>> First I want that ossec collects all logs.
>> I have put the logall options and
>> log alertlevel is even at 0
>>
>> <global>
>> <logall>yes</logall>
>> </global>
>>
>> <alerts> ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 07:46AM -0400
>>
>> > still I don't get all log information, I usually get logs regarding event 3
>> > (mostly or higher).
>>
>> > what else do I need to do, so OSSEC will log all events?
>>
>> All log messages received by ...more
>>
>> [email protected]: Apr 01 04:57AM -0700
>>
>> On Wednesday, April 1, 2015 at 1:47:03 PM UTC+2, dan (ddpbsd) wrote:
>>
>> > > Second question is about OpenVPN
>>
>> > > Can I gather openvpn events to OSSEC?
>>
>> > If it logs to a file you can.
>> ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 08:03AM -0400
>>
>> > also if you want,
>> > but I would like to know if there is an easy way for OSSEC to read the
>> > openvpn log files
>>
>> Add localfile options pointing to the logfiles in the system's ...more
>>
>> [email protected]: Apr 01 05:11AM -0700
>>
>> > you mean something like this and the information will be collected by
>> > OSSEC agent (the openvpn is installed on a different server, managed by the
>> > client)?
>>
>> <ossec_config> ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 08:14AM -0400
>>
>> >> you mean something like this and the information will be collected by
>> >> OSSEC agent (the openvpn is installed on a different server, managed by the
>> >> client)?
>>
>> Something like that, yes. ...more
>>
>> [email protected]: Apr 01 05:15AM -0700
>>
>> well I will test this and let you know.
>>
>> thx Dan !!
>>
>> On Wednesday, April 1, 2015 at 2:14:17 PM UTC+2, dan (ddpbsd) wrote:
>> ...more
>>
>> [email protected]: Apr 01 05:38AM -0700
>>
>> Hello Dan,
>>
>> sorry, this is the correct format:
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/etc/openvpn/log/openvpn.log</location>
>> </localfile>
>>
>> the ossec services ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 08:48AM -0400
>>
>> > I double checked the file and it was generating messages after I restarted
>> > ossec
>> > does ossec look only for errors and discard other information?
>>
>> No, it should send all log messages the agent ...more
>>
>> Santiago Bassett <[email protected]>: Apr 01 06:13AM -0700
>>
>> Also it might help to run "lsof /etc/openvpn/log/openvpn.log" to confirm
>> ossec-logcollector process is reading that file. As well check that the
>> logs are written in syslog format.
>> ...more
>>
>> [email protected]: Apr 01 06:13AM -0700
>>
>> OK, this is what I found in the ossec.log
>>
>> ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'
>>
>> INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'
>> ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 09:23AM -0400
>>
>> > the openvpn.log doesn't reside on the ossec server but on a client, maybe
>> > the ossec server was checking local
>> > or should I put this rule on client config file?
>>
>> As I've said a number of times ...more
>>
>> [email protected]: Apr 01 07:11AM -0700
>>
>> what use is this solution then? wasn't the point of OSSEC to have a
>> centralized management....
>> in my case we don't have so many servers running, but for enterprise
>> environment this is not ...more
>>
>> Santiago Bassett <[email protected]>: Apr 01 07:51AM -0700
>>
>> OSSEC supports centralized configuration management:
>>
>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
>>
>> Thousands of Open Source solutions are used daily in ...more
>>
>> Inaki Rodriguez <[email protected]>: Apr 01 04:35PM +0200
>>
>> Hi!
>>
>> Sorry but I have deployed OSSEC on more than 400 servers, with the
>> config centralized. Probably the problem is not OSSEC (maybe a RTFM
>> related problem). You can specify the log files on your ...more
>>
>> [email protected]: Apr 01 08:16AM -0700
>>
>> Hello Santiago,
>> Just because a lot of people use a certain product, doesn't mean it's a
>> good product.
>> The main reason people use open source is because it's free.
>> anyway, I see great potential ...more
>>
>> [email protected]: Apr 01 08:51AM -0700
>>
>> Thx Inaki,
>>
>> I'm doing my best to get it working, it's just taking a lot of time and
>> frustrating
>> and it is working, but just need to fine tune a couple of things...
>>
>> On Wednesday, April 1, 2015 ...more
>>
>> [email protected]: Apr 01 08:53AM -0700
>>
>> can you get ossec to get all information from a certain log file and report
>> it?
>> have you tried using this command: /var/ossec/bin/util.sh addfile
>> this is also handy, but how to revert it back ...more
>>
>> Inaki Rodriguez <[email protected]>: Apr 01 05:45PM +0200
>>
>> My contribution:
>>
>> <!-- Wed Apr 1 11:18:26 2015 91.126.130.4:63972 TLS: Username/Password
>> authentication succeeded for username 'USERNAME' -->
>> <decoder name="openvpn-success">
>> ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 12:38PM -0400
>>
>> > what use is this solution then? wasn't the point of OSSEC to have a
>> > centralized management....
>>
>> It does, in the agent.conf. But you seemed to be having enough issues
>> with basic configuration ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 12:40PM -0400
>>
>> > ossec?
>> > so not just alerts, but all the information in a log (this log file
>> > generates very few)
>>
>> Add a localfile option to read that log file. That will read all of
>> the information and ...more
>>
>> Please help with CDB lists....
>> Brent Morris <[email protected]>: Apr 01 08:32AM -0700
>>
>> I found it...
>>
>> the issue was that I prepended a / ossec.conf <list>
>>
>> bad
>> <list>*/*lists/filename</list>
>>
>> good!
>> <list>lists/filename</list>
>>
>> Thanks for your help!
>>
>> On Tuesday, March 31, ...more
>>
>> OSSEC active response replaces hosts.deny and iptables
>> "H.Merijn Brand" <[email protected]>: Apr 01 06:55AM -0700
>>
>> On Monday 9 March 2015 16:15:41 UTC+1, dan (ddpbsd) wrote:
>>
>> > I don't see anything in host-deny.sh that should be replacing the
>> > file. Try running it manually (maybe with /bin/sh -x) to see if ...more
>>
>> "dan (ddp)" <[email protected]>: Apr 01 10:22AM -0400
>>
>> > like
>>
>> > # sh -x /var/ossec/active-response/bin/host-deny.sh 202.120.50.131
>>
>> > ?
>>
>> Looking at the script, it seems you need:
>> host-deny.sh add - 10.10.10.10
>>
>> ...more
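The defect in the quoted trace is plain shell syntax: `TMP_FILE = ...` is parsed as a command named TMP_FILE (hence "command not found"), so the variable is never set; the filtered copy then fails with "ambiguous redirect", and the bare `+ cat` in the trace is the copy-back step running with no source file, reading standard input instead, which is how hosts.deny ends up emptied. The POSIX sh block below is an added example, not OSSEC's host-deny.sh and not code posted by anyone in the thread; the helper names (find_spaced_assignments, deny_delete) and the sample files it builds in a scratch directory are constructed for illustration. It shows a grep check that flags the `VAR = value` pattern in a script file, and a delete routine that stops rather than truncating the target when mktemp fails or the filtered output is unexpectedly empty.

```shell
#!/bin/sh
# Added example; not OSSEC's host-deny.sh and not code from the thread.
# find_spaced_assignments, deny_delete and the sample files below are
# constructed for illustration.

# With -u, expanding an unset ${TMP_FILE} aborts the script instead of
# quietly turning 'cat ${TMP_FILE} > /etc/hosts.deny' into 'cat > /etc/hosts.deny'.
set -u

# Report lines of the form 'NAME = value'. POSIX sh parses that as a command
# named NAME with the arguments '=' and 'value' ("NAME: command not found"),
# so the variable is never assigned. Exit status 0 when at least one is found.
find_spaced_assignments() {
    grep -nE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]+=([[:space:]]|$)' "$1"
}

# Remove every line that is exactly "ALL:<ip>" from a hosts.deny-style file.
# On any failure the function returns 1 and the file is left untouched.
deny_delete() {
    ip=$1
    file=$2

    # Temp file beside the target so the final mv is an atomic rename on the
    # same filesystem. If mktemp fails we stop; no fallback to a guessed name.
    tmp=$(mktemp "${file}.XXXXXXXXXX") || return 1

    # -F -x: fixed string, whole-line match; -v keeps everything else.
    # grep exits 1 when no line survives, which is a valid outcome; only
    # status >1 (unreadable input, etc.) is an error.
    grep -Fvx "ALL:${ip}" "$file" > "$tmp"
    rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmp"
        return 1
    fi

    # Guard against the failure mode from the trace: an empty result replacing
    # a file that still holds other entries.
    if [ ! -s "$tmp" ] && grep -Fvxq "ALL:${ip}" "$file"; then
        rm -f "$tmp"
        return 1
    fi

    mv "$tmp" "$file"
}

# Demo on constructed files in a scratch directory, never on /etc/hosts.deny.
demo_dir=$(mktemp -d) || exit 1
demo_file="$demo_dir/hosts.deny"
printf '%s\n' 'ALL:183.1.1.1/255.192.0.0' 'ALL:202.120.50.131' \
    'ALL:202.120.50.131' 'ALL:223.197.52.236/255.255.255.255' > "$demo_file"
if deny_delete 202.120.50.131 "$demo_file"; then
    cat "$demo_file"    # both ALL:202.120.50.131 lines gone, the other two intact
fi

# The two assignments from the quoted script: only the first one is flagged.
printf '%s\n' 'TMP_FILE = `mktemp /tmp/x.XXXXXXXXXX`' \
    'TMP_FILE=`mktemp /tmp/x.XXXXXXXXXX`' > "$demo_dir/check.sh"
find_spaced_assignments "$demo_dir/check.sh"
rm -rf "$demo_dir"
```

Running the check against an active-response script before deploying it catches exactly the two lines the thread points at; the rename-based delete keeps the live file intact on every error path instead of depending on a temp name that may not exist.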
