On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora <[email protected]> wrote:
> Yes. In the active-response I do see various entries of adding IPs to
> host-deny.sh
>
> /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X
> 1465234313.25970854 5720.
>
> However I am not sure on what caused OSSEC to flush all the iptables rules.
> We installed it yesterday and in all the machines it flushed the iptables
> rules.
>

Did it flush during installation, or after at some point? I've just
installed from the master repo and it didn't flush the firewall rules.
I don't have any active responses set up on these machines though.

> On Tuesday, June 14, 2016 at 6:39:55 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <[email protected]> wrote:
>> > I'm using the latest version of OSSEC ( 2.8 ) and yes active response is
>> > enabled.
>> >
>>
>> The latest version is 2.8.3.
>>
>> > So currently OSSEC clients are actively blocking attacks but due to some
>> > reason they have also flushed all the iptables rules from memory ( like
>> > iptables -F )
>> >
>>
>> Are there any entries in the activeresponse log file that might shed a
>> clue?
>>
>> > On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora <[email protected]> wrote:
>> >> > Hi
>> >> >
>> >> > We installed OSSEC in our production machines yesterday and today we
>> >> > saw that all the iptables rules in all the machines were flushed.
>> >> > Something similar to iptables -F
>> >> >
>> >> > Any idea on what can cause this? I am aware that OSSEC active-response
>> >> > can add or remove entries from iptables but have never known about
>> >> > flushing entire iptables rules.
>> >> >
>> >> > Any help will be appreciated!
>> >> >
>> >>
>> >> Which version of OSSEC? Is active response enabled?
>> >>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
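As an added example, not code from the thread or from OSSEC itself: a small Python audit of the active-responses log dan asks about, reconciling the add and delete entries per IP and per script. It assumes OSSEC's stock script names host-deny.sh and firewall-drop.sh (the latter is not mentioned in the thread) and uses constructed log lines that reuse the alert id and rule id quoted above. Because both scripts only add or delete a single address, the audit also reports any action that is neither, which is the first thing to check before blaming active response for a full flush.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/ossec/logs/active-responses.log lines (not from the
# thread). Field layout mirrors the entry quoted there: date, script, action,
# user, IP, alert id, rule id. Alert and rule ids reuse the values in the thread.
SAMPLE_LOG = """\
Tue Jun 14 14:11:53 IST 2016 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.10 1465234313.25970854 5720
Tue Jun 14 14:11:53 IST 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.10 1465234313.25970854 5720
Tue Jun 14 14:21:53 IST 2016 /var/ossec/active-response/bin/host-deny.sh delete - 203.0.113.10 1465234313.25970854 5720
Tue Jun 14 14:30:01 IST 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1465235401.26011234 5720
Tue Jun 14 14:40:01 IST 2016 /var/ossec/active-response/bin/host-deny.sh delete - 198.51.100.7 1465235401.26011234 5720
"""

LINE_RE = re.compile(
    r"^(?P<when>.+?) (?P<script>/var/ossec/active-response/bin/\S+) "
    r"(?P<action>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<alert_id>\S+) (?P<rule_id>\d+)\.?$"
)


def parse_active_responses(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def audit(entries):
    """Reconcile what active response did, per script and per IP.

    host-deny.sh and firewall-drop.sh only add or delete one address at a
    time, so no 'add' or 'delete' entry can explain a whole-table flush.
    Any other action value is reported as unexpected.
    """
    counts = Counter((e["script"].rsplit("/", 1)[-1], e["action"]) for e in entries)
    still_blocked = defaultdict(set)   # script -> IPs added but never deleted
    unmatched_deletes = []             # deletes with no prior add (log gap?)
    unexpected = []                    # actions other than add/delete
    for e in entries:
        name = e["script"].rsplit("/", 1)[-1]
        if e["action"] == "add":
            still_blocked[name].add(e["ip"])
        elif e["action"] == "delete":
            if e["ip"] in still_blocked[name]:
                still_blocked[name].discard(e["ip"])
            else:
                unmatched_deletes.append((name, e["ip"]))
        else:
            unexpected.append(e)
    return {"counts": counts, "still_blocked": dict(still_blocked),
            "unmatched_deletes": unmatched_deletes, "unexpected": unexpected}


if __name__ == "__main__":
    for key, value in audit(parse_active_responses(SAMPLE_LOG)).items():
        print(key, value)
```

Run it against the real file with `audit(parse_active_responses(open("/var/ossec/logs/active-responses.log").read()))`; an empty `unexpected` list plus sane per-IP counts means the flush came from somewhere other than these scripts.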
