On Tue, Jun 14, 2016 at 9:42 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora <[email protected]> wrote:
>> Yes. In the active-response I do see various entries of adding IPs to
>> host-deny.sh
>>
>> /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X
>> 1465234313.25970854 5720.
>>

Also, host-deny.sh only deals with the hosts.deny file, so that entry
should be unrelated. The script that deals with the firewall is
firewall-drop.sh, I believe.

>> However I am not sure what caused OSSEC to flush all the iptables rules.
>> We installed it yesterday and on all the machines it flushed the iptables
>> rules.
>>
>
> Did it flush during installation, or after at some point? I've just
> installed from the master repo and it didn't flush the firewall rules.
> I don't have any active responses set up on these machines though.
>
>
>>
>>
>> On Tuesday, June 14, 2016 at 6:39:55 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>> On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <[email protected]> wrote:
>>> > I'm using the latest version of OSSEC (2.8) and yes, active response is
>>> > enabled.
>>> >
>>>
>>> The latest version is 2.8.3.
>>>
>>> > So currently OSSEC clients are actively blocking attacks but for some
>>> > reason they have also flushed all the iptables rules from memory (like
>>> > iptables -F).
>>> >
>>>
>>> Are there any entries in the activeresponse log file that might shed a
>>> clue?
>>>
>>> > On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan (ddpbsd) wrote:
>>> >>
>>> >> On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora <[email protected]> wrote:
>>> >> > Hi
>>> >> >
>>> >> > We installed OSSEC on our production machines yesterday and today we
>>> >> > saw that all the iptables rules on all the machines were flushed.
>>> >> > Something similar to iptables -F.
>>> >> >
>>> >> > Any idea what can cause this? I am aware that OSSEC active-response
>>> >> > can add or remove entries from iptables but never knew about it
>>> >> > flushing the entire iptables rule set.
>>> >> >
>>> >> > Any help will be appreciated!
>>> >> >
>>> >>
>>> >> Which version of OSSEC? Is active response enabled?
>>> >> >>> >> > >>> >> > -- >>> >> > >>> >> > --- >>> >> > You received this message because you are subscribed to the Google >>> >> > Groups >>> >> > "ossec-list" group. >>> >> > To unsubscribe from this group and stop receiving emails from it, >>> >> > send >>> >> > an >>> >> > email to [email protected]. >>> >> > For more options, visit https://groups.google.com/d/optout. >>> > >>> > -- >>> > >>> > --- >>> > You received this message because you are subscribed to the Google >>> > Groups >>> > "ossec-list" group. >>> > To unsubscribe from this group and stop receiving emails from it, send >>> > an >>> > email to [email protected]. >>> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
