Indeed. I went through the machine logs and there are 2 entries (many of them with different IPs):

/var/ossec/active-response/bin/firewall-drop.sh add - X.X.X.X 1465898743.25694869 5706
/var/ossec/active-response/bin/host-deny.sh delete X.X.X.X *

Is there any way to figure out what exactly happened? I checked the active-responses.log in that client but cannot find any relevant entries.

On Tuesday, June 14, 2016 at 7:14:28 PM UTC+5:30, dan (ddpbsd) wrote:
> On Tue, Jun 14, 2016 at 9:42 AM, dan (ddp) <[email protected]> wrote:
> > On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora <[email protected]> wrote:
> >> Yes. In the active-response I do see various entries of adding IPs to
> >> host-deny.sh
> >>
> >> /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X 1465234313.25970854 5720.
> >>
>
> Also, host-deny.sh only deals with the hosts.deny file, so that entry
> should be unrelated.
> The script that deals with the firewall is firewall-drop.sh, I believe.
>
> >> However I am not sure what caused OSSEC to flush all the iptables rules.
> >> We installed it yesterday and in all the machines it flushed the iptables rules.
> >>
> >
> > Did it flush during installation, or after at some point? I've just
> > installed from the master repo and it didn't flush the firewall rules.
> > I don't have any active responses setup on these machines though.
> >
> >> On Tuesday, June 14, 2016 at 6:39:55 PM UTC+5:30, dan (ddpbsd) wrote:
> >>> On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <[email protected]> wrote:
> >>> > I'm using the latest version of OSSEC (2.8) and yes, active response is
> >>> > enabled.
> >>> >
> >>>
> >>> The latest version is 2.8.3.
> >>>
> >>> > So currently OSSEC clients are actively blocking attacks but due to some
> >>> > reason they have also flushed all the iptables rules from memory (like
> >>> > iptables -F)
> >>> >
> >>>
> >>> Are there any entries in the activeresponse log file that might shed a
> >>> clue?
> >>>
> >>> > On Tuesday, June 14, 2016 at 6:24:52 PM UTC+5:30, dan (ddpbsd) wrote:
> >>> >> On Tue, Jun 14, 2016 at 8:17 AM, Zeal Vora <[email protected]> wrote:
> >>> >> > Hi
> >>> >> >
> >>> >> > We installed OSSEC in our production machines yesterday and today we
> >>> >> > saw that all the iptables rules in all the machines were flushed.
> >>> >> > Something similar to iptables -F
> >>> >> >
> >>> >> > Any idea on what can cause this? I am aware that OSSEC active-response
> >>> >> > can add or remove entries from iptables but have never known about
> >>> >> > flushing entire iptables rules.
> >>> >> >
> >>> >> > Any help will be appreciated!
> >>> >> >
> >>> >>
> >>> >> Which version of OSSEC? Is active response enabled?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
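One way to answer "what exactly happened" from the entries quoted in this thread is to parse active-responses.log into per-script add/delete events and see which IPs each script still holds blocked. The following is an added example, not code from the thread or from the OSSEC project; it assumes the field order visible in the quoted lines (script, action, user, IP, alert id, rule id, optionally preceded by a date) and, following dan's remark above, treats firewall-drop.sh as the only script that touches iptables. The sample log lines are constructed.

```python
"""Summarise OSSEC active-responses.log entries by script (added example)."""
import re
from collections import defaultdict

# Field layout as quoted in the thread: <script> add|delete <user> <ip> <alert-id> <rule-id>.
# The leading date that the real log carries is optional here, since the
# pasted lines in the thread omit it.
ENTRY = re.compile(
    r"(?P<script>/\S*?/active-response/bin/(?P<name>[\w.-]+))\s+"
    r"(?P<action>add|delete)\s+(?P<user>\S+)\s+(?P<ip>\S+)"
    r"(?:\s+(?P<alert>\d+\.\d+))?(?:\s+(?P<rule>\d+))?"
)

# Assumption taken from the thread: host-deny.sh edits hosts.deny only,
# so firewall-drop.sh is the script whose activity can explain iptables changes.
FIREWALL_SCRIPTS = {"firewall-drop.sh"}

# Constructed sample log (not real data).
SAMPLE_LOG = """\
Tue Jun 14 09:05:43 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.10 1465898743.25694869 5706
Tue Jun 14 09:05:43 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.10 1465898743.25694869 5706
Tue Jun 14 09:15:44 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.10 1465898743.25694869 5706
Tue Jun 14 09:20:01 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1465899601.25701111 5720
/var/ossec/active-response/bin/host-deny.sh delete - 198.51.100.7 1465234313.25970854 5720
some unrelated line
"""

def parse_entry(line):
    """Return a dict for one log line, or None if it is not an active-response entry."""
    m = ENTRY.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["alert"] = d["alert"] or ""
    d["rule"] = d["rule"] or ""
    return d

def firewall_events(lines):
    """Ordered list of events from scripts that touch iptables (per FIREWALL_SCRIPTS)."""
    events = [parse_entry(l) for l in lines]
    return [e for e in events if e and e["name"] in FIREWALL_SCRIPTS]

def summarize(lines):
    """Per script: add/delete counts and the IPs added but never deleted (still blocked)."""
    per_script = defaultdict(lambda: {"add": 0, "delete": 0, "blocked": set()})
    for e in filter(None, (parse_entry(l) for l in lines)):
        s = per_script[e["name"]]
        s[e["action"]] += 1
        if e["action"] == "add":
            s["blocked"].add(e["ip"])
        else:
            s["blocked"].discard(e["ip"])
    return {k: {"add": v["add"], "delete": v["delete"], "blocked": sorted(v["blocked"])}
            for k, v in per_script.items()}

if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(name, s)
```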
