Are you sure it was OSSEC? I just had a look at https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh The only iptables commands it does are the following four, and I can't see how they would flush an entire table/chain.

iptables -I INPUT -s ${IP} -j DROP
iptables -I FORWARD -s ${IP} -j DROP
iptables -D INPUT -s ${IP} -j DROP
iptables -D FORWARD -s ${IP} -j DROP

Do you have any other scripts running to manage your iptables that may conflict with the ossec active response script?

On 6/15/2016 2:44 AM, Zeal Vora wrote:
We had deployed the OSSEC client across all our servers in the evening, and the next morning we found that all iptables rules had been flushed. This was on around 50+ machines. The OSSEC clients were running. We then had to stop the OSSEC client for investigation and load the iptables rules again.

On Tuesday, June 14, 2016 at 9:30:41 PM UTC+5:30, Antonio Querubin wrote:

    On Tue, 14 Jun 2016, Zeal Vora wrote:

    > We installed OSSEC in our production machines yesterday and today we saw
    > that all the iptables rules in all the machines were flushed. Something
    > similar to iptables -F
    >
    > Any idea on what can cause this? I am aware that OSSEC active-response can
    > add or remove entries from iptables but have never known about flushing
    > entire iptables rules.
    >
    > Any help will be appreciated!

    Normally, if an ossec client is stopped, it will remove all active
    response entries added to the firewall rules and /etc/hosts.deny from the
    time ossec was started before exiting. Is this what you're seeing or are
    the entire iptables rules completely gone?

    Antonio Querubin
    e-mail: [email protected]
    xmpp: [email protected]

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
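An added check, not from this thread or the OSSEC project, for answering Antonio's question above (only the active-response entries gone, or the whole rule set?): it diffs two iptables-save snapshots and separates missing rules that match the four firewall-drop.sh commands from missing rules OSSEC would never have touched. The snapshots are constructed samples, and the OSSEC_DROP_RE pattern is my assumption about how those rules appear in iptables-save output.

```shell
#!/bin/sh
# Diff two iptables-save snapshots and classify the rules that went missing.
# Rules shaped like OSSEC's firewall-drop.sh entries (-s IP -j DROP in INPUT
# or FORWARD) are expected to disappear when the agent stops; any other
# missing rule points at a real flush or at another script touching iptables.

# Assumed shape of a firewall-drop.sh entry as iptables-save prints it:
# iptables -I INPUT -s 203.0.113.7 -j DROP  ->  -A INPUT -s 203.0.113.7/32 -j DROP
OSSEC_DROP_RE='^-A (INPUT|FORWARD) -s [0-9.]+(/32)? -j DROP$'

# Constructed sample snapshots (not real captures from the thread).
BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A FORWARD -s 203.0.113.7/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
# Agent stopped cleanly: only the two active-response entries are gone.
AFTER_AGENT_STOPPED=$(printf '%s\n' "$BEFORE" | grep -v ' -s 203.0.113.7/32 -j DROP$')
# Everything flushed, as in the report (iptables -F keeps chains and policies).
AFTER_FLUSHED=$(printf '%s\n' "$BEFORE" | grep -v '^-A ')

# Print the -A rule lines present in snapshot $1 but absent from snapshot $2.
removed_rules() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$1" | grep '^-A ' | sort > "$b"
    printf '%s\n' "$2" | grep '^-A ' | sort > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# Number of missing rules that firewall-drop.sh itself would have added.
count_ossec_removed() {
    removed_rules "$1" "$2" | grep -Ec "$OSSEC_DROP_RE"
}

# Number of missing rules that firewall-drop.sh cannot explain.
count_unexplained_removed() {
    removed_rules "$1" "$2" | grep -Evc "$OSSEC_DROP_RE"
}

# Usage: run `iptables-save` before deploying and after the incident, then compare.
report() {
    printf 'active-response entries removed: %s\n' "$(count_ossec_removed "$1" "$2")"
    printf 'other rules removed: %s\n' "$(count_unexplained_removed "$1" "$2")"
}
report "$BEFORE" "$AFTER_FLUSHED"
```

A non-zero "other rules removed" count means something beyond OSSEC's own cleanup removed rules on that host.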
