Hi
We recently moved all components to v3 or above. Since then we have
had an issue with active response that we have not been able to resolve.
We use OSSEC as part of a suite of tools on a website, and to prevent
endless background hacking attempts a nice feature was blocking an IP
across all servers when it tried to compromise one. However, since the
upgrade this does not work, and indeed having 'all' set as the location
breaks active response entirely:
<location>all</location>
Changing this back to local makes active response work again (although only
per agent, obviously). Our current config on the master looks like this,
and works:
<active-response>
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>30,60,120</repeated_offenders>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>30,60,120</repeated_offenders>
</active-response>
(I know repeated_offenders needs to be set on the agent rather than the master.)
We have also set this on each agent in /var/ossec/etc/internal_options.conf:
logcollector.remote_commands=1
Still, when we change location to all, active response stops working
completely.
Any suggestions or help gratefully received.
Thanks
Rob
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
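As an added example (not from the post above or the OSSEC project), here is a small linter for the `<active-response>` blocks that a manager-side ossec.conf carries. It checks each block against the four location values OSSEC documents (local, server, defined-agent, all), flags a defined-agent entry with no `<agent_id>`, flags a `<command>` name with no matching `<command>` definition block, and, following the poster's own note that `repeated_offenders` belongs in the agent's ossec.conf, flags it when the file is being linted as a manager config. The sample configuration is constructed for the example and deliberately includes the `all` variant the poster tried; the `role` parameter and the `lint_active_responses` name are this example's own.

```python
import xml.etree.ElementTree as ET

# Location values documented for OSSEC active-response blocks.
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

# Constructed sample: two top-level <ossec_config> sections, as ossec.conf allows.
# host-deny has no <command> definition block, firewall-drop does.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def lint_active_responses(conf_text, role="manager"):
    """Return one dict per <active-response> block with the issues found.

    role is "manager" or "agent" (hypothetical parameter for this example):
    repeated_offenders is only flagged on a manager config.
    """
    # ossec.conf may hold several <ossec_config> roots, which is not
    # well-formed XML on its own, so wrap the whole file in a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")

    # <command> blocks that define a command have a <name> child; the
    # <command> element inside <active-response> is a leaf and is skipped.
    defined = {
        c.findtext("name").strip()
        for c in root.iter("command")
        if c.find("name") is not None
    }

    report = []
    for ar in root.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        loc = (ar.findtext("location") or "").strip()
        entry = {
            "command": cmd,
            "location": loc,
            "level": ar.findtext("level"),
            "timeout": ar.findtext("timeout"),
            "issues": [],
        }
        if loc not in VALID_LOCATIONS:
            entry["issues"].append(f"unknown location '{loc}'")
        if loc == "defined-agent" and ar.find("agent_id") is None:
            entry["issues"].append("defined-agent without <agent_id>")
        if cmd not in defined:
            entry["issues"].append(f"no <command> block named '{cmd}'")
        if role == "manager" and ar.find("repeated_offenders") is not None:
            entry["issues"].append(
                "repeated_offenders set on manager; belongs in the agent's ossec.conf"
            )
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in lint_active_responses(SAMPLE_CONF):
        status = "OK" if not e["issues"] else "; ".join(e["issues"])
        print(f"{e['command']:<14} {e['location']:<14} level={e['level']} "
              f"timeout={e['timeout']}  {status}")
```

Run it against a real manager ossec.conf by reading the file into `lint_active_responses` instead of `SAMPLE_CONF`; pass `role="agent"` when linting an agent's copy so the `repeated_offenders` check is skipped there.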