Is there any deep dive on active response or a collection of use cases as to 
how people are using it?

Just seems to be such a cool capability of OSSEC that is underutilized.



Sent from my T-Mobile 4G LTE Device



-------- Original message --------
From: Daniel Folch <daniel.fo...@wazuh.com>
Date: 9/23/20 7:21 AM (GMT-05:00)
To: ossec-list <ossec-list@googlegroups.com>
Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING


Hello,

First, let us start with the active response configuration of the manager and 
agent. The configuration you shared should be used on the manager side; for the 
agent you just need to set it like this:

  <active-response>
    <disabled>no</disabled>
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

As a side note, rule 5720 is triggered when rule 5716 fires 8 times in a short 
period of time, so having both of them in the active response is not necessary.

Hydra tests the passwords in the list sequentially, and it is really fast, so if 
your list only contains a few passwords it may be possible for Hydra to test the 
correct password from the list before active response can shut down the 
connection from the IP. This should not happen in a real brute force attack, as 
the list of passwords would be long enough for active response to act in time. 
One way to minimize this phenomenon would be to reduce the number of attempts 
needed before shutting down.

Just to verify, could you share the length of the list you are using for this 
test? And if possible, could you try running Hydra like this to verify that 
active response is working as intended:

hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh

This will try all combinations of lowercase letters, uppercase letters, and 
digits with a length between 1 and 5, so it should not be able to find your 
password before active response triggers.

Regards,
Daniel Folch
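The race described above, as an added example that is not part of the original 
thread and is not OSSEC or Wazuh code: a small Python model in which each 
"Failed password" line stands in for rule 5716, a frequency rule stands in for 
5720 (8 hits from one source IP; the 120-second timeframe is assumed here, as is 
the simplified event accounting), and the rule firing is treated as the moment 
firewall-drop blocks the IP. It is then replayed against a hydra password list 
with the original post's `-t 4`. The log line format, the host name "agent", the 
source IP 192.168.10.5 and the one-second batch pacing are assumptions; all log 
lines are constructed.

```python
"""Model of OSSEC's sshd frequency rule racing a hydra password list.

Added example for this thread; not OSSEC or Wazuh code. A "Failed password"
line stands in for rule 5716; FrequencyRule stands in for 5720 (8 hits of
5716 in a short period per the thread; the 120 s timeframe is assumed).
The composite rule firing is treated as the moment firewall-drop blocks the
source IP. Timestamps, IPs and log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed OpenSSH/syslog shape of a failed password attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\S+) port \d+ ssh2$"
)
YEAR = 2020  # syslog timestamps carry no year; assumed


def _parse_ts(ts):
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


class FrequencyRule:
    """Fire when `frequency` failures from one srcip fall within `timeframe` seconds."""

    def __init__(self, frequency=8, timeframe=120):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self._hits = defaultdict(deque)  # srcip -> timestamps of recent failures

    def feed(self, line):
        """Return the srcip if this line makes the composite rule fire, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None  # not a failed login, so the per-line rule does not match
        ts, srcip = _parse_ts(m["ts"]), m["srcip"]
        window = self._hits[srcip]
        window.append(ts)
        while ts - window[0] > self.timeframe:  # drop hits outside the timeframe
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()  # these hits were consumed by the firing
            return srcip
        return None


def detect(lines, frequency=8, timeframe=120):
    """Run the composite rule over a log excerpt; return [(line_no, srcip)] per firing."""
    rule = FrequencyRule(frequency, timeframe)
    fired = []
    for n, line in enumerate(lines, 1):
        srcip = rule.feed(line)
        if srcip:
            fired.append((n, srcip))
    return fired


def simulate_hydra(passwords, correct, *, frequency=8, timeframe=120,
                   tasks=4, srcip="192.168.10.5"):
    """Replay `hydra -l agent -P list -t <tasks> ssh` against the rule.

    The list is tried in order; `tasks` attempts share each one-second syslog
    timestamp (assumed pacing). Once the rule fires, the IP is dropped and no
    later attempt reaches sshd. Returns the outcome and the attempt number.
    """
    rule = FrequencyRule(frequency, timeframe)
    start = datetime(YEAR, 9, 22, 13, 0, 0)
    for i, pw in enumerate(passwords, 1):
        if pw == correct:
            return {"outcome": "compromised", "attempt": i}  # "Accepted password"
        ts = (start + timedelta(seconds=(i - 1) // tasks)).strftime("%b %d %H:%M:%S")
        line = (f"{ts} agent sshd[{1000 + i}]: Failed password for agent "
                f"from {srcip} port {40000 + i} ssh2")
        if rule.feed(line) == srcip:
            return {"outcome": "blocked", "attempt": i}
    return {"outcome": "exhausted", "attempt": len(passwords)}


if __name__ == "__main__":
    short = ["123456", "password", "qwerty", "letmein", "agent"]
    print("5-word list, frequency 8:", simulate_hydra(short, "agent"))
    print("5-word list, frequency 3:", simulate_hydra(short, "agent", frequency=3))
    long_list = [f"pw{n}" for n in range(50)] + ["agent"]
    print("51-word list, frequency 8:", simulate_hydra(long_list, "agent"))
```

With the default threshold, a five-word list whose last entry is the real 
password logs in on attempt 5, before the eighth failure that would have fired 
the rule; lowering the frequency to 3 blocks the same list on attempt 3, and a 
long list is cut off at attempt 8 regardless of where the password sits.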

On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, conm...@gmail.com wrote:
Hi everybody
I have seen an article about configuring active-response to block SSH 
brute force on https://wazuh.com/blog/blocking-attacks-active-response/

I have configured the direction and added some SSH-related rules, hoping that 
it will prevent the attack, but it doesn't work.
I configured the following in ossec.conf:
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5716,5720</rules_id>
    <timeout>1800</timeout>
  </active-response>

I still find the password to log in after the brute force. I use the following 
command to attack:
hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh

Is there any way the active-response can prevent this?
Thanks, everyone.

--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/fc270a22-8c00-4094-a5b5-fed439442598o%40googlegroups.com.
