Hi Dimitri,

A few things to check:

- Go to /var/ossec/logs/active-responses.log on the agent side and confirm that the active response is not working. The timeout is specified to 10 minutes, so after that time the IP will be unblocked. If there are entries in there, it is because it is working...

- If there are no entries in the above log file, run the active response manually and see if it works (agent side again):

  # /var/ossec/active-response/bin/firewall-drop.sh add <user> <ip>

- Make sure there are no connection errors in ossec.log and that this agent id is correct...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/9/07, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
> Hi, folks.
>
> Even though I've been using O-H for a while now, I still think I have this
> screwed up: I want to use the firewall active response. However, it
> doesn't seem to be working. My firewall is on a different box from O-H
> server. Here's the directive I have in my ossec.conf file:
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>defined-agent</location>
>     <agent_id>004</agent_id>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> Would someone be kind enough to give me a hand to make this work?
>
> Many thanks.
>
> Dimitri
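
Added example, not part of the original thread and not OSSEC's own code: a shell helper for the first check above, run on the agent, that summarises firewall-drop add/delete entries per IP so a block without a matching unblock stands out. It assumes each log line is the `date` output followed by the script path, action, user and IP; the names `ar_summary` and `sample_log` are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Summarise firewall-drop activity in an OSSEC active-responses.log.
# Assumed line layout: `date` output, script path, action (add|delete),
# user, source IP, then optional alert and rule ids.

ar_summary() {
    # $1: path to active-responses.log
    # Returns 1 when the log holds no firewall-drop entries at all, i.e. the
    # active response has never fired on this agent.
    out=$(awk '
    {
        # Locate the script path; the width of the date varies with locale.
        for (i = 1; i <= NF; i++) if ($i ~ /firewall-drop\.sh$/) break
        if (i > NF - 3) next                 # not a firewall-drop line
        action = $(i + 1); ip = $(i + 3)
        if (action == "add")    { adds[ip]++; seen[ip] = 1 }
        if (action == "delete") { dels[ip]++; seen[ip] = 1 }
    }
    END {
        for (ip in seen) {
            # More adds than deletes: timeout not reached yet, or unblock failed.
            state = (adds[ip] > dels[ip]) ? "blocked" : "released"
            printf "%s add=%d delete=%d %s\n", ip, adds[ip], dels[ip], state
        }
    }' "$1") || return 2
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | sort
}

# Constructed sample log (documentation-range IPs, made-up alert ids).
sample_log() {
    cat <<'EOF'
Wed May  9 10:00:01 EDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1178719201.1234 5712
Wed May  9 10:10:01 EDT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1178719201.1234 5712
Wed May  9 10:12:30 EDT 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1178719950.5678 5712
EOF
}

# Demo on the constructed sample; on an agent, pass the real log path instead.
tmp=$(mktemp) && sample_log > "$tmp" && ar_summary "$tmp"; rm -f "$tmp"
```

A non-zero exit status means the log has no firewall-drop entries, which is the case where the manual run of firewall-drop.sh and the ossec.log connection check come next.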