I also tried to run the same command on agent 000 (the server) but it doesn't work: no line added to hosts.deny, no active-response.log.

Luciano

On 25 Mar, 15:31, Daniel Cid <daniel....@gmail.com> wrote:
> Hi,
>
> Did you check for the file /var/ossec/logs/active-responses.log on the
> agent? You configured the response to run on the agent side, not on the
> manager. Also, it will timeout and remove the block after 10 minutes
> (for the first entry, not yours)....
>
> A good way to test is to run the command agent_control:
>
> # /var/ossec/bin/agent_control -L
>
> OSSEC HIDS agent_control. Available active responses:
>
> Response name: host-deny600, command: host-deny.sh
> Response name: host-deny600, command: host-deny.sh
> Response name: firewall-drop600, command: firewall-drop.sh
> Response name: win_nullroute600, command: route-null.cmd
>
> # /var/ossec/bin/agent_control -u 200 -b 1.2.3.4 -f firewall-drop600
>
> OSSEC HIDS agent_control: Running active response 'firewall-drop600' on: 200
>
> The second command will block the ip 1.2.3.4 on the agent 200 using
> firewall-drop600...
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 4, 2009 at 5:40 AM, cianop <luciano.branc...@feltrinelli.it> wrote:
> >
> > Thank you for your interest, I already posted all the configuration in
> > a previous post, anyway, following there is the last notification
> > (brute force on ftp server):
> >
> > Received From: (maia) 192.168.0.11->/var/log/vsftpd.log
> > Rule: 11451 fired (level 10) -> "FTP brute force (multiple failed logins)."
> > Portion of the log(s):
> >
> > Tue Mar 3 08:57:45 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> > Tue Mar 3 08:57:44 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> > Tue Mar 3 08:57:43 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> > Tue Mar 3 08:57:42 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> > Tue Mar 3 08:57:41 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> > Tue Mar 3 08:57:40 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> > Tue Mar 3 08:57:39 2009 [pid 7809] [tsinternetusers] FAIL LOGIN: Client "221.4.205.132"
> >
> > I got the email alert without problem, also for level 12. I have
> > checked for the log file but there isn't one (active-responses.log).
> > In alerts.log I found the same email alert. I have 1 ossec server and
> > 4 agents, the alert came from an agent.
> > Here is the active-response part of ossec.conf:
> >
> >   <command>
> >     <name>host-deny</name>
> >     <executable>host-deny.sh</executable>
> >     <expect>srcip</expect>
> >     <timeout_allowed>yes</timeout_allowed>
> >   </command>
> >
> >   <!-- Active Response Config -->
> >   <active-response>
> >     <!-- This response is going to execute the host-deny
> >        - command for every event that fires a rule with
> >        - level (severity) >= 6.
> >        - The IP is going to be blocked for 600 seconds.
> >       -->
> >     <command>host-deny</command>
> >     <location>local</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> > I disabled the firewall drop by adding the relative tag:
> >
> >   <active-response>
> >     <!-- Firewall Drop response. Block the IP for
> >        - 600 seconds on the firewall (iptables,
> >        - ipfilter, etc).
> >       -->
> >     <disabled>yes</disabled>
> >     <command>firewall-drop</command>
> >     <location>local</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> > Here are the directory permissions on agent and server:
> >
> > dr-xr-x--- 3 root  ossec 4096 Feb 10 14:58 active-response
> > dr-xr-x--- 2 root  ossec 4096 Feb 10 14:58 bin
> > dr-xr-x--- 3 root  ossec 4096 Feb 18 12:35 etc
> > drwxr-x--- 2 ossec ossec 4096 Mar  4 09:24 logs
> > dr-xr-x--- 6 root  ossec 4096 Feb 10 14:58 queue
> > dr-xr-x--- 3 root  ossec 4096 Feb 18 12:35 var
> >
> > /var/ossec/active-response# ls -l
> > total 4
> > dr-xr-x--- 2 root ossec 4096 Mar 2 11:25 bin
> >
> > /var/ossec/active-response/bin# ls -l
> > total 32
> > -rwxr-xr-x 1 root ossec 1711 Jan  6  2007 disable-account.sh
> > -rwxr-xr-x 1 root ossec 3705 Jan  6  2007 firewall-drop.sh
> > -rwxr-xr-x 1 root ossec 3018 Jun 11  2008 host-deny.sh
> > -rwxr-xr-x 1 root ossec 1385 Jan  6  2007 ipfw.sh
> > -rwxr-xr-x 1 root ossec 1617 Jan  6  2007 ipfw_mac.sh
> > -rwxr-xr-x 1 root ossec 1849 Jun  6  2008 pf.sh
> > -rwxr-xr-x 1 root ossec 2542 Feb 18 17:08 pix-blacklist.sh
> > -rwxr-xr-x 1 root ossec 1182 May 24  2008 route-null.sh
> >
> > I also raised the debug level to 2 on the server:
> >
> >   # Analysisd (server or local)
> >   analysisd.debug=2
> >
> >   # Unix agentd
> >   agent.debug=2
> >
> > to have more info, but nothing more in the alert logs.
> >
> > I also added my own active response based on rule id rather than
> > severity level, but it doesn't work.
> >
> >   <command>
> >     <name>pix-blacklist</name>
> >     <executable>pix-blacklist.sh</executable>
> >     <expect>srcip</expect>
> >     <timeout_allowed>no</timeout_allowed>
> >   </command>
> >
> >   <active-response>
> >     <!-- This response is going to execute the pix-blacklist
> >        - command for every event that fires a rule with
> >        - level (severity) >= 6.
> >        - The IP is going to be logged for Pix Blacklist.
> >       -->
> >     <command>pix-blacklist</command>
> >     <location>local</location>
> >     <rules_id>31151,30114,31163,31106</rules_id>
> >   </active-response>
> >
> > Last, the ossec server is an ubuntu breezy server, the agent that
> > raises the alert is a debian 3.1 server and both run ossec 1.6.1.
> >
> > I hope this info can be helpful.
> >
> > Thank you
> >
> > Luciano
> >
> > On 3 Mar, 15:55, Damon Getsman <dgets...@amirehab.net> wrote:
> >> I would suggest posting the version of OSsec that you're using, the rule
> >> that is specifically being fired @ level 10 (I believe there is more than
> >> one type of ssh brute force attack if I remember correctly), and then the
> >> <active-response> portion of your ossec.conf file. Snippets of the log
> >> itself may help, too.
> >>
> >> I know that you specified that you're using the 'defaults', but if you tag
> >> these pieces of information along in your messages it'll make things easier
> >> for someone that may know the answer off the top of their head to post a
> >> response to you. I'm pretty sure most of the people on this mailing list
> >> don't have the time to sit and research various responses to questions like
> >> this most of the time; nobody gets paid to respond to the mailing list. :)
> >>
> >> HTH.
> >> ----------
> >> Damon Getsman
> >> -=-=-=-
> >> ITRx http://www.itrx-nd.com/
> >> Programmer/IT Customer Relations/Sys Admin
> >> -=-=-=-
> >>
> >> On Tue, Mar 3, 2009 at 2:23 AM, cianop <luciano.branc...@feltrinelli.it> wrote:
> >>
> >> > Hey, can someone help me please? I have a lot of brute force attacks
> >> > notified by OSSEC, and if the active-response doesn't work, sooner
> >> > or later they get inside. Anyone at Ossec can help me?
> >>
> >> [snip]
> >>
> >> On 19 Feb, 16:18, cianop <luciano.branc...@feltrinelli.it> wrote:
> >> > Hi, I had an OSSEC notification that says that a rule with level 10 was
> >> > fired but I didn't see any active-response action. I mean no
> >> > modification of hosts.*, no logs in the active-response dir or logs dir.
> >> > I have the default rules installed and the two default commands and
> >> > related active-responses (host-deny and firewall-drop) with the
> >> > firewall-drop disabled. There is also no error in ossec.log.
> >>
> >> [snip]
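The point Daniel makes in the thread is that `<location>local</location>` runs the response on the agent that raised the alert, so the log to look for is the agent's active-responses.log, not the manager's. The following is an added example (not OSSEC's own code, and not anything from the thread) that audits an active-response configuration for exactly that: it reports where each response runs, what triggers it, and flags a disabled block, a reference to an undefined command, or a `<timeout>` on a command whose definition has `timeout_allowed` set to no. It assumes a constructed fragment modelled on the one quoted above, wrapped in an `<ossec_config>` element so it parses as one XML document; the `firewall-drop` definition is left out, as it is in the quoted fragment.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ossec.conf fragment quoted in the thread
# (assumption: not the poster's real file; <ossec_config> wrapper added).
SAMPLE_CONF = """<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <command><name>pix-blacklist</name><executable>pix-blacklist.sh</executable>
    <expect>srcip</expect><timeout_allowed>no</timeout_allowed></command>
  <active-response><command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
  <active-response><disabled>yes</disabled><command>firewall-drop</command>
    <location>local</location><level>6</level><timeout>600</timeout></active-response>
  <active-response><command>pix-blacklist</command><location>local</location>
    <rules_id>31151,30114,31163,31106</rules_id></active-response>
</ossec_config>"""

# Where a response executes for each <location> value, and where its log ends up.
WHERE = {
    "local": "the agent that raised the alert (its /var/ossec/logs/active-responses.log)",
    "server": "the manager",
    "defined-agent": "the agent named in <agent_id>",
    "all": "every agent",
}

def audit(conf_xml):
    """Return one dict per <active-response>: where it runs, its trigger, and issues."""
    root = ET.fromstring(conf_xml)
    # Only top-level <command> elements are definitions; a <command> inside
    # <active-response> is a reference to one of them by name.
    defs = {c.findtext("name"): c for c in root.findall("command")}
    report = []
    for ar in root.findall("active-response"):
        name = ar.findtext("command")
        loc = ar.findtext("location") or "local"
        entry = {"command": name, "runs_on": WHERE.get(loc, loc), "issues": []}
        if ar.findtext("rules_id"):
            entry["trigger"] = "rule id in " + ar.findtext("rules_id")
        else:
            entry["trigger"] = "level >= " + (ar.findtext("level") or "?")
        if ar.findtext("disabled") == "yes":
            entry["issues"].append("disabled")
        cmd = defs.get(name)
        if cmd is None:
            entry["issues"].append("no <command> definition named " + str(name))
        elif ar.findtext("timeout") and cmd.findtext("timeout_allowed") != "yes":
            entry["issues"].append("timeout set but timeout_allowed is not yes")
        report.append(entry)
    return report
```

Call `audit(SAMPLE_CONF)` (or pass the contents of your own file, wrapped the same way) and read the `runs_on` field: every response in this fragment is `local`, so its log lives on the agent, which is why the manager shows nothing.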