Got this one working...

When the gateway is set to the NIC IP, requests still get through and
the simulated hacker can still connect.
When I changed the gateway to a non-existent IP address (i.e.
192.168.20.254, which I know doesn't exist on the subnet), then the
simulated hacker does get blocked.

Could it be because there is an additional IP on the NIC, so maybe by
sending it to the NIC's address, it's then going out the secondary
address on that NIC? Only a sniffer could probably tell.
But it does seem to be working as expected now.

Greg


On Aug 3, 8:28 pm, "Thomson, Gregory" <[email protected]>
wrote:
> I have a recently new setup - within the last week.
> It is now sending the alert on the brute force FTP login attempt, which I
> asked about earlier.
> The Active Response also seems to be working to add an entry to the server 
> routing table with a gateway address set to the same address as the interface 
> on the server.
>
> But a few seconds after the null route was added automatically, I was still 
> able to login via FTP from the IP I was using with the multiple bad logins.
>
> So, it seems as though OSSEC is doing what I'm expecting it to do, but I'm
> still not blocked from logging in.
>
> I was thinking this could be because of having multiple IP addresses on the
> NIC, but even when using the IP address specifically when trying to log in (the
> same IP address that had the route entry added), it still lets me log in
> from the source IP that I'm thinking should be blocked.
>
> Any ideas on why I can still login?
> The route entry added is similar to:
>
> Network Destination | Netmask | Gateway | Interface | Metric
> 10.100.100.10 | 255.255.255.255 | 192.168.20.10 | 192.168.20.10 | 1
>
> where 10.100.100.10 is an internal host, going through a PIX to the Windows 
> IIS server on a DMZ. Windows IIS server has the OSSec agent.
> 192.168.20.10 is the IIS interface and the IP address OSSec knows about.
>
> But even when this null route is set, I can ftp from the 10.100.100.10 server 
> to the 192.168.20.10 server and get successfully logged in.
>
> TIA for any help,
>
> Greg
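The thread's finding is that a host route whose gateway is the server's own interface address is not a black hole: Windows treats such a route as directly attached and still delivers the packets, whereas a gateway that does not exist on the subnet does drop them. The following audit, an added example that is not part of the thread or of OSSEC, parses `route print`-style rows and flags host routes that would fail this way; the sample table and the local-address set (including a hypothetical secondary NIC address, 192.168.20.11) are constructed, modelled on the entry quoted above.

```python
# Audit Windows null routes added by an active-response script (e.g. OSSEC
# route-null): a /32 route only black-holes traffic when its gateway is NOT one
# of the host's own addresses. Constructed sample rows in `route print` layout.
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.20.1   192.168.20.10     10
    10.100.100.10  255.255.255.255    192.168.20.10   192.168.20.10      1
    10.100.100.11  255.255.255.255   192.168.20.254   192.168.20.10      1
     192.168.20.0    255.255.255.0         On-link    192.168.20.10    266
"""

# Hypothetical set of addresses bound to the NIC, primary plus a secondary.
LOCAL_ADDRESSES = {"192.168.20.10", "192.168.20.11"}

HOST_MASK = "255.255.255.255"


def parse_routes(text):
    """Return the IPv4 rows of a `route print` table as dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Header line splits into 6 tokens; data rows into exactly 5.
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        rows.append({"dest": dest, "mask": mask, "gateway": gateway,
                     "interface": iface, "metric": int(metric)})
    return rows


def audit_null_routes(text, local_addresses):
    """Classify every host (/32) route as an effective or ineffective block.

    A gateway equal to a local address (or "On-link") means the packets are
    handed straight to the NIC, so the blocked host is still reachable.
    Returns a list of (destination, gateway, status) tuples.
    """
    findings = []
    for r in parse_routes(text):
        if r["mask"] != HOST_MASK:
            continue  # only host routes are candidates for a per-IP block
        gw = r["gateway"]
        if gw == "On-link" or gw in local_addresses or gw == r["interface"]:
            status = "INEFFECTIVE"  # delivered directly, not black-holed
        else:
            status = "effective"
        findings.append((r["dest"], gw, status))
    return findings


if __name__ == "__main__":
    for dest, gw, status in audit_null_routes(SAMPLE_ROUTE_TABLE, LOCAL_ADDRESSES):
        print(f"{dest:>16} via {gw:<16} {status}")
```

Run it against the real output of `route print` on the agent to confirm that each blocked address is routed to an unassigned gateway rather than back to the interface itself.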
