Hello, forgive me if I'm a total noob, but I have a particular scenario that I would like to implement, and I'm wondering if OSSEC could be used. My first impression is that with the server/agent setup, this might be achievable... ?
Here it is: let's say I have N hosts in a cloud. Each runs a particular set of servers open to public access. All hosts have their own firewall, and all hosts reside in a common IP range (big or small). I've been noting that the bad guys are scanning my hosts by IP, and usually within a few minutes, they hit each server in turn. I have fail2ban running, and it does a fair job of picking up on the attempts and triggering. I'm using iptables to block IPs. Sorry, I don't want to utter heresy ;), I'm trying to give OSSEC due diligence. What I'd like to do is, if ANY machine gets attacked, I'd like to report back to the server, have the server set up the blocking of that IP, and then have it command all the other agents to block that IP also. This way, the attacker might get a peek at one or two systems, but will find nothing but a wall at all the other servers. Can OSSEC do this easily? murf
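Editor's added example, not part of the original post: the scenario above (an alert from any agent causing every agent to block the offending source IP) maps onto OSSEC's active-response feature with `<location>all</location>`. The snippet assumes the stock `firewall-drop.sh` script shipped in OSSEC's `active-response/bin` directory and a manager-side `ossec.conf`; the alert level threshold (6) and the 600-second block duration are illustrative choices.

```xml
<ossec_config>
  <!-- Declare the response script. OSSEC ships firewall-drop.sh, which
       inserts an iptables DROP rule for the source IP it is handed. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>            <!-- pass the alert's source IP -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire the command on every agent (and the manager) whenever any
       agent raises an alert at or above the chosen level. "all" is what
       turns one host's detection into a block on the whole fleet. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>                 <!-- assumed threshold; tune to your rules -->
    <timeout>600</timeout>           <!-- seconds; the block is undone after this -->
  </active-response>
</ossec_config>
```

Each agent's own `ossec.conf` must not have `<active-response><disabled>yes</disabled></active-response>` set, otherwise the manager's instruction is ignored on that host; a `<timeout>` keeps a false positive from locking out a legitimate address permanently.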
