On Mon, Jan 23, 2012 at 1:05 PM, Damien Hull <dh...@section9.us> wrote:
> I have ossec 2.6 running on Ubuntu 10.04 LTS. This is a web server
> running LAMP....
>
> There are several websites on this server. Every now and then OSSEC
> will block an IP address for accessing a website. This is not an
> attack of any kind. I've had it happen to me. I'll access a website on
> the server and bam, blocked.
>
> I have it configured to unblock the IP after 10 minutes. I figured
> after 10 minutes a hacker will get tired and move on. I don't want
> this to happen with users of my server.
>
> Is there a way to configure OSSEC so this doesn't happen? I've never
> taken the time to tweak OSSEC....
>
> NOTE
> The latest alert was for Moodle. I'm guessing a user clicked on
> something and OSSEC didn't like it...

I did some digging and found out a few interesting things

Rule 31101
1. This is what caused the above block.
2. This shouldn't have, because it is a level 4 alert.
3. Host-deny and iptables are configured to block at level 10:

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

I also noticed that I get email for alerts below level 7. I should only be
getting them for alerts of level 7 or higher. It seems like OSSEC is not
following my config options.

Is there a way to fix this problem?

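The question above comes down to which alert actually crossed the active-response threshold. OSSEC fires an `<active-response>` for every alert whose level is greater than or equal to that response's `<level>`, so the way to check a surprise block is to line the alerts.log entries for the blocked IP up against the configured thresholds. The following script is an added example written for this thread; it is not code from the original post or from the OSSEC project. It parses `<active-response>` blocks from an ossec.conf fragment (a copy of the poster's two blocks) and entries from alerts.log-style text, and reports which responses each alert would trigger. The alerts.log sample, including the rule ids, levels and IP address, is constructed for the example and is not a claim about the real OSSEC rule set.

```python
"""Which OSSEC active responses would a given alert trigger?

Added example, not from the original post or the OSSEC project.
Applies the threshold semantics OSSEC uses for active response: a
response with <level>N</level> runs for any alert whose level is >= N
(unless the block is marked <disabled>yes</disabled>).
"""
import re
import xml.etree.ElementTree as ET

# Copy of the two <active-response> blocks from the post.
OSSEC_CONF_FRAGMENT = """
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
"""

# Constructed alerts.log sample in OSSEC's text alert layout. The rule
# ids, levels, descriptions and address are illustrative only and are
# not taken from the poster's server or asserted about the real rules.
SAMPLE_ALERTS_LOG = """\
** Alert 1327345500.1001: - web,accesslog,
2012 Jan 23 13:05:00 www->/var/log/apache2/access.log
Rule: 31101 (level 4) -> 'Web server 400 error code.'
Src IP: 192.0.2.10
192.0.2.10 - - [23/Jan/2012:13:05:00 -0600] "GET /moodle/ HTTP/1.1" 400 226

** Alert 1327345560.1002: - web,accesslog,attack,
2012 Jan 23 13:06:00 www->/var/log/apache2/access.log
Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
Src IP: 192.0.2.10
192.0.2.10 - - [23/Jan/2012:13:06:00 -0600] "GET /moodle/x HTTP/1.1" 400 226
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\S+): - (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_LINE = re.compile(r"^Src IP: (\S+)$")


def parse_active_responses(conf_fragment):
    """Return a list of {command, level, timeout} for enabled responses.

    The fragment has several top-level elements, so it is wrapped in a
    dummy root before parsing.
    """
    root = ET.fromstring("<ossec_config>%s</ossec_config>" % conf_fragment)
    responses = []
    for ar in root.findall("active-response"):
        if ar.findtext("disabled", "no").strip().lower() == "yes":
            continue
        responses.append({
            "command": ar.findtext("command", "").strip(),
            "level": int(ar.findtext("level", "0")),
            "timeout": int(ar.findtext("timeout", "0")),
        })
    return responses


def parse_alerts(log_text):
    """Split alerts.log text into dicts with id, groups, rule, level, srcip."""
    alerts = []
    current = None
    for line in log_text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"id": m.group(1),
                       "groups": [g for g in m.group(2).split(",") if g]}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = RULE_LINE.match(line)
        if m:
            current["rule"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
            continue
        m = SRCIP_LINE.match(line)
        if m:
            current["srcip"] = m.group(1)
    return alerts


def responses_for(alert, responses):
    """Commands that fire for this alert: alert level >= response level."""
    return [r["command"] for r in responses if alert.get("level", 0) >= r["level"]]


def blocking_decisions(conf_fragment, log_text):
    """(rule, level, srcip, [commands fired]) for every alert in the log."""
    responses = parse_active_responses(conf_fragment)
    return [(a.get("rule"), a.get("level"), a.get("srcip"),
             responses_for(a, responses)) for a in parse_alerts(log_text)]


if __name__ == "__main__":
    for rule, level, ip, fired in blocking_decisions(OSSEC_CONF_FRAGMENT,
                                                     SAMPLE_ALERTS_LOG):
        print("rule %s level %s from %s -> %s" % (rule, level, ip, fired or "no response"))
```

In the sample, the level-4 alert on its own triggers nothing, while the level-10 alert for the same source IP triggers both responses; when a block looks unexplained, run the real alerts.log for the blocked address through the same comparison and look for the entry whose level meets the threshold. OSSEC also records, for each active-response script it runs, the alert id and rule id it ran for in active-responses.log, which is the quickest cross-check against the rule id shown in the notification email.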