A fellow who works for me remotely called me this morning and said he was accessing one of our servers via ssh and the connection dropped.
So I looked in the ossec active-response.log file and saw he had been blocked. Here are his lines. Can someone tell me why he was blocked?

Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 273.9.66.246 1327412771.231959 31106

Thanks in advance
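One way to read the quoted lines, as an added example that is not part of the original post: a small parser that pairs each add with its delete and reports the triggering rule ID and how long the block lasted. The field names are assumptions based on OSSEC's active-response argument order (action, user, source IP, alert ID, rule ID); `parse` and `summarize` are hypothetical helpers.

```python
import re
from datetime import datetime

# The four lines quoted in the post, verbatim.
LOG = """\
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 273.9.66.246 1327412771.231959 31106
"""

# date(1)-style stamp, then script path and its arguments (assumed order).
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)\s*$"
)

def parse(line):
    """Return one log entry as a dict, or None if the line does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    # The zone name is skipped: strptime's %Z only accepts local zone names.
    e["time"] = datetime.strptime(e["ts"] + " " + e["year"], "%a %b %d %H:%M:%S %Y")
    e["script"] = e["script"].rsplit("/", 1)[-1]
    return e

def summarize(text):
    """Pair add/delete entries; 'seconds' is None while a block is still active."""
    pending, blocks = {}, []
    for entry in filter(None, map(parse, text.splitlines())):
        key = (entry["script"], entry["srcip"], entry["alert_id"])
        if entry["action"] == "add":
            pending[key] = entry
        elif key in pending:
            start = pending.pop(key)
            lasted = int((entry["time"] - start["time"]).total_seconds())
            blocks.append({"script": key[0], "srcip": key[1], "alert_id": key[2],
                           "rule_id": start["rule_id"], "seconds": lasted})
    for key, start in pending.items():  # added but never removed
        blocks.append({"script": key[0], "srcip": key[1], "alert_id": key[2],
                       "rule_id": start["rule_id"], "seconds": None})
    return blocks

if __name__ == "__main__":
    for b in summarize(LOG):
        print(b)
```

Under that field order, the last column (31106 in these lines) is the ID of the rule whose alert triggered the response, so that is the rule to look up in the OSSEC rule files and the alerts log.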
