On 2012-01-24 at 11:20, jeff jennings wrote:
> A fellow who works for me remotely called me this morning and said he was
> accessing one of our servers via ssh and the connection dropped.
>
> So I looked in the ossec active-response.log file and saw he had been
> blocked.
>
> Here are his lines.
>
> Can someone tell me why he was blocked?

Certainly because a rule has been fired and delivered a "srcIp" field. You should have a look at log/ossec.log first.

> Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 273.9.66.246 1327412771.231959 31106
> Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 273.9.66.246 1327412771.231959 31106
>
> thanks in advance
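To make the reply's advice concrete, here is an added example (not code from the thread or from the OSSEC project) that parses the quoted active-response.log lines, pairs each `add` with its `delete`, and reports the rule id and alert id that caused the block, which are the values to search for in alerts.log / ossec.log. The sample input is the four lines quoted above; the `search_keys` helper assumes the stock OSSEC alerts.log header layout (`** Alert <id>:` followed by `Rule: <id> (level N)`), which is an assumption, not something the thread states.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four active-response.log lines quoted in the thread.
SAMPLE_LOG = """\
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:39:26 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 273.9.66.246 1327412771.231959 31106
Tue Jan 24 10:49:56 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 273.9.66.246 1327412771.231959 31106
"""

# Field layout exactly as it appears in the thread's lines:
#   <weekday> <month> <day> <HH:MM:SS> <tz> <year> <script> <add|delete> <user> <srcip> <alert-id> <rule-id>
LINE_RE = re.compile(
    r"^(?P<wday>\w{3}) (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<tz>\S+) (?P<year>\d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one active-response.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Parse the wall-clock time without the tz token (strptime's %Z is not portable
    # across machines); the tz abbreviation is kept as its own field.
    when = datetime.strptime(f"{d['mon']} {d['day']} {d['year']} {d['time']}", "%b %d %Y %H:%M:%S")
    return {
        "when": when,
        "tz": d["tz"],
        "script": d["script"].rsplit("/", 1)[-1],
        "action": d["action"],
        "user": d["user"],
        "ip": d["ip"],  # copied verbatim from the log; not validated as an IPv4 address
        "alert_id": d["alert_id"],
        "rule_id": d["rule_id"],
    }


def parse_log(text: str) -> List[dict]:
    """Parse every matching line; non-matching lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def block_summary(records: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group add/delete lines per (srcip, alert_id) and compute how long the block lasted.

    Both scripts (host-deny.sh and firewall-drop.sh) are bound to the same alert,
    so they collapse into one entry keyed by the alert id."""
    out: Dict[Tuple[str, str], dict] = {}
    for r in records:
        key = (r["ip"], r["alert_id"])
        e = out.setdefault(key, {
            "ip": r["ip"], "rule_id": r["rule_id"], "alert_id": r["alert_id"],
            "scripts": set(), "blocked_at": None, "unblocked_at": None,
        })
        e["scripts"].add(r["script"])
        if r["action"] == "add":
            e["blocked_at"] = r["when"] if e["blocked_at"] is None else min(e["blocked_at"], r["when"])
        else:
            e["unblocked_at"] = r["when"] if e["unblocked_at"] is None else max(e["unblocked_at"], r["when"])
    for e in out.values():
        if e["blocked_at"] and e["unblocked_at"]:
            e["duration_s"] = int((e["unblocked_at"] - e["blocked_at"]).total_seconds())
        else:
            e["duration_s"] = None  # still blocked, or the matching line was rotated away
    return out


def search_keys(entry: dict) -> Tuple[str, str]:
    """Strings to grep for in alerts.log / ossec.log to find the triggering alert.

    Assumption: stock OSSEC alerts.log header, '** Alert <id>:' then 'Rule: <id> (level N)'.
    The trailing ' (' keeps 'Rule: 31106' from matching a longer rule id such as 311060."""
    return (f"** Alert {entry['alert_id']}", f"Rule: {entry['rule_id']} (")


if __name__ == "__main__":
    for e in block_summary(parse_log(SAMPLE_LOG)).values():
        print(f"{e['ip']} blocked by rule {e['rule_id']} via {sorted(e['scripts'])} "
              f"for {e['duration_s']} s; search alerts.log for {search_keys(e)!r}")
```

Running this over the quoted lines yields one entry: the address was blocked by rule 31106 through both host-deny.sh and firewall-drop.sh, and the `add`/`delete` timestamps are 630 seconds apart. The alert id `1327412771.231959` is the key that ties the active-response entry back to the full alert in alerts.log, which is where the "why" (the matching log line and rule description) actually lives.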
