On 02/05/2012 11:56 AM, lucas kauffman wrote:
>
> Also if an IP is blocked, how can I unblock it through ossec ? Or do I
> have to do it manually and delete the entries for hosts.deny and iptables ?

OSSEC will unblock automatically, based on the timeout parameter in ossec.conf or your local rules.

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

--
-- Steve
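
Added example, not part of the original message or of OSSEC itself: a small audit that reads ossec.conf text and reports, for each enabled active-response block, the timeout and whether the block will be reversed automatically. The function name, the sample text and rule id 100100 are constructed for illustration; it assumes an entry without a timeout is never unblocked on its own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the message's two entries plus a made-up one without <timeout>.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>
"""

def audit_active_responses(conf_text):
    """Return one dict per enabled <active-response> block."""
    # ossec.conf may hold several <ossec_config> roots; wrap them so XML parsing works.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    report = []
    for ar in root.iter("active-response"):
        if (ar.findtext("disabled") or "").strip().lower() == "yes":
            continue
        raw = (ar.findtext("timeout") or "").strip()
        timeout = int(raw) if raw.isdigit() else 0
        report.append({
            "command": (ar.findtext("command") or "").strip(),
            "level": (ar.findtext("level") or "").strip() or None,
            "rules_id": (ar.findtext("rules_id") or "").strip() or None,
            "timeout": timeout,
            "auto_unblock": timeout > 0,  # no timeout: block is never reversed
        })
    return report

if __name__ == "__main__":
    for entry in audit_active_responses(SAMPLE_CONF):
        print(entry)
```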