On 02/05/2012 11:56 AM, lucas kauffman wrote:
>
> Also if an IP is blocked, how can I unblock it through ossec ? Or do I
> have to do it manually and delete the entries for hosts.deny and iptables ?
OSSEC will unblock automatically, based on the timeout parameter in
ossec.conf or your local rules.

<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for 600 seconds.
    -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
    -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

--
-- Steve
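
An added example (not part of the original message or of OSSEC itself): a small audit that reads an ossec.conf and reports, per `<active-response>` block, whether a block will be lifted automatically. It assumes the usual `<command>` definitions carrying `<timeout_allowed>`; the sample config and the function name `audit_timeouts` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration; not taken from the original message.
SAMPLE_CONF = """<ossec_config>
  <command><name>host-deny</name><executable>host-deny.sh</executable>
    <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
  <command><name>firewall-drop</name><executable>firewall-drop.sh</executable>
    <expect>srcip</expect><timeout_allowed>no</timeout_allowed></command>
  <active-response>
    <command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command><location>local</location>
    <level>6</level><timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command><location>local</location><level>10</level>
  </active-response>
</ossec_config>"""

def audit_timeouts(conf_text):
    """Return (command, timeout_seconds_or_None, auto_unblock) per active-response."""
    # ossec.conf may contain several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    allowed = {}
    for cmd in root.iter("command"):
        name = cmd.findtext("name")
        if name:  # a command definition; references inside active-response have no <name>
            flag = (cmd.findtext("timeout_allowed") or "").strip().lower()
            allowed[name.strip()] = flag == "yes"
    results = []
    for ar in root.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        raw = (ar.findtext("timeout") or "").strip()
        timeout = int(raw) if raw.isdigit() and int(raw) > 0 else None
        # Automatic unblock needs both a timeout and a command that permits one.
        results.append((cmd, timeout, timeout is not None and allowed.get(cmd, False)))
    return results

if __name__ == "__main__":
    for cmd, timeout, auto in audit_timeouts(SAMPLE_CONF):
        state = "yes" if auto else "NO (entry stays until removed by hand)"
        print(f"{cmd}: timeout={timeout} auto-unblock={state}")
```

Any response reported without automatic unblock is one where the hosts.deny or iptables entry would have to be removed manually, as the question anticipates.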