On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
> On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
> > Anyone have any ideas on this?
> >
> >> All,
> >>
> >> Back at the end of last year, I asked about using the repeated-offenders
> >> feature
> >> in OH.  I added the following directives to ossec.conf on the host that
> >> I want this to work in:
> >>
> >>   <command>
> >>     <name>host-deny</name>
> >>     <executable>host-deny.sh</executable>
> >>     <expect>srcip</expect>
> >>     <timeout_allowed>yes</timeout_allowed>
> >>   </command>
> >>
> >>   <active-response>
> >>     <!-- This response is going to execute the host-deny
> >>        - command for every event that fires a rule with
> >>        - level (severity) >= 6.
> >>        - The IP is going to be blocked for  600 seconds.
> >>       -->
> >>     <command>host-deny</command>
> >>     <location>local</location>
> >>     <level>6</level>
> >>     <timeout>600</timeout>
> >>   </active-response>
> >>
> >> Despite that, it's not working.  Ossec reports the following:
> >>
> >> OSSEC HIDS Notification.
> >> 2012 Mar 07 09:08:16
> >>
> >> Received From: (plymouth) 192.168.1.2->/var/log/messages
> >> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
> >> Portion of the log(s):
> >>
> >> Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod
> >> host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
> >> ...
> >>
> >> However, rather than OH invoking repeated-offenders, and blocking the
> >> offender for 600 seconds, I continue to see the offender make attempts
> >> on the host.
> >>
> >> What am I missing here?
>
> Can you get onto the server when the block should be in effect?
>
> If so, what do you see in /etc/hosts.deny and from "iptables -L"?
>
> At the time the blocks should be taking place, do you see anything in
> /var/log/messages or /var/ossec/logs/active-responses.log?
>
> Are you running SELinux in enforcing mode?
>
>
> --
> -- Steve


Steve,

Thanks for your response.  By grepping for the offending IP addy 
in /var/ossec/logs/active-responses.log, I saw that "host-deny.sh add" 
and "firewall-drop.sh  add" were fired.  Ten minutes later, "host-deny.sh 
delete" and "firewall-drop.sh  delete" were fired.  So, it appears that 
repeated-offenders is working.  I just didn't know where to look.  I guess I'd 
like an email notification when the blocks/unblocks are fired.  How/where do I 
enable that?

Again, thanks.

Dimitri

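The verification step described in the reply above (grepping active-responses.log for the offender's address and checking that the delete follows the add ten minutes later) can be automated. The following is an added example and is not code from this thread or from the OSSEC project; it assumes that each line of /var/ossec/logs/active-responses.log carries a timestamp, the script path, `add` or `delete`, a user field, the source IP, an alert id and the rule id (that field layout is an assumption), and the sample log lines are constructed to mirror the events the reply reports.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/ossec/logs/active-responses.log. The field layout
# (timestamp, script path, add/delete, user, source IP, alert id, rule id) is an
# assumption about OSSEC's format; the thread only shows that "host-deny.sh add"
# and "... delete" appear ten minutes apart for the offending IP.
SAMPLE_LOG = """\
Wed Mar  7 09:08:16 2012 /var/ossec/active-response/bin/host-deny.sh add - 201.93.132.240 1331129296.4096 40111
Wed Mar  7 09:08:16 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 201.93.132.240 1331129296.4096 40111
Wed Mar  7 09:18:16 2012 /var/ossec/active-response/bin/host-deny.sh delete - 201.93.132.240 1331129296.4096 40111
Wed Mar  7 09:18:16 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 201.93.132.240 1331129296.4096 40111
Wed Mar  7 10:02:01 2012 /var/ossec/active-response/bin/host-deny.sh add - 10.0.0.5 1331132521.8192 40111
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert>\S+) (?P<rule>\S+)$"
)


def parse_active_responses(text):
    """Return one dict per well-formed log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # Collapse the double space in "Mar  7" before parsing the date.
        ev["time"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
        ev["script"] = ev["script"].rsplit("/", 1)[-1]   # host-deny.sh, firewall-drop.sh
        events.append(ev)
    return events


def events_for_ip(events, ip):
    """Programmatic equivalent of grepping the log for one offender."""
    return [(e["time"], e["script"], e["action"]) for e in events if e["ip"] == ip]


def block_windows(events):
    """Pair each 'add' with the next 'delete' for the same script and IP.

    Returns {(script, ip): [(added_at, removed_at_or_None, seconds_or_None), ...]}.
    An 'add' with no later 'delete' is reported with None, i.e. still blocked.
    """
    windows = defaultdict(list)
    open_blocks = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["script"], e["ip"])
        if e["action"] == "add":
            open_blocks[key] = e["time"]
        elif key in open_blocks:
            start = open_blocks.pop(key)
            windows[key].append((start, e["time"], int((e["time"] - start).total_seconds())))
    for key, start in open_blocks.items():
        windows[key].append((start, None, None))
    return dict(windows)


def check_timeout(events, expected_seconds=600, tolerance=5):
    """Report blocks whose lifetime does not match the configured <timeout>."""
    problems = []
    for (script, ip), spans in block_windows(events).items():
        for start, end, secs in spans:
            if end is None:
                problems.append(f"{script} {ip}: added {start:%H:%M:%S}, no delete seen yet")
            elif abs(secs - expected_seconds) > tolerance:
                problems.append(f"{script} {ip}: blocked {secs}s, expected {expected_seconds}s")
    return problems


if __name__ == "__main__":
    evs = parse_active_responses(SAMPLE_LOG)
    for t, script, action in events_for_ip(evs, "201.93.132.240"):
        print(f"{t:%H:%M:%S} {script} {action}")
    for p in check_timeout(evs):
        print("WARN", p)
```

Run against the real file (replace SAMPLE_LOG with its contents), `check_timeout` flags a block that was never released or that lasted a different time than the configured 600 seconds, and `events_for_ip` reproduces the grep the reply describes.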