On 03/12/2012 11:53 AM, Dimitri Yioulos wrote:
> On Monday 12 March 2012 12:24:47 pm Steven Stern wrote:
>> On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
>>> Anyone have any ideas on this?
>>>
>>>> All,
>>>>
>>>> Back at the end of last year, I asked about using the repeated-offenders
>>>> feature in OH.  I added the following directives to ossec.conf on the host
>>>> that I want this to work in:
>>>>
>>>>   <command>
>>>>     <name>host-deny</name>
>>>>     <executable>host-deny.sh</executable>
>>>>     <expect>srcip</expect>
>>>>     <timeout_allowed>yes</timeout_allowed>
>>>>   </command>
>>>>
>>>>   <active-response>
>>>>     <!-- This response is going to execute the host-deny
>>>>        - command for every event that fires a rule with
>>>>        - level (severity) >= 6.
>>>>        - The IP is going to be blocked for  600 seconds.
>>>>       -->
>>>>     <command>host-deny</command>
>>>>     <location>local</location>
>>>>     <level>6</level>
>>>>     <timeout>600</timeout>
>>>>   </active-response>
>>>>
>>>> Despite that, it's not working.  Ossec reports the following:
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2012 Mar 07 09:08:16
>>>>
>>>> Received From: (plymouth) 192.168.1.2->/var/log/messages
>>>> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>>>> Portion of the log(s):
>>>>
>>>> Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod
>>>> host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>>>> ...
>>>>
>>>> However, rather than OH invoking repeated-offenders, and blocking the
>>>> offender for 600 seconds, I continue to see the offender make attempts
>>>> on the host.
>>>>
>>>> What am I missing here?
>>
>> Can you get onto the server when the block should be in effect?
>>
>> If so, what do you see in /etc/hosts.deny and from "iptables -L"?
>>
>> At the time the blocks should be taking place, do you see anything in
>> /var/log/messages or /var/ossec/logs/active-responses.log?
>>
>> Are you running SELinux in enforcing mode?
>>
>>
>> --
>> -- Steve
> 
> 
> Steve,
> 
> Thanks for your response.  By grepping for the offending IP addy 
> in /var/ossec/logs/active-responses.log, I saw that "host-deny.sh add" 
> and "firewall-drop.sh add" were fired.  Ten minutes later, "host-deny.sh 
> delete" and "firewall-drop.sh delete" were fired.  So, it appears that 
> repeated-offenders is working.  I just didn't know where to look.  I guess 
> I'd like an email notification when the blocks/unblocks are fired.  How/where 
> do I enable that?

I think this is what you want.  By the way, if you're playing with rules
that lock people out, be sure to whitelist your own IP first.

http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/

http://www.ossec.net/wiki/Know_How:White_list


-- 
-- Steve
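As an added example (not code from this thread or from OSSEC itself), a small Python script that does what Dimitri did by hand: it pairs the "add" and "delete" entries in active-responses.log per script and source IP and checks that every completed block lasted the configured <timeout> (600 s). The sample log text is constructed, following the field order OSSEC's bundled active-response scripts write (`date`, script path, action, user, source IP, alert id, rule id); the timezone token is ignored.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/ossec/logs/active-responses.log; each script appends
# "`date` $0 $1 $2 $3 $4 $5" -> date, script, action, user, srcip, alert id, rule id.
SAMPLE_LOG = """\
Wed Mar  7 09:08:16 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 201.93.132.240 1331129296.12345 40111
Wed Mar  7 09:08:16 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 201.93.132.240 1331129296.12345 40111
Wed Mar  7 09:18:16 EST 2012 /var/ossec/active-response/bin/host-deny.sh delete - 201.93.132.240 1331129296.12345 40111
Wed Mar  7 09:18:16 EST 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 201.93.132.240 1331129296.12345 40111
Wed Mar  7 10:02:03 EST 2012 /var/ossec/active-response/bin/host-deny.sh add - 10.0.0.5 1331132523.67890 5712
"""

def parse_line(line):
    """Return (timestamp, script name, action, ip, rule id) or None if malformed."""
    t = line.split()
    if len(t) < 12 or t[7] not in ("add", "delete"):
        return None
    when = datetime.strptime(f"{t[1]} {t[2]} {t[3]} {t[5]}", "%b %d %H:%M:%S %Y")
    return when, t[6].rsplit("/", 1)[-1], t[7], t[9], t[11]

def block_windows(log_text):
    """Pair each 'add' with the next 'delete' for the same (script, ip).

    Returns one dict per block with start, end (None while still active) and
    the block lifetime in seconds, so the configured <timeout> can be verified.
    """
    pending = defaultdict(list)  # (script, ip) -> [(start, rule), ...]
    windows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, script, action, ip, rule = rec
        if action == "add":
            pending[(script, ip)].append((when, rule))
        elif pending[(script, ip)]:
            start, rule = pending[(script, ip)].pop(0)
            windows.append({"script": script, "ip": ip, "rule": rule, "start": start,
                            "end": when, "seconds": int((when - start).total_seconds())})
    for (script, ip), starts in pending.items():  # blocks with no delete yet
        for start, rule in starts:
            windows.append({"script": script, "ip": ip, "rule": rule, "start": start,
                            "end": None, "seconds": None})
    return windows

def timeout_mismatches(windows, timeout=600):
    """Completed blocks whose lifetime differs from the configured <timeout>."""
    return [w for w in windows if w["end"] is not None and w["seconds"] != timeout]

if __name__ == "__main__":
    for w in block_windows(SAMPLE_LOG):
        state = "still active" if w["end"] is None else f"{w['seconds']}s"
        print(f"{w['script']} {w['ip']} (rule {w['rule']}): {state}")
```

Pointing the script at the real file instead of SAMPLE_LOG shows at a glance whether the add/delete pairs match the <timeout> in ossec.conf.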
