Hello Daniel and all,

I have been using OSSEC 2.5.1 on different Linux environments for the past year and a half with OpenSIPs and Asterisk applications to ban SIP brute-forcing attackers, and of course it is doing its job very well. Thank you to all the people involved with the development of this software.

So, for the past 2 days I've been in a battle with finding a way to check which IPs are blocked by OSSEC-Server on an agent. I know that if I look into active-responses.log I'll see what actions were taken on a certain agent (add and delete from iptables), and if I look at iptables I'll be able to see the blocked IPs as well. But on an agent where the iptables rules are complex there is no way of making sure that I am looking at OSSEC-inserted rules. My theory is that the server or the agent knows the association between the timeout, the blocked IP and the agent, so that it can remove that active response (rule in iptables) just after the timeout occurred. Question is: where can I find that association, i.e. where is the list of the blocked IPs of an agent? I already looked through this list and the IRC channel and didn't find any information regarding this, which is odd to me because it seems to me that this should be a functionality asked for by a lot of people.

On the same page as this problem, I would like to know if it's possible to remove an iptables rule without doing an "iptables -D" and without restarting the agent. You see, if I remove a rule "by hand", and because I am using timeouts of 24h, if the attacker tries again it'll send email_alerts but it'll not apply the active response. So, my other question is: is it possible to remove an active response before its timeout in a way the agent is aware of?

Thank you very much for your time.

Best Regards,
Joel Oliveira
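Added example (not code from the OSSEC project or from the post above): a script that replays the add/delete entries in an agent's active-responses.log to reconstruct which IPs the firewall-drop response should currently have blocked, then compares that set against `iptables -L INPUT -n` output to flag rules removed by hand or DROP rules OSSEC did not add. It assumes the log line layout written by the stock firewall-drop.sh script (date, script path, action, user, IP, alert id, rule id); the log lines and iptables output below are constructed samples.

```python
import re

# Constructed sample of active-responses.log; the layout "<date> <script> <add|delete>
# <user> <ip> <alert id> <rule id>" is assumed from the stock firewall-drop.sh script.
SAMPLE_LOG = """\
Mon Jun  4 10:01:12 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1338804072.1234 5712
Mon Jun  4 10:03:40 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1338804220.5678 5712
Mon Jun  4 10:11:12 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5 1338804072.1234 5712
Mon Jun  4 10:15:00 UTC 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.9 1338804900.9012 5712
"""

# Constructed sample of `iptables -L INPUT -n` on the same agent: 192.0.2.9 was
# removed by hand, and 203.0.113.77 was dropped by some other admin rule.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  198.51.100.7         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  203.0.113.77         0.0.0.0/0
"""

def active_blocks(log_text, script_name="firewall-drop.sh"):
    """Replay add/delete entries; return {ip: (date, alert_id, rule_id)} still active."""
    active = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # not an active-response entry
        script, action, _user, ip, alert_id, rule_id = parts[-6:]
        if not script.endswith("/" + script_name):
            continue  # entry from a different response script (e.g. host-deny.sh)
        if action == "add":
            active[ip] = (" ".join(parts[:-6]), alert_id, rule_id)
        elif action == "delete":
            active.pop(ip, None)  # timeout expired and the rule was removed

    return active

# Matches the source column of a DROP line in `iptables -L -n` output.
DROP_RE = re.compile(r"^DROP\s+\S+\s+\S+\s+(\S+)\s+")

def reconcile(log_text, iptables_text):
    """Return (missing_in_iptables, not_from_ossec): IPs the log says are still
    blocked but the firewall no longer drops, and DROP sources OSSEC did not add."""
    expected = set(active_blocks(log_text))
    dropped = {m.group(1) for m in map(DROP_RE.match, iptables_text.splitlines()) if m}
    return sorted(expected - dropped), sorted(dropped - expected)

if __name__ == "__main__":
    print(active_blocks(SAMPLE_LOG))
    print(reconcile(SAMPLE_LOG, SAMPLE_IPTABLES))
```

The first list returned by reconcile() is exactly the "removed by hand before the timeout" case described in the post, where the agent still believes the block is in place.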