I have nothing in hosts.deny, but I see something weird in the logs:

tail -f /var/ossec/logs/active-responses.log

Thu Jul 12 19:54:47 EDT 2012 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:54:48 EDT 2012 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:54:50 EDT 2012 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:54:53 EDT 2012 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:54:57 EDT 2012 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:55:02 EDT 2012 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706

Thanks

On Thu, Jul 12, 2012 at 9:27 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Jul 11, 2012 at 9:59 PM, cosmaschi cristian <cristicosmas...@gmail.com> wrote:
> > My last Active response log is from Mon Jun 4 21:23:43 EDT 2012. Ups :| that's bad.
> >
> > Attached are ossec.conf and asterisk rules.
> >
> > Thanks
>
> So you have a very basic active response configuration. I think the host-deny entry will be triggered and the firewall-drop one will not. Try commenting out the host-deny entry, or check your hosts.deny file to see if that's getting the entries instead of iptables.
>
> > On Wed, Jul 11, 2012 at 9:48 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >>
> >> On Jul 11, 2012 9:43 PM, "cosmaschi cristian" <cristicosmas...@gmail.com> wrote:
> >> >
> >> > I see that the rules are being processed, but when I check iptables to see if the host was blocked ... nothing...
> >> >
> >> > It used to work until 2 days ago...
> >>
> >> What changed? What is your configuration? How did you check iptables? Anything in the active response log? Why didn't you include that info?
> >>
> >> > Results:
> >> > Total alerts found: 424
> >> >
> >> > Alert list
> >> > 2012 Jul 11 20:56:00 Rule Id: 6212 level: 10
> >> > Location: (Hp22) 209.217.109.82->/var/log/messages
> >> > Src IP: 0:55:41 hp22 asterisk[11715]: NOTICE[11747]: chan_sip.c:24170 in handle_request_register: Registration from '<sip:1...@hp22.xxx.com:5060>' failed for '99.251.108.141:5060' - No matching peer found
> >> > Login session failed (invalid extension). ** Alert 1342054561.21049945: - syslog,asterisk,
> >>
> >> It looks like you're using the broken web UI. Stop that. Either fix it or don't use it, and definitely give me an un-messed-up alert.
> >>
> >> > On Wed, Jul 11, 2012 at 9:33 PM, dan (ddp) <ddp...@gmail.com> wrote:
> >> >>
> >> >> On Jul 11, 2012 9:31 PM, "cosmaschi cristian" <cristicosmas...@gmail.com> wrote:
> >> >> >
> >> >> > Hello,
> >> >> >
> >> >> > I'm trying to debug OSSEC, following http://www.ossec.net/doc/faq/unexpected.html
> >> >> >
> >> >> > Example: "If you have logs similar to the following in /var/ossec/queue/ossec/queue:"
> >> >> >
> >> >> > When I run
> >> >> >
> >> >> > tail -f /var/ossec/queue/ossec/queue
> >> >>
> >> >> That page does not tell you to do that. It probably wants you to tail the logfile:
> >> >> `tail -f /var/ossec/logs/ossec.log`
> >> >>
> >> >> > I get
> >> >> >
> >> >> > tail: cannot open `/var/ossec/queue/ossec/queue' for reading: No such device or address
> >> >> > tail: no files remaining
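A small parser for the retry lines shown in the active-responses.log output above, added here as an illustration (not from the thread and not OSSEC's own code): it groups the retries by alert id and checks whether the srcip argument handed to firewall-drop.sh was an address at all. It assumes OSSEC's standard active-response argument order after the script path (action, user, srcip, alert id, rule id); the sample lines are the first and last retry lines from the log above.

```python
import re
import ipaddress

# Shape of the retry lines in /var/ossec/logs/active-responses.log quoted in the
# thread. The fields after the script path are assumed to follow OSSEC's standard
# active-response argument order: action, user, srcip, alert id, rule id.
LINE_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ [\d:]+ \w+ \d{4}) "
    r"Unable to run \(iptables returning != 2\): (?P<attempt>\d+) - "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<srcip>\S+) "
    r"(?P<alert_id>[\d.]+) (?P<rule_id>\d+)$"
)

# Constructed sample: the first and last retry lines from the log in the thread.
SAMPLE = """\
Thu Jul 12 19:54:47 EDT 2012 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
Thu Jul 12 19:55:02 EDT 2012 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1342136225.17069214 5706
"""

def parse_failures(text):
    """Group retry lines by alert id, keeping the highest attempt count seen."""
    failures = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a firewall-drop retry line; ignore it
        d = m.groupdict()
        entry = failures.setdefault(d["alert_id"], {
            "action": d["action"], "srcip": d["srcip"],
            "rule_id": d["rule_id"], "attempts": 0,
        })
        entry["attempts"] = max(entry["attempts"], int(d["attempt"]))
    return failures

def diagnose(entry):
    """Explain why the retries could not succeed, if the srcip argument tells us."""
    try:
        ipaddress.ip_address(entry["srcip"])
    except ValueError:
        return ("srcip argument %r is not an address, so every iptables %s "
                "attempt (%d tries) was bound to fail; the alert for rule %s "
                "reached active response without a usable source IP"
                % (entry["srcip"], entry["action"], entry["attempts"], entry["rule_id"]))
    return "srcip looks valid; check iptables itself (path, permissions, chain)"

if __name__ == "__main__":
    for alert_id, entry in parse_failures(SAMPLE).items():
        print(alert_id, diagnose(entry))
```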