[Ossec-list] Active response: Hosts left in hosts.deny?
- Subject: [Ossec-list] Active response: Hosts left in hosts.deny?
- From: oahmet at metu.edu.tr (Ahmet Ozturk)
- Date: Sun, 09 Apr 2006 21:38:10 +0300
Hi Kayvan,
I tested the host-deny and firewall-drop active responses repeatedly on my
machine (Debian with kernel 2.6.15) and unfortunately couldn't reproduce
the problem you mentioned; everything worked well. According to
your "ossec-hids-responses.log", ossec behaves as expected on your
system, and calls "host-deny.sh delete" after the timeout. It may be
some kind of permission issue (just a guess).
Can you edit "/var/ossec/active-response/bin/host-deny.sh" and change
line 30:
mv /tmp/hosts.deny.$$ /etc/hosts.deny
to
cp /tmp/hosts.deny.$$ /etc/hosts.deny
Then the temporary file created in the /tmp directory (named
hosts.deny.pid) will not be moved. The content of this file may help
us.
Btw, the "null" term in the argument list is just a dummy username. I
know it's a bit confusing. However, it seems there is no problem with
the arguments on your system.
Regards,
Ahmet Ozturk.
Quoting "Kayvan A. Sylvan" <kayvan at sylvan.com>:
> I am running OSSEC on several hosts now.
>
> On one of them, running Redhat Enterprise 3 (update 7), with
> kernel 2.4.21-40, I am having hosts that are being added but never
> taken off hosts.deny.
>
> For example:
>
> # grep 85.139.186.62 /tmp/ossec-hids-responses.log
> Fri Apr 7 17:00:52 EDT 2006
> /var/ossec/active-response/bin/host-deny.sh add null 85.139.186.62
> Fri Apr 7 17:00:52 EDT 2006
> /var/ossec/active-response/bin/firewall-drop.sh add null 85.139.186.62
> Fri Apr 7 17:11:32 EDT 2006
> /var/ossec/active-response/bin/host-deny.sh delete null 85.139.186.62
> Fri Apr 7 17:11:32 EDT 2006
> /var/ossec/active-response/bin/firewall-drop.sh delete null 85.139.186.62
>
> However, the IP address is still in hosts.deny.
>
> I don't understand the "null" in the above argument lists, either.
>
> I'm pretty sure this is some kind of subtle bug, since it appears that the
> intent is for the IPs to be temporarily blocked and then unblocked.
>
> Can anyone help shed some light on this?
>
> ---Kayvan
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena
> (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
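To make the failure mode in this thread visible, here is an added example (my own sketch, not OSSEC's host-deny.sh) that follows the same pattern the script uses, rewriting the file into /tmp/hosts.deny.$$ and then replacing the live file, but verifies after the delete that the address is really gone instead of trusting the exit status of mv. HOSTS_DENY and the function names are assumptions; the file defaults to a constructed path under /tmp so it never touches /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not OSSEC's own script. HOSTS_DENY is an assumed
# variable; it defaults to a constructed file so the demo is harmless.
HOSTS_DENY="${HOSTS_DENY:-/tmp/hosts.deny.example}"

# Exact-line match: -F treats the dots in the address literally and
# -x requires the whole line to match, so 10.0.0.1 never matches 10.0.0.10.
hosts_deny_has() {
    grep -Fxq "ALL:$2" "$1"
}

hosts_deny_add() {
    hosts_deny_has "$1" "$2" && return 0   # already blocked, keep one entry
    echo "ALL:$2" >> "$1"
}

hosts_deny_delete() {
    file="$1"; ip="$2"; tmp="/tmp/hosts.deny.$$"
    # grep -v exits 1 when no lines remain, which is a valid result here.
    grep -Fxv "ALL:$ip" "$file" > "$tmp" || true
    # Replace the live file. If this fails (e.g. the permission problem
    # guessed at in the thread) the temp file is left behind for inspection.
    if ! mv "$tmp" "$file"; then
        echo "host-deny: could not replace $file, see $tmp" >&2
        return 1
    fi
    # The check the thread was missing: confirm the entry is actually gone.
    if hosts_deny_has "$file" "$ip"; then
        echo "host-deny: $ip still present in $file after delete" >&2
        return 2
    fi
    return 0
}

# Constructed demonstration: block the address from the quoted log, then
# unblock it, and confirm an unrelated pre-existing entry survives.
demo() {
    : > "$HOSTS_DENY"
    echo "ALL:192.0.2.10" >> "$HOSTS_DENY"        # constructed entry to keep
    hosts_deny_add "$HOSTS_DENY" "85.139.186.62"
    hosts_deny_delete "$HOSTS_DENY" "85.139.186.62" || return $?
    hosts_deny_has "$HOSTS_DENY" "192.0.2.10"
}
```

Source the file and call `demo`; a non-zero return means the delete did not take effect, which is exactly the symptom reported above.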
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.