
[Ossec-list] Active response: Hosts left in hosts.deny?



Hi Ahmet!

I think the problem is that there are multiple invocations happening
quickly (possibly very very close to each other) and I think we may
be seeing a race condition.

Here is a case in point. My hosts.deny contains 66.94.237.142 even
though the ossec-hids-responses.log shows that this IP was
added and deleted.

Here are the relevant file times in /tmp (after having made your
suggested modification):

-rw-r--r--    1 root     ossec         365 Apr 10 13:00 hosts.deny.31641
-rw-r--r--    1 root     ossec         366 Apr 10 13:03 hosts.deny.31822
-rw-r--r--    1 root     ossec         400 Apr 10 13:13 hosts.deny.32646
-rw-r--r--    1 root     ossec         402 Apr 10 13:22 hosts.deny.529
-rw-r--r--    1 root     ossec         401 Apr 10 13:22 hosts.deny.533
-rw-r--r--    1 root     ossec         401 Apr 10 13:22 hosts.deny.536
-rw-r--r--    1 root     ossec         382 Apr 10 13:25 hosts.deny.677

As you can see, there are multiple hosts.deny files with the same
timestamp. It's easy to imagine how this could foul things up.

I think a semaphore/file-locking test with some delays to try again
would fix this problem.

			---Kayvan

On Sun, Apr 09, 2006 at 09:38:10PM +0300, Ahmet Ozturk wrote:
> Can you edit "/var/ossec/active-response/bin/host-deny.sh" and change
> the line 30:
> mv /tmp/hosts.deny.$$ /etc/hosts.deny
> as
> cp /tmp/hosts.deny.$$ /etc/hosts.deny
> 
> Then the temporary file created in /tmp directory (named
> hosts.deny.pid) will not be moved. The content of this file may help
> us.

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
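The race Kayvan describes is the classic unsynchronised read-modify-write: two active-response invocations each read /etc/hosts.deny, each write their own /tmp/hosts.deny.$$, and whichever `mv` lands last wins, silently discarding the other's add or delete. The script below is an added example of the "file-locking test with some delays to try again" he proposes; it is not Kayvan's code and not the OSSEC project's host-deny.sh. It assumes entries have the form `ALL:<ip>`, one per line, and the variables HOSTS_DENY and LOCK_DIR, the function names, and the retry counts are all choices made here for illustration.

```shell
#!/bin/sh
# Added example: lock-protected add/delete of a hosts.deny entry so that
# concurrent active-response runs cannot overwrite each other's changes.
# Not the OSSEC project's host-deny.sh. HOSTS_DENY and LOCK_DIR are assumed
# names; override them in the environment.

HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"
LOCK_DIR="${LOCK_DIR:-/var/lock/hosts.deny.lock}"
LOCK_RETRIES="${LOCK_RETRIES:-10}"   # give up after roughly RETRIES * SLEEP seconds
LOCK_SLEEP="${LOCK_SLEEP:-1}"

# mkdir(2) is atomic: of several concurrent callers exactly one creates the
# directory and gets the lock; the others fail, wait, and retry.
acquire_lock() {
    i=0
    while ! mkdir "$LOCK_DIR" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -ge "$LOCK_RETRIES" ] && return 1
        sleep "$LOCK_SLEEP"
    done
    return 0
}

release_lock() {
    rmdir "$LOCK_DIR" 2>/dev/null
}

# Exit status 0 if "ALL:<ip>" is present as a whole line (exact match, no regex).
is_denied() {
    grep -qxF "ALL:$1" "$HOSTS_DENY" 2>/dev/null
}

# update_hosts_deny add|delete <ip>
# The whole read-modify-write runs under the lock. The new content is written
# to a private temp file next to the target and renamed into place, so a
# concurrent reader (tcpd) never sees a half-written hosts.deny.
update_hosts_deny() {
    action=$1
    ip=$2
    acquire_lock || { echo "could not lock $HOSTS_DENY, giving up" >&2; return 1; }
    [ -f "$HOSTS_DENY" ] || : > "$HOSTS_DENY"
    tmp=$(mktemp "$HOSTS_DENY.XXXXXX") || { release_lock; return 1; }
    case "$action" in
        add)
            # drop any existing copy first so repeated adds stay idempotent;
            # awk compares whole lines as strings, so dots in the IP are literal
            { awk -v ip="ALL:$ip" '$0 != ip' "$HOSTS_DENY"; echo "ALL:$ip"; } > "$tmp"
            ;;
        delete)
            awk -v ip="ALL:$ip" '$0 != ip' "$HOSTS_DENY" > "$tmp"
            ;;
        *)
            rm -f "$tmp"
            release_lock
            echo "usage: $0 add|delete <ip>" >&2
            return 2
            ;;
    esac
    chmod 644 "$tmp"
    mv "$tmp" "$HOSTS_DENY"
    release_lock
}

# Command-line entry point: ./lockdeny.sh add 66.94.237.142
if [ "$#" -eq 2 ]; then
    update_hosts_deny "$1" "$2"
fi
```

Because the lock is a directory rather than a pid-stamped temp file, it survives any number of simultaneous callers, but it does not survive a responder killed mid-update: a stale LOCK_DIR makes later runs fail after the retry window instead of hanging, which is deliberate, and an operator then removes it by hand. Bounded retries matter here because active response runs from the OSSEC daemon, where an indefinitely blocked script would quietly stop all further blocking.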




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.