[Ossec-list] Active response: Hosts left in hosts.deny?
- Subject: [Ossec-list] Active response: Hosts left in hosts.deny?
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Mon, 10 Apr 2006 17:10:41 -0300
Hi Kayvan,
Just complementing Ahmet's response to the first e-mail. On the
active-response, every command is executed with two arguments,
the username and the ip address. Because you probably didn't
have any username associated with that log, it was set to null.
No worries there.
Regarding the host-deny, you are right. We may have some race
conditions in there. I will add some file locks in there to make sure
we don't have this problem anymore.
Thanks,
Daniel
On 4/10/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> Hi Ahmet!
>
> I think the problem is that there are multiple invocations happening
> quickly (possibly very very close to each other) and I think we may
> be seeing a race condition.
>
> Here is a case in point. My hosts.deny contains 66.94.237.142 even
> though the ossec-hids-responses.log shows that this IP was
> added and deleted.
>
> Here are the relevant file times in /tmp (after having made your
> suggested modification)
>
> -rw-r--r-- 1 root ossec 365 Apr 10 13:00 hosts.deny.31641
> -rw-r--r-- 1 root ossec 366 Apr 10 13:03 hosts.deny.31822
> -rw-r--r-- 1 root ossec 400 Apr 10 13:13 hosts.deny.32646
> -rw-r--r-- 1 root ossec 402 Apr 10 13:22 hosts.deny.529
> -rw-r--r-- 1 root ossec 401 Apr 10 13:22 hosts.deny.533
> -rw-r--r-- 1 root ossec 401 Apr 10 13:22 hosts.deny.536
> -rw-r--r-- 1 root ossec 382 Apr 10 13:25 hosts.deny.677
>
> As you can see, there are multiple hosts.deny files with the same
> timestamp. It's easy to imagine how this could foul things up.
>
> I think a semaphore/file-locking test with some delays to try again
> would fix this problem.
>
> ---Kayvan
>
> On Sun, Apr 09, 2006 at 09:38:10PM +0300, Ahmet Ozturk wrote:
> > Can you edit "/var/ossec/active-response/bin/host-deny.sh" and change
> > the line 30:
> > mv /tmp/hosts.deny.$$ /etc/hosts.deny
> > as
> > cp /tmp/hosts.deny.$$ /etc/hosts.deny
> >
> > Then the temporary file created in /tmp directory (named
> > hosts.deny.pid) will not be moved. The content of this file may help
> > us.
>
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
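The race the thread describes (two invocations each read the old hosts.deny, each write their own /tmp/hosts.deny.$$, and the later mv discards the earlier change) and the lock-with-retries fix both Kayvan and Daniel mention, as an added example; this is not the OSSEC host-deny.sh script, and the lock directory name, retry count and "ALL: <ip>" line format are assumptions.

```shell
#!/bin/sh
# Added example, not OSSEC's host-deny.sh: serialize concurrent updates of a
# hosts.deny-style file with a lock directory plus retries. Without the lock,
# two active-response invocations read the same old content and the second
# mv silently overwrites the first one's add or delete.
# Lock name, retry count and the "ALL: <ip>" line format are assumptions.

# acquire_lock LOCKDIR: mkdir is atomic, so only one caller can create it.
acquire_lock() {
    n=0
    until mkdir "$1" 2>/dev/null; do
        n=$((n + 1))
        [ "$n" -lt 20 ] || return 1      # give up instead of hanging forever
        sleep 1                          # back off, then try again
    done
}

release_lock() { rmdir "$1"; }

# is_denied FILE IP: succeeds if FILE already lists the address.
is_denied() { grep -qxF "ALL: $2" "$1" 2>/dev/null; }

# deny_update FILE add|delete IP: rewrite FILE while holding the lock, then
# rename the temporary copy into place so readers never see a partial file.
deny_update() {
    file=$1; action=$2; ip=$3
    lock="$file.lock"; tmp="$file.$$"
    acquire_lock "$lock" || return 1
    if [ "$action" = add ]; then
        cat "$file" > "$tmp" 2>/dev/null || :        # missing file: start empty
        is_denied "$file" "$ip" || echo "ALL: $ip" >> "$tmp"
    else
        grep -vxF "ALL: $ip" "$file" > "$tmp" 2>/dev/null || :
    fi
    mv "$tmp" "$file"          # atomic rename, still under the lock
    release_lock "$lock"
}
```

Point it at a scratch copy first, e.g. `deny_update /tmp/hosts.deny.test add 66.94.237.142`, and check that `$file.lock` is gone afterwards; a stale lock directory left by a killed invocation makes every later call wait out the retries and fail.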
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.