[ossec-list] Re: Active response - firewall
On Tuesday August 08 2006 5:17 pm, Lars Scheithauer wrote:
> Eya, Dimitri!
>
> This eMail from the list should give you the idea on how to do it.
>
> Regards,
> Lars
>
>
> Hi Kayvan,
>
> In order to make active-response work on agents, you should
> configure the
> "server" with active-response I think.
> Then you may specify the active-response location (i.e., local,
> analysis-server,
> defined-agent or all)
>
> I'm adding related parts of my configuration file to give idea:
>
> /var/ossec/etc/ossec.conf on server:
> ----
> <command>
> <name>host-deny</name>
> <executable>host-deny.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
> <name>disable-account</name>
> <executable>disable-account.sh</executable>
> <expect>user</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
>
> <!-- Active Response Config -->
> <active-response>
> <!-- This response is going to execute the host-deny
> - command for every event that fires a rule with
> - level (severity) >= 6.
> - The IP is going to be blocked for 600 seconds.
> -->
> <command>host-deny</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
> ----
>
> I have no configuration for active-response on agent,
> however, I answered "Yes" to the active-response questions on
> both server and agent installation.
>
> You can find detailed information about active-response
> configuration at http://www.ossec.net/en/manual.html -> 7.1.2
> Responses Configuration.
>
> Best Regards,
>
> Ahmet Ozturk.
>
> Kayvan A. Sylvan wrote:
> > I have one outward-facing host, let's call it ssh-host, with an
> > ssh port accessible to the WAN.
> >
> > I have another host inside my firewall, called engserver.
> >
> > I installed OSSEC on engserver as a "server" install, but
> > without active response.
> >
> > I installed the "client" install on ssh-host, answering "Yes" to
> > the active response questions. ssh-host is an OSSEC agent of
> > engserver and I see email alerts, so I know things are working
> > correctly.
> >
> > However, looking at /var/ossec/active-response/ on ssh-host, it
> > seems that
> > the active response stuff is not activated. I *know* this host
> > gets a lot of scans and brute force attempts to login.
> >
> > Does anyone know what's going on? The /var/ossec/etc/ossec.conf
> > on ssh-host seems very minimal and does not mention any of the
> > stuff for host-deny or firewall-deny.
> >
> > Thanks!
> > ---Kayvan
>
> Am 08.08.2006 um 22:52 schrieb Dimitri Yioulos:
> > Hello to all.
> >
> > First, congratulations to the development team on an excellent
> > piece of software (recognized by SANS, no less)! It was easy to
> > install, and tweaking to one's own specifications is
> > straightforward. I very much look forward to future releases.
> >
> > Apologies if this is completely lame, but one tweak that I'd like
> > some help on is firewalling. I have installed ossec-hids on a
> > separate server, and added the agent piece to other servers which
> > mainly sit in a DMZ. I have iptables/router on yet another box
> > that has been serving my organization admirably (I'd also like
> > to monitor this box with ossec-hids).
> >
> > What I'd like to do is use the iptables/router box to be the
> > recipient of ip addresses added to the deny list, rather than the
> > ossec-hids server. I'm thinking that this should be possible,
> > but don't know how to do it. Can someone help?
> >
> > Many thanks, and best wishes.
> >
> > Dimitri
> >
> > --
Lars,
Thanks for your response. I'm bottom-posting here as I don't know the
etiquette of the list.
So, in the following directive, I should use "defined-agent" (the
agent_id of the iptables/router box, of course) as the location!
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>defined-agent</location>
<agent_id>ROUTER_AGENT_ID</agent_id> <!-- placeholder: the agent id of the iptables/router box -->
<level>6</level>
<timeout>600</timeout>
</active-response>
Ok, clear enough. I guess I didn't grasp a simple concept.
Are there any firewall rules I need to add to the iptables/router box
in order for this to work?
Dimitri
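The `<command>` blocks in Ahmet's quoted configuration hand the matched source address (`<expect>srcip</expect>`) to a script on whichever host `<location>` names, and `<timeout>` makes OSSEC call the same script again later to undo the block. As an added example (my own, not OSSEC's shipped firewall-drop.sh), the following is a minimal response script of that kind for the iptables/router box. It assumes the classic OSSEC argument convention (action, user, srcip) and the stock log path /var/ossec/logs/active-responses.log; it validates the address before building an iptables command, because that value is copied out of whatever log line fired the rule.

```shell
#!/bin/sh
# Added example, not OSSEC's shipped firewall-drop.sh. It follows the
# classic OSSEC active-response script convention (assumed here):
#   $1 = action ("add" when the rule fires, "delete" when <timeout> expires)
#   $2 = user   (filled when <expect> is "user"; unused for srcip responses)
#   $3 = srcip  (filled when <expect> is "srcip", as in the configs above)
# Because srcip is copied out of the log line that matched the rule, the
# script validates it before it is placed on an iptables command line.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octets
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip                                  # split into octets (function-local $@)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1         # keep huge digit strings away from -le
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# firewall_rule ACTION CHAIN ADDR: print the iptables command for one chain,
# or fail without printing anything if any input is unacceptable.
firewall_rule() {
    action=$1; chain=$2; addr=$3
    valid_ipv4 "$addr" || return 1
    case "$chain" in INPUT|FORWARD) ;; *) return 1 ;; esac
    case "$action" in
        add)    echo "iptables -I $chain -s $addr -j DROP" ;;
        delete) echo "iptables -D $chain -s $addr -j DROP" ;;
        *)      return 1 ;;
    esac
}

# main ACTION USER SRCIP: what OSSEC invokes on the responding agent.
main() {
    action=$1; srcip=$3
    log=/var/ossec/logs/active-responses.log     # path assumed, as in stock OSSEC
    if ! valid_ipv4 "$srcip"; then
        echo "$(date) $0: refusing to act on srcip '$srcip'" >> "$log" 2>/dev/null
        return 1
    fi
    # INPUT only protects the router itself; traffic it forwards on to the
    # DMZ hosts passes through FORWARD, so a router must block in both chains.
    for chain in INPUT FORWARD; do
        cmd=$(firewall_rule "$action" "$chain" "$srcip") || return 1
        echo "$(date) $0 $action $srcip: $cmd" >> "$log" 2>/dev/null
        $cmd                                     # needs root; fails harmlessly otherwise
    done
}

# Run only when invoked with the three arguments OSSEC passes.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

With `<timeout>600</timeout>` OSSEC runs the script with `add` when the level-6 rule fires and again with `delete` 600 seconds later, so the `delete` branch must produce exactly the rule the `add` branch inserted. The FORWARD chain is the part that matters for Dimitri's layout: an address dropped only in INPUT would still be forwarded through the router to the DMZ servers behind it.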
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.