I have one outward-facing host, let's call it ssh-host, with an ssh port accessible to the WAN. I have another host inside my firewall, called engserver. I installed OSSEC on engserver as a "server" install, but without active response. I installed the "client" install on ssh-host, answering "Yes" to the active response questions.

ssh-host is an OSSEC agent of engserver and I see email alerts, so I know things are working correctly. However, looking at /var/ossec/active-response/ on ssh-host, it seems that the active response stuff is not activated. I *know* this host gets a lot of scans and brute force attempts to log in.

Does anyone know what's going on? The /var/ossec/etc/ossec.conf on ssh-host seems very minimal and does not mention any of the stuff for host-deny or firewall-deny.

Thanks!

---Kayvan

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
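Added example, not part of Kayvan's message: in OSSEC the active-response commands and triggers live in the manager's ossec.conf (engserver in this setup), not in the agent's. The agent only needs the scripts shipped in /var/ossec/active-response/bin/ (host-deny.sh, firewall-drop.sh and friends) and runs them when the manager instructs it to, so a minimal ossec.conf on ssh-host is expected. A manager installed with active response turned off carries a stanza that disables it for every agent. The fragments below are constructed: the first is that disabling stanza, the second an enabled configuration that blocks the source address on the agent that produced the alert. The level 6 threshold and the 600-second timeout are assumed values, not taken from the post.

```xml
<!-- Constructed example; belongs in the MANAGER's /var/ossec/etc/ossec.conf
     (engserver), not on the agent. -->

<!-- 1. What a manager installed without active response carries:
        this one stanza disables active response for all agents. -->
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>

<!-- 2. Enabled form: drop the stanza above, declare the commands and
        the triggers. The scripts named here ship with every install
        in /var/ossec/active-response/bin/. -->
<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- "local" runs the command on the host that generated the event,
       i.e. on ssh-host when it reports the brute-force alert.
       Level 6 and the 600 s timeout are assumed values; narrow the
       trigger with <rules_id> if you only want specific rules to react. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, restart the manager with /var/ossec/bin/ossec-control restart. Executions on the agent are recorded in /var/ossec/logs/active-responses.log on ssh-host, which is the place to confirm that blocks are actually being applied and later released when the timeout expires.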