Can't SSH into sensor


Terry Bradley

Mar 16, 2017, 10:43:39 AM
to security-onion
Within the last two weeks something happened to one of my sensors and I can no longer SSH into it. I've checked the UFW configuration and my IP address is on the "allow in" list, but whenever I try to SSH in, I get "Network is unreachable" on the SSH client and I see a corresponding "Connection blocked by Tcp Wrappers" alert in Squert. I don't think it's a router (at the network level) issue since my SSH connections are causing Squert alerts.

Kevin Branch

Mar 16, 2017, 1:24:45 PM
to securit...@googlegroups.com
You might have a look for your IP in /var/ossec/logs/active-responses.log on the sensor.  Maybe active response is blocking you.

Kevin

On Thu, Mar 16, 2017 at 10:43 AM, Terry Bradley <terry....@gmail.com> wrote:
> Within the last two weeks something happened to one of my sensors and I can no longer SSH into it. I've checked the UFW configuration and my IP address is on the "allow in" list, but whenever I try to SSH in, I get "Network is unreachable" on the SSH client and I see a corresponding "Connection blocked by Tcp Wrappers" alert in Squert. I don't think it's a router (at the network level) issue since my SSH connections are causing Squert alerts.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Terry Bradley

Mar 16, 2017, 1:32:03 PM
to security-onion
Kevin,

You're spot on! I see my attempts to SSH in in the active-responses.log file. So, how do I make it stop doing that? I would like to be able to SSH in.

-Terry

Wes

Mar 16, 2017, 2:29:24 PM
to security-onion
Terry,

You could either wait for the timeout, or try something like the following:

Ex.
/var/ossec/active-response/bin/host-deny.sh delete - <IP> <Timestamp> <Rule #>
/var/ossec/active-response/bin/firewall-drop.sh delete - <IP> <Timestamp> <Rule #>

You can find this information in /var/ossec/logs/active-responses.log.

Thanks,
Wes
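An added example (not from Wes or the Security Onion project) that turns the "add" entries OSSEC active response logged for one IP into the matching "delete" commands Wes lists above. It assumes the log lines have the shape Josh pastes later in this thread (date, script path, action, "-", IP, timestamp, rule number); the sample lines and addresses are constructed, and running the commands is opt-in via APPLY=1.

```shell
#!/bin/sh
# Constructed sample of /var/ossec/logs/active-responses.log (made-up
# addresses and timestamps, not real indicators). Note that 192.0.2.10 has
# already had its host-deny entry deleted but not its firewall-drop entry.
SAMPLE_LOG='Wed May  9 15:00:15 UTC 2018 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1525878015.322652 5720
Wed May  9 15:00:15 UTC 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1525878015.322652 5720
Wed May  9 15:05:02 UTC 2018 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.55 1525878302.114900 5712
Wed May  9 15:30:15 UTC 2018 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.10 1525878015.322652 5720'

# undo_commands <ip>  (log contents on stdin)
# Prints "<script> delete - <ip> <timestamp> <rule>" for every "add" entry
# of that IP that has no later "delete" entry. Fields are read from the end
# of the line, so the width of the leading date does not matter.
undo_commands() {
    ip="$1"
    awk -v ip="$ip" '
        # trailing fields: script action "-" ip timestamp rule
        NF >= 6 && $(NF-2) == ip && $(NF-3) == "-" {
            script = $(NF-5); action = $(NF-4)
            key = script " " $(NF-1) " " $NF
            if (action == "add")    pending[key] = 1
            if (action == "delete") delete pending[key]
        }
        END {
            for (k in pending) {
                split(k, f, " ")
                print f[1] " delete - " ip " " f[2] " " f[3]
            }
        }' | sort
}

# release_ip <ip> [logfile]: dry run by default; set APPLY=1 to execute the
# delete scripts (must be run as root on the sensor, hypothetical wrapper).
release_ip() {
    ip="$1"; log="${2:-/var/ossec/logs/active-responses.log}"
    undo_commands "$ip" < "$log" | while read -r cmd; do
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; fi
    done
}

printf '%s\n' "$SAMPLE_LOG" | undo_commands 192.0.2.10
```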

Terry Bradley

Mar 16, 2017, 10:13:27 PM
to security-onion
That did the trick--thank you!

I am not clear, though, on why it dropped me in the first place...perhaps I had too many failed login attempts? (I haven't changed the default rules)

-Terry

Kevin Branch

Mar 17, 2017, 9:30:00 AM
to securit...@googlegroups.com
Terry,

I have had this happen to me from time to time.  Grep for your locked-out IP address in /var/ossec/logs/alerts/alert.log to see what high-severity rule you tripped.  Also consider using the <whitelist> option in ossec.conf to ensure your personal workstation IP never gets locked out again even if it trips a rule like that.

Kevin

tr...@yahoo.com

Jun 12, 2017, 11:37:45 AM
to security-onion
On Thursday, March 16, 2017 at 10:43:39 AM UTC-4, Terry Bradley wrote:
> Within the last two weeks something happened to one of my sensors and I can no longer SSH into it. I've checked the UFW configuration and my IP address is on the "allow in" list, but whenever I try to SSH in, I get "Network is unreachable" on the SSH client and I see a corresponding "Connection blocked by Tcp Wrappers" alert in Squert. I don't think it's a router (at the network level) issue since my SSH connections are causing Squert alerts.

Hi Terry:
I got a similar issue, where I can connect to the SO server with any IP address but mine. I followed your instructions and found my IP address in "/var/ossec/logs/active-responses.log".

I removed my address from this log file. I also added my IP in OSSEC white list.

But I guess I am making some mistake; it's not the log file I should be removing my IP from? Can you please help? Where is this IP address, and how do I remove it from that block list?

Terry Bradley

Jun 12, 2017, 4:41:56 PM
to security-onion

The way I solved my problem (and I recognize this was the caveman approach) was to add a couple cron jobs that reboot the sensor twice daily.

Josh

May 9, 2018, 11:07:25 AM
to security-onion
I'm getting the same thing. When adding a sensor and tailing the active-responses.log file I see this continuously. I've added the sensor IP to the whitelist although I don't know if the syntax was correct.
Wed May 9 15:00:15 UTC 2018 /var/ossec/active-response/bin/host-deny.sh add - 10.x.x.x 1525878015.322652 5720
Wed May 9 15:00:15 UTC 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 10.x.x.x 1525878015.322652 5720

The server is a fresh install of the latest (14.04.5.13) SO ISO (not an addon to a base ubuntu install). The sensor is also a fresh install of the SO ISO.

Josh

Josh

May 10, 2018, 6:19:46 PM
to security-onion
On Thursday, March 16, 2017 at 9:43:39 AM UTC-5, Terry Bradley wrote:
> Within the last two weeks something happened to one of my sensors and I can no longer SSH into it. I've checked the UFW configuration and my IP address is on the "allow in" list, but whenever I try to SSH in, I get "Network is unreachable" on the SSH client and I see a corresponding "Connection blocked by Tcp Wrappers" alert in Squert. I don't think it's a router (at the network level) issue since my SSH connections are causing Squert alerts.

I ended up having to whitelist each of my sensors in the /var/ossec/etc/ossec.conf file even though I had already added them using so-allow. I still don't understand why this would be necessary and haven't seen mention of this in documentation that I've looked at. Here's an example of the syntax for the white_list section of the file.

<!--Sensor addresses added 10 May 2018 by me-->
<global>
<white_list>10.x.x.x</white_list>
</global>
<global>
<white_list>10.x.x.x</white_list>
</global>
<global>
<white_list>10.x.x.x</white_list>
</global>
<global>
<white_list>10.x.x.x</white_list>
</global>
</ossec_config> ## This is the closing tag for the file itself. New whitelist entries go above that.

I tried entering IP addresses in a single, comma-separated entry but that did not work. I did notice, however, that the IP addresses for the analyst consoles that I allowed via so-allow already appeared as whitelist entries in this file but the sensors did not. Maybe there is a bug in the so-allow script? Maybe it is designed that way on purpose?

Josh

Wes Lambert

May 11, 2018, 3:03:38 PM
to securit...@googlegroups.com
Josh,

Please start a new thread instead of replying to an old one.  Have you tried taking a look at the alerts generated by OSSEC to determine why the sensors are getting blocked?  Please include your response in the new thread.

Thanks,
Wes
