How to block, on all WAZUH agents, an IP address already dropped on a single agent


mauro....@cmcc.it

Feb 19, 2018, 11:28:41 AM
to Wazuh mailing list
Dear Users,

Some months ago I completed my first deployment of WAZUH v.2.8 (OSSEC HIDS) on a dedicated server.
Everything works fine: I really appreciate the power of this software.

Now, I would like to enable the active-response feature in order to use the host-deny.sh and firewalld-drop.sh commands against some service virtual machines on our DMZ.
I was able to activate it on a single test target agent: it works.

Anyway, I just noticed that each cyber attack (that is, each "blacklistable" IP) tries to hit the virtual machines on our DMZ following a sort of "round-robin attack".
I would like to know if there is a way (the right way) to block the same offending IP address, detected on a single agent, on all DMZ agents (but not on the manager).
I will try to summarize my needs in the following simple workflow.

Workflow example:

1) IP address "50.2.50.2" attacks the virtual machine named "VM1";
2) WAZUH active-response blocks the "50.2.50.2" IP address using the firewalld-drop.sh script on "VM1";
3) WAZUH (in some way) blocks the same "50.2.50.2" IP address using the firewalld-drop.sh script on the remaining virtual machines ("VM2", "VM3", etc.) in the DMZ;
4) WAZUH sends a notification (via mail) about the blacklisted IP.

Each virtual machine is based on the same linux distribution, so we can use the same script provided by WAZUH basic installation.

Thank you in advance,
Mauro

Jose Luis Ruiz

Feb 19, 2018, 11:32:00 AM
to mauro....@cmcc.it, Wazuh mailing list
Hi Mauro,

When you define an active response you can specify where you want it to be applied:


Default value: n/a
Allowed values:
  local          This runs the command on the agent that generated the event.
  server         This runs the command on the Wazuh manager.
  defined-agent  This runs the command on a specific agent identified by agent_id.
  all            This runs the command on the Wazuh manager and on all agents. Use with caution.
If you choose “all”, the active response will be triggered in all your agents.

I hope it helps.

Regards
————————
José Luis Ruiz.
Wazuh Inc.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/78637e2b-4563-4707-806d-074f3daad1b3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

mauro....@cmcc.it

Feb 19, 2018, 11:43:33 AM
to Wazuh mailing list
Hi Jose,

thank you very much for your fast reaction.
Your suggestion is very interesting, but I would like to run the commands only on the agents, not on the manager.
Is there a way to do it?

Thank you,
Mauro

mauro....@cmcc.it

Feb 19, 2018, 1:10:40 PM
to Wazuh mailing list

Hi All,

I changed my ossec.conf configuration file on the manager node as follows (I pasted here an extract of the file content).
I don't know if it is the right and "professional" solution, but it seems to be working.

Could you please validate the code?
Is there a way to receive a mail notification when the IP is dropped?

Thank you very much,
Mauro


  <!-- COMMANDS  DEFINITION -->

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewalld-drop</name>
    <executable>firewalld-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>iptables-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>ip-ban</name>
    <executable>ip2fw.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- HOST DENY ACTIONS DEFINITION -->

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>005</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>006</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>009</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>defined-agent</location>
    <agent_id>011</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

  <!-- FIREWALL DROP ACTIONS DEFINITION by M. Tridici -->

  <active-response>
    <disabled>no</disabled>
    <command>firewalld-drop</command>
    <location>defined-agent</location>
    <agent_id>011</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>iptables-drop</command>
    <location>defined-agent</location>
    <agent_id>005</agent_id>
    <level>8</level>
    <timeout>600</timeout>
  </active-response>

  <!-- repeated_offenders is read by the execd of the host that runs the script,
       so for responses executed on agents it belongs in each agent's ossec.conf
       (per the OSSEC/Wazuh docs); here on the manager it only affects responses
       with location "server". -->
  <active-response>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>


Jose Luis Ruiz

Feb 19, 2018, 1:35:42 PM
to mauro....@cmcc.it, Wazuh mailing list

Hi Mauro,

It depends. If you have only a few agents, for example 067, 068 and 069, you can create something like the following example:

<active-response>
     <command>firewall-drop</command>
     <location>defined-agent</location>
     <agent_id>067</agent_id>
     <timeout>864000</timeout>
     <rules_id>117154,31510,117159,117162</rules_id>
</active-response>

<active-response>
     <command>firewall-drop</command>
     <location>defined-agent</location>
     <agent_id>068</agent_id>
     <timeout>864000</timeout>
     <rules_id>117154,31510,117159,117162</rules_id>
</active-response>

<active-response>
     <command>firewall-drop</command>
     <location>defined-agent</location>
     <agent_id>069</agent_id>
     <timeout>864000</timeout>
     <rules_id>117154,31510,117159,117162</rules_id>
</active-response>

One section per agent, for example…

How many agents are we talking about, more or less?


Regards
————————
José Luis Ruiz.
Wazuh Inc.
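To make the per-agent approach concrete, here is an added example of a complete manager-side ossec.conf fragment. It is my own illustration, not José's or Mauro's configuration and not taken from the Wazuh documentation. It assumes three DMZ agents: 005 and 006 running iptables and 011 running firewalld, and it assumes that the sshd brute-force rules 5712 and 5720 are the alerts you want to react to; substitute the IDs from `agent_control -l` and the rule IDs you actually see in your alerts. The manager never appears as a location, so it is never touched, and because every block keys on the same rules an IP that trips them on one VM is dropped on all three.

```xml
<ossec_config>

  <!-- Commands. The executable must exist in active-response/bin on the
       agent that runs it, so each agent gets the script for its own firewall. -->
  <command>
    <name>firewall-drop</name>                  <!-- iptables agents -->
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewalld-drop</name>                 <!-- firewalld agents -->
    <executable>firewalld-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- One block per DMZ agent. "defined-agent" runs the script on that agent
       whichever agent produced the alert, so all three blocks fire for the same
       offending srcip. There is no "all agents except the manager" location,
       which is why the blocks are repeated instead of using "all".
       Agent IDs (005, 006, 011) and rule IDs (5712, 5720) are assumed values. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>005</agent_id>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>006</agent_id>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>firewalld-drop</command>           <!-- this agent uses firewalld -->
    <location>defined-agent</location>
    <agent_id>011</agent_id>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

Keying on `rules_id` rather than `level` keeps the response from firing on unrelated level-8 alerts that happen to carry a srcip. After restarting the manager, each block should leave a line in /var/ossec/logs/active-responses.log on its agent when one of the listed rules fires; `agent_control -L` on the manager lists the response names it knows, and `agent_control -b <ip> -f <response-name> -u <agent_id>` lets you fire one by hand against a single agent to confirm the script and firewall on that host behave as expected (check the exact flags with `agent_control -h` on your version).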


mauro....@cmcc.it

Feb 20, 2018, 3:52:52 AM
to Wazuh mailing list
Hi José,

thank you again for your support.
At this moment there are not so many agents (about 10 clients), but the number of agents will increase very soon.

As you can see in my previous message, I created one section per agent because I don't need to block the "black" IP address on the manager too (the manager is at the back, on the private network, not on the DMZ).
It seems to be working, but I don't know if it is the right way to proceed.

I just realized that some agents are based on different Linux distributions, and so I need to customize the use of the firewall (firewalld, iptables and so on).
The host-deny.sh script can be executed in the same way on all the agents, but I can't use the "all" option because the manager would also be involved.

If the implemented solution is correct, I would like to go ahead and implement a notification service in order to send a mail when an IP is blacklisted.
Could you help me, please?

Many thanks,
Mauro



Jose Luis Ruiz

Feb 20, 2018, 8:25:11 AM
to mauro....@cmcc.it, Wazuh mailing list

Hi Mauro,

You can do it with the granular email options.

For example:


<email_alerts>
  <email_to>y...@example.com</email_to>
  <rule_id>515, 516</rule_id>
  <do_not_delay />
</email_alerts>

In this case one email is sent every time rule 515 or 516 is triggered; you can do the same with the rule IDs that you are using to trigger the active response.

You can find more options at the following link:

https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html#granular-email-options



Regards
————————
José Luis Ruiz.
Wazuh Inc.


mauro....@cmcc.it

Feb 20, 2018, 9:31:54 AM
to Wazuh mailing list
Hi José,

I just added the lines you suggested:

  <email_alerts>
    <email_to>mauro....@cmcc.it</email_to>
    <rule_id>601,603</rule_id>
    <do_not_delay />
  </email_alerts>

but no mail has been sent, because of these lines:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>8</email_alert_level>
  </alerts>


I would like to avoid changing the global alert level ("8") but, at the same time, I would like to receive the notification.
Is there a workaround for this?
This is the last question, I promise :-)

Thanks,
Mauro

Dmitriy

Feb 21, 2018, 7:09:17 AM
to Wazuh mailing list
In your example you can change the level of rules 601 and 603.

If you overwrite the rule level to "8" or higher, you'll get the email alert.


mauro....@cmcc.it

Feb 21, 2018, 8:49:35 AM
to Wazuh mailing list

It works! Thank you very much, José and Dmitriy!
I really appreciate your support.

Have a great day.
Mauro

Jose Luis Ruiz

Feb 21, 2018, 10:04:10 AM
to mauro....@cmcc.it, Wazuh mailing list
Hi Dmitriy, thanks for your answer.

Mauro, sorry for my late response; this can be one option to do it.

Regards
————————
José Luis Ruiz.
Wazuh Inc.
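For the notification side, here is an added example of the rule override Dmitriy suggests, written as a local_rules.xml fragment. It is my own illustration, not a file from the thread or from the Wazuh project. The stock "Host Blocked" rules 601 (firewall-drop.sh) and 603 (host-deny.sh) have a level below 8, so with email_alert_level left at 8 the granular <email_alerts> block Mauro posted never sends mail; raising those two rules to level 8 in a local override makes that block fire while leaving the global threshold untouched. The conditions shown (if_sid 600 plus the action and status fields) are assumed to match the stock definitions; since overwrite="yes" replaces the whole rule, copy the conditions from rules 601 and 603 in your own ossec_rules.xml if they differ.

```xml
<!-- local_rules.xml (under /var/ossec/etc/rules/ on Wazuh 3.x, /var/ossec/rules/
     on OSSEC 2.8). Overrides raise the two "Host Blocked" rules to the global
     email_alert_level of 8, so the granular <email_alerts> block with
     <rule_id>601,603</rule_id> sends mail without lowering the global level.
     overwrite="yes" replaces the stock rule entirely, which is why the match
     conditions are repeated here; they are assumed to equal the stock ones. -->
<group name="local,active_response,">

  <!-- firewall-drop.sh logged an "add" into active-responses.log -->
  <rule id="601" level="8" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
  </rule>

  <!-- host-deny.sh logged an "add" into active-responses.log -->
  <rule id="603" level="8" overwrite="yes">
    <if_sid>600</if_sid>
    <action>host-deny.sh</action>
    <status>add</status>
    <description>Host Blocked by host-deny.sh Active Response</description>
  </rule>

</group>
```

The corresponding unblock rules that fire when the timeout expires are deliberately left at their stock level, so you receive one mail per block rather than one per block and one per release. Restart the manager after editing, then feed a line copied from an agent's active-responses.log to ossec-logtest to confirm that it now decodes to rule 601 or 603 at level 8 before relying on the mail.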
