OSSEC flushed all the iptables rules


Zeal Vora

Jun 14, 2016, 8:40:26 AM
to ossec-list
Hi

We installed OSSEC in our production machines yesterday and today we saw that all the iptables rules in all the machines were flushed. Something similar to iptables -F

Any idea what can cause this? I am aware that OSSEC active-response can add or remove entries from iptables but never knew about it flushing entire iptables rules.

Any help will be appreciated!


dan (ddp)

Jun 14, 2016, 8:54:52 AM
to ossec...@googlegroups.com
Which version of OSSEC? Is active response enabled?


Zeal Vora

Jun 14, 2016, 9:01:13 AM
to ossec-list
I'm using the latest version of OSSEC (2.8) and yes, active response is enabled.

So currently OSSEC clients are actively blocking attacks but due to some reason they have also flushed all the iptables rules from memory (like iptables -F).

dan (ddp)

Jun 14, 2016, 9:09:55 AM
to ossec...@googlegroups.com
On Tue, Jun 14, 2016 at 9:01 AM, Zeal Vora <sunze...@gmail.com> wrote:
> I'm using the latest version of OSSEC ( 2.8 ) and yes active response is
> enabled.
>

The latest version is 2.8.3.

> So currently OSSEC clients are actively blocking attacks but due to some
> reason they have also flushed all the iptables rules from memory ( like
> iptables -F )
>

Are there any entries in the activeresponse log file that might shed a clue?

Zeal Vora

Jun 14, 2016, 9:13:51 AM
to ossec-list
Yes. In the active-response log I do see various entries of adding IPs to host-deny.sh:

/var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X 1465234313.25970854 5720.

However I am not sure on what caused OSSEC to flush all the iptables rules. We installed it yesterday and in all the machines it flushed the iptables rules.

dan (ddp)

Jun 14, 2016, 9:43:01 AM
to ossec...@googlegroups.com
On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora <sunze...@gmail.com> wrote:
> Yes. In the active-response I do see various entries of adding IP's to
> host-deny.sh
>
> /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X
> 1465234313.25970854 5720.
>
> However I am not sure on what caused OSSEC to flush all the iptables rules.
> We installed it yesterday and in all the machines it flushed the iptables
> rules.
>

Did it flush during installation, or after at some point? I've just
installed from the master repo and it didn't flush the firewall rules.
I don't have any active responses setup on these machines though.

dan (ddp)

Jun 14, 2016, 9:44:28 AM
to ossec...@googlegroups.com
On Tue, Jun 14, 2016 at 9:42 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Jun 14, 2016 at 9:13 AM, Zeal Vora <sunze...@gmail.com> wrote:
>> Yes. In the active-response I do see various entries of adding IP's to
>> host-deny.sh
>>
>> /var/ossec/active-response/bin/host-deny.sh delete - X.X.X.X
>> 1465234313.25970854 5720.
>>

Also, host-deny.sh only deals with the hosts.deny file, so that entry
should be unrelated.
The script that deals with the firewall is firewall-drop.sh, I believe.

Zeal Vora

Jun 14, 2016, 9:53:02 AM
to ossec-list
Indeed. I went through the machine logs and there are 2 entries (many of them, with different IPs):

/var/ossec/active-response/bin/firewall-drop.sh add - X.X.X.X 1465898743.25694869 5706
/var/ossec/active-response/bin/host-deny.sh delete X.X.X.X *

Is there any way to figure out what exactly happened? I checked the active-responses.log on that client but cannot find any relevant entries.

dan (ddp)

Jun 14, 2016, 10:00:37 AM
to ossec...@googlegroups.com
On Tue, Jun 14, 2016 at 9:53 AM, Zeal Vora <sunze...@gmail.com> wrote:
> Indeed. I went through the machine logs and there are 2 entries ( many of
> them with different IP ):-
>
> /var/ossec/active-response/bin/firewall-drop.sh add - X.X.X.X
> 1465898743.25694869 5706
> /var/ossec/active-response/bin/host-deny.sh delete X.X.X.X *
>
> Is there any way to figure out on what exactly happened ? I checked the
> active-responses.log in that client but cannot find any relevant entries.
>

Go through the installation on a new agent, verify the iptables
ruleset at various steps.
I didn't see anything in the installation scripts, but I'm not using
2.8 either (although I see even fewer references to the binary in
2.8.2 sources).

Antonio Querubin

Jun 14, 2016, 12:00:41 PM
to ossec-list
Normally, if an ossec client is stopped, it will remove all active
response entries added to the firewall rules and /etc/hosts.deny from the
time ossec was started before exiting. Is this what you're seeing or are
the entire iptables rules completely gone?

Antonio Querubin
e-mail: to...@lavanauts.org
xmpp: antonio...@gmail.com

Doug Burks

Jun 14, 2016, 2:44:20 PM
to ossec...@googlegroups.com
Perhaps related to the Active Response bug mentioned in the comments here?

https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135
Doug Burks

Antonio Querubin

Jun 14, 2016, 8:00:44 PM
to ossec...@googlegroups.com
On Tue, 14 Jun 2016, Doug Burks wrote:

> Perhaps related to the Active Response bug mentioned in the comments here?
>
> https://web.archive.org/web/20150803131317/http://www.ossec.net/?p=1135

No that's a bug in the host-deny.sh script. It has nothing to do with
iptables.

Zeal Vora

Jun 15, 2016, 3:44:59 AM
to ossec-list
We had deployed the OSSEC client across all our servers in the evening, and the next morning we found that all iptables rules were flushed. It was around 50+ machines. The OSSEC client was running. We then had to stop the OSSEC client for investigation and load the iptables rules again.

Ryan Schulze

Jun 15, 2016, 11:35:11 AM
to ossec...@googlegroups.com

Are you sure it was OSSEC? I just had a look at https://github.com/ossec/ossec-hids/blob/master/active-response/firewall-drop.sh. The only iptables commands it does are the following four, and I can't see how they would flush an entire table/chain.

iptables -I INPUT -s ${IP} -j DROP
iptables -I FORWARD -s ${IP} -j DROP
iptables -D INPUT -s ${IP} -j DROP
iptables -D FORWARD -s ${IP} -j DROP

Do you have any other scripts running to manage your iptables that may conflict with the ossec active response script?
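
As an added example (not code from the thread or from the OSSEC project), the script below answers the "how do I figure out what happened" question from earlier in the thread using the two facts established here: firewall-drop.sh only ever inserts or deletes a single `-s IP -j DROP` rule in INPUT and FORWARD, and every invocation is logged in active-responses.log. It replays the add/delete entries to derive the set of IPs OSSEC should currently be blocking, then compares that with an `iptables -S INPUT` listing and counts the rules that are neither the chain policy nor an OSSEC DROP entry; if that count is zero on a host that had a baseline policy, something other than the active response script emptied the chain. It assumes the log field layout shown above (script, action, user, IP, alert id, rule id), optionally prefixed by a timestamp; both inputs are constructed samples.

```shell
#!/bin/sh
# Added example, not OSSEC code. Assumed log layout per line (after an optional
# timestamp): /path/firewall-drop.sh <add|delete> <user> <ip> <alert-id> <rule-id>

# Constructed sample of active-responses.log lines.
AR_LOG='Tue Jun 14 08:10:11 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.10 1465898743.25694869 5706
Tue Jun 14 08:12:40 UTC 2016 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.10 1465898743.25694869 5706
Tue Jun 14 08:15:00 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1465899000.25700001 5720
Tue Jun 14 08:20:11 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.10 1465898743.25694869 5706'

# Constructed `iptables -S INPUT` listing: the OSSEC entry survives but the
# site's own baseline rules are gone, the symptom described in the thread.
IPT_INPUT='-P INPUT ACCEPT
-A INPUT -s 198.51.100.7/32 -j DROP'

# Net set of IPs firewall-drop.sh should be blocking: replay add/delete in order.
expected_blocked() {
    printf '%s\n' "$1" | awk '
        /firewall-drop\.sh/ {
            for (i = 1; i <= NF; i++) if ($i ~ /firewall-drop\.sh$/) break
            action = $(i + 1); ip = $(i + 3)   # after the script: action, user, ip
            if (action == "add") blocked[ip] = 1
            else if (action == "delete") delete blocked[ip]
        }
        END { for (ip in blocked) print ip }' | sort
}

# IPs blocked by rules of the exact form firewall-drop.sh inserts into INPUT.
live_ossec_blocked() {
    printf '%s\n' "$1" | sed -n 's|^-A INPUT -s \([0-9.]*\)/32 -j DROP$|\1|p' | sort
}

# Rules that are neither the chain policy nor an OSSEC DROP entry. Zero on a
# host that had a baseline policy means something other than OSSEC emptied it.
baseline_rule_count() {
    printf '%s\n' "$1" | awk '!/^-P / && !/^-A INPUT -s [0-9.]*\/32 -j DROP$/ { n++ } END { print n + 0 }'
}

# flushed: baseline gone; drift: OSSEC entries disagree with the log; else consistent.
verdict() {
    exp=$(expected_blocked "$1"); live=$(live_ossec_blocked "$2")
    if [ "$(baseline_rule_count "$2")" -eq 0 ]; then echo flushed
    elif [ "$exp" != "$live" ]; then echo drift
    else echo consistent; fi
}

echo "expected OSSEC blocks: $(expected_blocked "$AR_LOG" | tr '\n' ' ')"
echo "live OSSEC blocks:     $(live_ossec_blocked "$IPT_INPUT" | tr '\n' ' ')"
echo "verdict: $(verdict "$AR_LOG" "$IPT_INPUT")"
```

On a real host, feed it the agent's /var/ossec/logs/active-responses.log and the output of `iptables -S INPUT` taken at the time of the incident; a verdict of "flushed" with a non-empty expected set points away from firewall-drop.sh and toward whatever else manages the ruleset.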
