ACTIVE-RESPONSE NOT WORKING

[conm...@gmail.com]

Hi everybody

I have seen an article about configuring active-response to block SSH bruteforce on https://wazuh.com/blog/blocking-attacks-active-response/

I have configured the direction and added some ssh related rules hoping that it will prevent the attack, but it doesn't work.

I configured the following in ossec.conf:

<command>

    <name> firewall-drop </name>

    <executable> firewall-drop.sh </executable>

    <expect> srcip </expect>

    <timeout_allowed> yes </timeout_allowed>

</command>

<active-response>

    <command> firewall-drop </command>

    <location> local </location>

    <rules_id> 5712,5716,5720 </rules_id>

    <timeout> 1800 </timeout>

</active-response>

I still find the password to login after bruteforce, I use the following command to attack:

hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh

Is there any way the active-response can prevent this

thanks everyone

[Daniel Folch]

Hello,

First, let us start with the active response configuration of the manager and agent, the configuration you shared should be used on the manager side, and for the agent you just need to set it like this:

  <active-response>
    <disabled>no</disabled>
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

As a side note, the rule 5720 is triggered when the rule 5716 activates 8 times in a short period of time, so having both of them in the active response is not necessary.

Hydra tests the passwords in the list sequentially and it is really fast so if your list only contains few passwords it may be possible for hydra to test the correct password from the list before active response can shut down the connection form the IP, this should not happen in a real brute force attack as the list of passwords would be long enough for active response to act in time. A possibility to minimize this phenomenom would be to reduce the number of attempts needed before shutting down.

Just to verify could you share the length of the list you are using for this test, and if possible could you try running Hydra like this to verify that active response is working as intended:

hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh

This will try to test all combinations of lowercase characters, uppercase characters, and numbers with a length between 1 and 5, so it should not be able to find your password before active response triggers.

Regards,
Daniel Folch

[John Gomez]

Is there any deep dive on active response or a collection of use cases as to how people are using it?

Just seems to be such a cool capability of OSSEC that is under utilized.

Sent from my T-Mobile 4G LTE Device

-------- Original message --------

From: Daniel Folch <daniel...@wazuh.com>

Date: 9/23/20 7:21 AM (GMT-05:00)

To: ossec-list <ossec...@googlegroups.com>

Subject: [EXTERNAL MSG:][ossec-list] Re: ACTIVE-RESPONSE NOT WORKING

WARNING: This email originated from outside of Sensato. Do not click links or open attachments unless you verify by phone with the sender.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/fc270a22-8c00-4094-a5b5-fed439442598o%40googlegroups.com.

[Daniel Folch]

Hello John,

Our documentation has a comprehensive guide about the capabilities of active response and how to configure it,

https://documentation.wazuh.com/3.13/user-manual/capabilities/active-response/index.html

Also, we periodically release blog posts about different topics, some of them may be of your interest, for example in this one we explain how to integrate Wazuh with Yara using active response:

https://wazuh.com/blog/how-to-integrate-yara-with-wazuh/

If you have any more questions about active-response or find any problem configuring it do not hesitate to contact us.

Regards,
Daniel Folch

To unsubscribe from this group and stop receiving emails from it, send an email to ossec...@googlegroups.com.

[lê danh]

oh i did it and it works great, it can block me before i get my password, thank you so much

Vào Th 4, 23 thg 9, 2020 vào lúc 18:21 Daniel Folch <daniel...@wazuh.com> đã viết:

--

---
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/cy2mP6V_zl0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.

[Natassia S]

I don't know about stopping it completely but you can slow it substantially by using progressively larger penalty times for repeat offenders.

Natassia

You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAO7JTbF%2B3Ds6MoAp4SVr9woseQ1f%2Bj1RB7OgY3Dw%3DGvfwbp5Sw%40mail.gmail.com.

--

Software updates are like hand-washing for computers.  So simple that it doesn't seem like it could make much of a difference, but it does.