Questions on Repeat Offenders & OSSEC in general


Ossec User

May 22, 2014, 3:52:15 PM5/22/14
to ossec...@googlegroups.com
Hello,

I have been getting an ongoing attack from a set range of IPs on my wordpress sites about every 10 minutes. This happens every day, and every time OSSEC just gives these IPs 503 responses for 600 seconds as default. On a side note, I see hardly any sort of blacklisting for this set of IPs by major providers/blacklisters. I would really like to increase the limits and have OSSEC deal with these repeat offenders more severely. Here are options I'm considering or have questions about:

1) Repeat Offenders Response
I heard of the repeat offenders response I can add to OSSEC but so far I haven't been very good at getting it set up. I tried adding rules to OSSEC but both times I had configuration errors result. At one point the error was so bad I had to restore a backup of my server. Simply deleting what I added to these files didn't seem to do the trick.

a) To block repeat offenders, I tried to add this to the active response section of ossec.conf. Without the # symbols of course.
##<active-response>
##<repeated_offenders>30,60,120</repeated_offenders>
##</active-response>

b) And to block access to the readme.html file in Wordpress I tried to add the following to local_rules.xml. I found this at hackertarget.com
<rule id="100040" level="6">
   <if_sid>31100</if_sid>
   <match>readme.html</match>
   <description>WordPress Recon - /readme.html accessed.</description>
</rule>

2) Permanent Blocking
Other than the fact that at some point some other party than the offender might use the IP in question, why is the response of 600 seconds so short? What is the actual concern over permanent or semi-permanent blocks?

3) Increase default response substantially
If permanently blocking isn't a good idea, what if I changed the default 600s response to 10,000s or more..... would it hurt anything? I really don't want to see any responses for a while from this set of IPs. In fact I'd love to send an FU message along with that LOL but I'm sure your response would be that it would put a strain on my server.

4) OTHER QUESTIONS:
I use ManageWP to manage my wordpress sites. Even though I have whitelisted those IPs and my own IP address, OSSEC still sends me error messages about too many POST requests. Some at level 8 or more. Sometimes these types of errors even quote my IP or even my server's own IP address. Is this something I should worry about?

Please forgive my noobness and all my questions about all of this. I have had OSSEC installed for 2 years but only recently discovered that it wasn't set up correctly (I did not have NGINX logs or my wordpress logs added to the files). I have been reading various sections of the OSSEC documentation but a lot of it doesn't make sense to me. I really appreciate any advice you can give. Thank you!

INFO:
I'm using the latest version of OSSEC 2.7.1
On LEMP server/Ubuntu with quite a number of wordpress websites

Joshua Garnett

May 22, 2014, 5:34:01 PM5/22/14
to ossec...@googlegroups.com
1.  The repeat offenders setting works really well for me. Here are my settings for the firewall-drop:

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>  


2.  If they are attacking you from a shared address you could lose viewers. If the percentage is low enough you may not care. That said, for most determined attackers, it'll be easy for them to get another IP address to attack you from.

3. False positives could ruin the experience for regular users.

4. All whitelisting does is prevent an active response from triggering. You'll still be alerted.

--Josh



Ossec User

May 22, 2014, 5:57:54 PM5/22/14
to ossec...@googlegroups.com
Ok, thank you for helping me to understand more of this. Just one question: where exactly is it safe to put the repeat offenders code? Which file? local_rules.xml? Last time I played with local_rules and ossec.conf I got configuration errors that I couldn't recover from.

Joshua Garnett

May 22, 2014, 7:53:01 PM5/22/14
to ossec...@googlegroups.com
It goes in your ossec.conf file within the root ossec_config tag. I've run into ordering issues with the rules files before; not sure if that happens with ossec.conf also, but to be safe, place it after specifying the command.

<ossec_config>

  <!-- bunch of other stuff -->

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>

  <!-- some more stuff -->

</ossec_config>


If things break, send an e-mail with the error and a copy of your ossec.conf file.


--Josh
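An added sanity check for the configuration shown in this reply (example code written for this page, not part of OSSEC or Josh's setup): it parses the fragment, verifies that the active-response refers to a defined command with timeout_allowed set to yes, and lists the escalating block lengths, assuming <timeout> is in seconds and each <repeated_offenders> entry is in minutes as the OSSEC documentation describes.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the one posted in this thread.
OSSEC_CONF = """
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>900</timeout>
    <repeated_offenders>30,60,720,1440,2880</repeated_offenders>
  </active-response>
</ossec_config>
"""

def parse_conf(text):
    # A real ossec.conf may hold several <ossec_config> roots, so wrap
    # them in one synthetic root before handing the text to the parser.
    return ET.fromstring("<root>" + text + "</root>")

def check_active_responses(text):
    """Return a list of problems; an empty list means the block looks sane."""
    root = parse_conf(text)
    # Only <command> blocks with a <name> child are definitions; the one
    # inside <active-response> is just a reference to a defined command.
    defined = {c.findtext("name"): c for c in root.iter("command")
               if c.find("name") is not None}
    problems = []
    for ar in root.iter("active-response"):
        name = ar.findtext("command")
        cmd = defined.get(name)
        if cmd is None:
            problems.append(f"active-response references undefined command {name!r}")
        elif cmd.findtext("timeout_allowed", "no").strip() != "yes" and (
                ar.find("timeout") is not None or ar.find("repeated_offenders") is not None):
            problems.append(f"command {name!r} needs <timeout_allowed>yes</timeout_allowed>")
    return problems

def ban_schedule(text):
    """Block length in minutes per offense from one IP: <timeout> is in
    seconds, each <repeated_offenders> entry is already in minutes."""
    ar = parse_conf(text).find(".//active-response")
    repeats = ar.findtext("repeated_offenders", "").split(",")
    return [int(ar.findtext("timeout")) // 60] + [int(v) for v in repeats if v.strip()]
```

With the posted values the schedule is 15, 30, 60, 720, 1440 and 2880 minutes for the first through sixth offense from the same address; a command without timeout_allowed=yes is reported as a problem.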

Ossec User

May 22, 2014, 8:51:14 PM5/22/14
to ossec...@googlegroups.com
Ok, will do. Thank you so much!

dan (ddp)

May 23, 2014, 9:16:00 AM5/23/14
to ossec...@googlegroups.com
On Thu, May 22, 2014 at 7:53 PM, Joshua Garnett <josh.g...@gmail.com> wrote:
> It goes in your ossec.conf file within the root ossec_config tag. I've run
> into ordering issues with the rules files before, not sure if that happens
> with ossec.conf also, but to be safe, place it after specifying the command.
>
> <ossec_config>
>
> <!-- bunch of other stuff -->
>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
> <command>firewall-drop</command>
> <location>all</location>
> <level>6</level>
> <timeout>900</timeout>
> <repeated_offenders>30,60,720,1440,2880</repeated_offenders>

I don't use it, so I could be wrong. But I thought the repeat
offenders thing had to go in the agent's ossec.conf.