OSSEC active response replaces hosts.deny and iptables


H.Merijn Brand

Mar 7, 2015, 7:55:52 AM3/7/15
to ossec...@googlegroups.com
Something changed in ossec-hids between version 2.8.0 and 2.8.1 and I
cannot put my finger on it.

I have a rather large list of denied IP ranges, mostly from China.

I use iptables to deny hosts, in a form like

-A INPUT -s 58.218.1.1/11 -j DROP
-A INPUT -s 182.96.1.1/11 -j DROP
-A INPUT -s 222.208.1.1/12 -j DROP
-A INPUT -s 61.174.48.1/13 -j DROP
-A INPUT -s 115.112.1.1/13 -j DROP
-A INPUT -s 61.140.1.1/14 -j DROP

+

-A FORWARD -s 58.218.1.1/11 -j DROP
-A FORWARD -s 182.96.1.1/11 -j DROP
-A FORWARD -s 222.208.1.1/12 -j DROP
-A FORWARD -s 61.174.48.1/13 -j DROP
-A FORWARD -s 115.112.1.1/13 -j DROP
-A FORWARD -s 61.140.1.1/14 -j DROP

plus a lot more

I *also* have the same list in /etc/hosts.deny

and I observe that /etc/hosts.deny is overwritten by ossec with what
ossec blocks at that moment and does not restore the original content,
causing many, many mail reports of "attacks" by IPs that are already in
my block list.

Likewise for iptables.

I *like* OSSEC's active response, and the result of it is used to
detect if I want/need to add ranges to my list.

I used to only update my iptables control file, and I noted that adding
IPs to its deny list did not "stick".

Then I followed OSSEC's active response and found that it
uses /etc/hosts.deny, so I thought to move all blocks from iptables
to /etc/hosts.deny, only to discover that hosts.deny is overwritten
instead of appended to and restored afterwards. So now I have - as a temp
solution - a cron job that does

1,6,11,16,21,26,31,36,41,46,51,56 * * * * grep -q ALL:103.41.124. /etc/hosts.deny || cat /etc/hosts.deny.ok >> /etc/hosts.deny

How do I set up a *permanent* list of IP ranges to be blocked *also* by
ossec?
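The cron one-liner above tests a single sentinel IP and, when it is missing, appends the whole saved list again. The following script is an added example (not from this thread or from OSSEC) that generalises the same idea: it re-merges a permanent block list into the live /etc/hosts.deny line by line, so a partial overwrite is repaired without duplicating entries that survived. File names and the cron path are assumptions.

```sh
#!/bin/sh
# Added example: idempotent re-merge of a permanent hosts.deny block list
# into the live file that OSSEC's active response rewrites.
# Assumed layout (not from the thread):
#   /etc/hosts.deny.ok   permanent list, one "ALL:<ip-or-prefix>" per line
#   /etc/hosts.deny      live file that host-deny.sh adds/removes entries in
# Suggested cron use (assumed path): */5 * * * * /usr/local/sbin/merge-hosts-deny.sh

# ensure_permanent_blocks PERMANENT_FILE LIVE_FILE
# Appends every non-empty, non-comment line of PERMANENT_FILE to LIVE_FILE
# unless LIVE_FILE already contains that exact line. Prints the number of
# lines it had to add (0 when the live file was already complete).
ensure_permanent_blocks() {
    permanent=$1
    live=$2
    added=0
    [ -f "$live" ] || : > "$live"          # create an empty live file if OSSEC removed it
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        # -x: whole-line match, -F: literal (dots in prefixes are not regex wildcards)
        if ! grep -qxF -- "$line" "$live"; then
            printf '%s\n' "$line" >> "$live"
            added=$((added + 1))
        fi
    done < "$permanent"
    echo "$added"
}

# Stand-alone use: merge the assumed default files and log what changed.
if [ "${1:-}" = "--run" ]; then
    n=$(ensure_permanent_blocks /etc/hosts.deny.ok /etc/hosts.deny)
    [ "$n" -gt 0 ] && logger -t merge-hosts-deny "re-added $n permanent hosts.deny entries"
fi
```

Because every line is checked individually, the script also repairs the case the sentinel test misses: the sentinel range is still present but other permanent entries have been lost.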

dan (ddp)

Mar 9, 2015, 11:15:41 AM3/9/15
to ossec...@googlegroups.com
I don't see anything in host-deny.sh that should be replacing the
file. Try running it manually (maybe with /bin/sh -x) to see if you
can spot where the replacement happens.


H.Merijn Brand

Apr 1, 2015, 10:18:55 AM4/1/15
to ossec...@googlegroups.com
On Monday, March 9, 2015 at 16:15:41 UTC+1, dan (ddpbsd) wrote:

> I don't see anything in host-deny.sh that should be replacing the
> file. Try running it manually (maybe with /bin/sh -x) to see if you
> can spot where the replacement happens.

I could do so. What would be the syntax? Just invoke that shell script with an IP, like

# sh -x  /var/ossec/active-response/bin/host-deny.sh 202.120.50.131

?

dan (ddp)

Apr 1, 2015, 10:23:14 AM4/1/15
to ossec...@googlegroups.com
Looking at the script, it seems you need:
host-deny.sh add - 10.10.10.10