Hello,
If your active response has the <timeout> option, the intended behavior when the Wazuh agent is restarted on a given system is to cancel any stateful active responses that have not yet timed out. On Windows systems, if the service is restarted externally (i.e. by a system reboot) while an active response null routing block is in place, this has the undesirable effect of making the block permanent, such that it will not be cleared automatically. In that case it is necessary to clear the orphaned null route with a route delete N.N.N.N command, where N.N.N.N is the null routed IP.
There are two options to restart the agents from the manager:
curl -k -X PUT "https://localhost:55000/agents/restart?agents_list=<AGENT_ID>" -H "Authorization: Bearer $TOKEN"
/var/ossec/bin/agent_control -R -u <AGENT_ID>
or, to restart all of them:
/var/ossec/bin/agent_control -R -a
If you don't have a timeout set in your active response, the action to unblock the IP could be different depending on the active response you are using. For example, if you are using firewall-drop, you will need to run the command that deletes the IP from iptables. You could run it on your agent, or create a custom active response to run it for you from the manager.
Finally, you can add the <white_list> option in the global section of the manager's ossec.conf with IP addresses that should never be blocked by the active response. For example:
<global>
  <white_list>10.0.0.6</white_list>
</global>
--
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d4a268ac-795c-4780-a648-720cc8c7f7c9n%40googlegroups.com.
Hello,
Sorry for the late response, it took some time to find a solution to this. You could run an active response from the manager using the API. To do this you should follow these steps:
1. Create a custom active response that just deletes an IP from iptables. I've done it for Wazuh version 4.2.x; since these versions use binaries, I'll attach the binary.
2. Add the script of the active response to the agent
3. Configure the active response in the manager
4. Get the TOKEN for the API:
TOKEN=$(curl -u <user>:<password> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
5. Execute the active response from the API:
curl -k -X PUT "https://localhost:55000/active-response?agents_list=<AGENT_ID>&wait_for_complete=true" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"command\":\"default-firewall-drop-del0\",\"alert\":{\"data\":{\"srcip\":\"10.0.10.13\"}}}"
AGENT_ID: List of agent IDs (separated by comma); all agents are selected by default if not specified.
I've also tried to use a custom bash script for versions lower than 4.2.x, but it didn't work for me and I opened this issue. A workaround if you have a lower version would be to create a custom wpk package with the same version as your agents and the command you need to run to delete the IP from iptables. Then, you could "upgrade" (it is going to be upgraded to the same version) your agents from the manager, and the upgrade will execute the command. If you have problems with the wpk package don't hesitate to ask again, or send me your agent OS and Wazuh version and I'll do the wpk package for you.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/5b01fef9-c582-405b-8a44-aaa599951fa4n%40googlegroups.com.
<default-firewall-drop-del>
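Putting the two replies together, the following POSIX sh script is an added example (it is not the binary attached in this thread and not Wazuh's own firewall-drop code) of a custom active response that removes a firewall-drop block, which is the step 1 script above and the manual cleanup the first reply describes for an orphaned block. It assumes the Wazuh 4.2+ convention that execd delivers one JSON message on stdin with the address under parameters.alert.data.srcip, that firewall-drop inserted DROP rules for the source address in the INPUT and FORWARD chains, and that the script is installed as default-firewall-drop-del; the sample message and the ar_* function names are constructed for this example. The address is validated before it reaches iptables, so a malformed srcip in an alert can never become extra arguments.

```sh
#!/bin/sh
# Example custom active response "default-firewall-drop-del" (added illustration,
# not the binary attached to the thread). Assumptions: Wazuh 4.2+ execd hands the
# script one JSON message on stdin, and firewall-drop blocked the IP with
#   iptables -I INPUT -s <ip> -j DROP ; iptables -I FORWARD -s <ip> -j DROP
# This script only ever removes those rules, so the "command" field is ignored.
# Set AR_DRY_RUN=1 to print the iptables commands instead of running them.

# Constructed sample of the message execd would deliver (shape assumed, values made up).
AR_SAMPLE_MSG='{"version":1,"origin":{"name":"manager","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"data":{"srcip":"10.0.10.13"}},"program":"/var/ossec/active-response/bin/default-firewall-drop-del"}}'

# Pull the first "srcip" string value out of the JSON on stdin.
ar_parse_srcip() {
  sed -n 's/.*"srcip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Accept only a dotted-quad IPv4 address, so an alert field can never be
# interpreted by iptables (or the shell) as anything other than one address.
ar_valid_ipv4() {
  ip=$1
  case "$ip" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  oldifs=$IFS
  IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# The iptables invocation that removes one firewall-drop rule from a chain.
ar_delete_cmd() {
  printf 'iptables -D %s -s %s -j DROP\n' "$1" "$2"
}

# Remove the block from both chains; loop so duplicated rules (an IP blocked
# several times) are all cleared rather than only the first match.
ar_unblock() {
  ip=$1
  if ! ar_valid_ipv4 "$ip"; then
    echo "default-firewall-drop-del: refusing invalid srcip '$ip'" >&2
    return 2
  fi
  for chain in INPUT FORWARD; do
    if [ "${AR_DRY_RUN:-0}" = "1" ]; then
      ar_delete_cmd "$chain" "$ip"
    else
      while iptables -D "$chain" -s "$ip" -j DROP 2>/dev/null; do :; done
    fi
  done
}

# Dry-run the whole flow on the constructed sample; prints the commands that would run.
ar_demo() {
  printf '%s' "$AR_SAMPLE_MSG" | ar_parse_srcip | {
    read -r ip
    AR_DRY_RUN=1
    ar_unblock "$ip"
  }
}

# Entry point when execd runs the installed script: read the message, unblock, exit.
ar_main() {
  ip=$(ar_parse_srcip)
  if [ -z "$ip" ]; then
    echo "default-firewall-drop-del: no srcip in alert" >&2
    exit 1
  fi
  ar_unblock "$ip"
}

# Only run as a script when installed under the active response name; when the
# file is sourced (for example to exercise the functions) nothing executes.
case "$0" in
  */default-firewall-drop-del|default-firewall-drop-del) ar_main ;;
esac
```

Install it in the agent's /var/ossec/active-response/bin directory, register it as a command in the manager's ossec.conf, and trigger it with the PUT /active-response call shown in step 5; with AR_DRY_RUN=1 it prints the iptables commands instead of running them, which is a convenient way to confirm the parsing before the script touches the firewall. The same validation is worth applying to any script that turns alert fields into shell or iptables arguments.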