Manually Unblock IP that was blacklisted by active-response


Clarence Miranda

Jul 17, 2023, 5:28:30 PM
to Wazuh mailing list
Hello, I was conducting a test while following the Blocking SSH brute-force attack with active response documentation when I suddenly removed the timeout and blocked myself. So I was wondering how I can remove my IP from the blacklist.

Sebastian Dario Bustos

Jul 17, 2023, 8:08:23 PM
to Wazuh mailing list
Hello Clarence,
Thank you for using Wazuh!!!
Have you set up an environment just like the documentation (2 endpoints and the manager)? If so, you may still open an SSH session jumping from the manager to the target's IP. If you can manage to connect, you can use the iptables commands to remove the IP from the block list (like `iptables -D INPUT -s IP-ADDRESS -j DROP`), or `iptables -F` to flush the entire list.
Wazuh doesn't keep a separate list of blocked IPs on the agent; it uses the standard tools like iptables, so you can use, depending on the platform, the local commands to restore access. Just make sure you correct the active response.

You may also remove the active response and restart the manager service to apply the changes, and also restart the agent service from the manager by using the command `/var/ossec/bin/agent_control -R -u ID` (replacing ID with the agent's ID).

Let me know if this is your case.
Regards.

Clarence Miranda

Jul 17, 2023, 11:32:36 PM
to Wazuh mailing list
Hello, I used `iptables -D INPUT -s IP-ADDRESS -j DROP` but I can't access the Wazuh server.

Clarence Miranda

Jul 18, 2023, 8:20:53 AM
to Wazuh mailing list
Can someone help me? I already removed the IP from iptables but it still does not work.

Sebastian Dario Bustos

Jul 19, 2023, 10:18:21 PM
to Wazuh mailing list
Hi Clarence,
You can't access the Dashboard console but can access the server's CLI, correct? Also, do you have an all-in-one installation?

You may attempt to add your IP (in this example 192.168.0.5/24) to firewalld's trusted zone by using this:
firewall-cmd --zone=trusted --add-source=192.168.0.5/24

Then attempt the connection again.
Let me know.
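A check for the situation in this thread, where a single `iptables -D` did not restore access: `iptables -D` deletes only one matching rule per call, so duplicate rules or rules in other chains can remain for the same address. This is an added example, not part of the original posts or Wazuh's own code; the function names and the sample rule set are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every block rule still present
# for one source address, as ready-to-review delete commands.

# Constructed sample of `iptables -S` output; the address is the one used
# as an example in the thread, the rules themselves are made up.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -s 192.168.0.5/32 -j DROP
-A INPUT -s 192.168.0.50/32 -j DROP
-A INPUT -s 192.168.0.5/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.5/32 -j DROP'

# unblock_cmds IP: read `iptables -S` output on stdin and print one
# `iptables -D ...` line per DROP/REJECT rule whose source is exactly IP.
# Exact field comparison keeps 192.168.0.50 from matching 192.168.0.5.
unblock_cmds() {
    awk -v ip="$1" '
        $1 == "-A" {
            src = ""; tgt = ""
            for (i = 2; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            sub(/\/32$/, "", src)            # -S prints single hosts as /32
            if (src == ip && (tgt == "DROP" || tgt == "REJECT")) {
                $1 = "-D"                    # turn the append into a delete
                print "iptables " $0
            }
        }'
}

# count_blocks IP: number of matching rules left (0 means none remain).
count_blocks() {
    unblock_cmds "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a live host, as root:
#   iptables -S | unblock_cmds 192.168.0.5
printf '%s\n' "$SAMPLE_RULES" | unblock_cmds 192.168.0.5
```

The function only prints the commands; run them after checking that each one targets the address you meant.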