Here is my active response config:
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>all</location>
<level>7</level>
<timeout>600</timeout>
<repeated_offenders>30,60,120,1440</repeated_offenders>
</active-response>
I also get this when restarting OSSEC:
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
So all appears well, however, I am seeing the same offender being unblocked after 600 seconds each time.
Thanks for any help offered.
Chris
(I don't know much about repeated_offenders, so just gathering ideas.)
<active-response>
<command>firewall-drop</command>
<location>all</location>
<level>7</level>
<timeout>600</timeout>
</active-response>
<active-response>
<repeated_offenders>30,60,120,1440</repeated_offenders>
</active-response>
Again, I'm not sure and I don't know how easy this will be for me to test.
On Mon, Dec 12, 2011 at 10:08 PM, Chris Warren
<chris....@netelligent.ca> wrote:
I tried adding the repeated_offenders list to its own block as the documentation suggested, but then I do not see:
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
2011/12/12 19:39:15 ossec-execd: INFO: Adding offenders timeout: 1440 (for #4)
I will be doing some more testing as well, and will report back if I find a solution.
Even so, I repeatedly abused a single server and could not get the repeated_offenders timeout to trigger.
Anybody with a local install that can test this, or has it working?
Unfortunately the source is still a little over my head...just meaning that I don't have the time right now to get in and learn.
But I work regularly with a couple of different ossec server/agent groups for different clients, and can definitely help to test any code patches, and/or help with any diagnostic testing.
I'd love to see this feature work, but it is by no means a deal-breaker for me.
The issue is that the repeated offenders configuration needs to be on
the *agents'* ossec.conf file, and *not* in the server's ossec.conf. I
believe you could have it on both so it is used for both the server
and agent. It can't go in the agent.conf currently, which would have been
nice, but it's fine for now.
For more details on this see my post on this solution here:
http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html
Regards
Jake
> Based on http://dcid.me/2011/02/blocking-repeated-offenders-with-ossec/
I will test this in my server/client configuration with block <location>all</location>. I'm hoping that the repeated_offenders timeouts on each agent will determine this from the active-response.log. Otherwise, I'd assume repeated_offenders would only be blocked per-agent.
I manage my config changes with puppet so it should be a quick fix :)
So to re-cap and clarify on Jake's discovery, the repeated_offenders block goes on the AGENTS' ossec.conf file. Also important is that the repeated_offenders block is NOT on the server's ossec.conf (I had repeated offenders in each active response block, and the agents were ignoring the initial timeout and going right to the first repeated_offenders value).
Also this seems to work across the whole network. I.E. if 1 machine gets a brute-force attack and the active response triggers, and later a different machine gets attacked by the same source, it will go to repeated_offenders :)
Thanks again, Jake, for the testing you did with this, and thanks Dan for updating the docs :)
----- Original Message -----
From: "Chris Warren" <chris....@netelligent.ca>
To: ossec...@googlegroups.com
Sent: Saturday, December 17, 2011 10:37:41 AM
Subject: Re: [ossec-list] Re: Repeated Offenders not triggering
GREAT news!
I will test this in my server/client configuration with block <location>all</location>. I'm hoping that the repeated_offenders timeouts on each agent will determine this from the active-response.log. Otherwise, I'd assume repeated_offenders would only be blocked per-agent.
I manage my config changes with puppet so it should be a quick fix :)
----- Original Message -----
From: "c0by" <jake...@gmail.com>
To: "ossec-list" <ossec...@googlegroups.com>
Sent: Saturday, December 17, 2011 7:46:25 AM
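The thread's symptom (an offender unblocked after 600 seconds every time, or going straight to the first repeated_offenders value) is easiest to confirm from the agent's active-responses.log rather than from the execd startup messages. The following is an added example, not code from the thread or from the OSSEC project: it takes the thread's <timeout> and <repeated_offenders> values, computes the block length each successive offense should get, and compares that against the add/delete pairs per source IP in a constructed log excerpt. The log line layout (date, script path, add/delete, user, IP, alert id, rule id), the log file name, and the escalation rule (offense 1 uses <timeout>, repeat k uses the k-th repeated_offenders value in minutes, later repeats reuse the last value) are assumptions made for this example; the sample lines and addresses are constructed.

```python
"""Check whether OSSEC repeated_offenders escalation actually took effect,
by pairing 'add' and 'delete' entries per IP in active-responses.log.
Added example; log format and escalation rule are assumptions, see below."""
import re
from collections import defaultdict
from datetime import datetime

# Values taken from the thread's active-response config.
TIMEOUT_SECONDS = 600                      # <timeout>600</timeout>
REPEATED_OFFENDERS_MINUTES = [30, 60, 120, 1440]   # <repeated_offenders>

# Assumed line layout written by the active-response scripts:
# "<date> <script> <add|delete> <user> <ip> <alert-id> <rule-id>"
LINE_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+)"
)

# Constructed sample: 203.0.113.7 escalates correctly (600 s, 30 min, 60 min);
# 198.51.100.9 is blocked for 30 min on its very first offense, the symptom
# Chris described when repeated_offenders was also present in the server config.
SAMPLE_LOG = """\
Mon Dec 12 19:39:15 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1323718755.1 5712
Mon Dec 12 19:40:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.9 1323718800.2 5712
Mon Dec 12 19:49:15 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1323718755.1 5712
Mon Dec 12 20:00:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1323720000.3 5712
Mon Dec 12 20:10:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.9 1323718800.2 5712
Mon Dec 12 20:30:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1323720000.3 5712
Mon Dec 12 21:00:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1323723600.4 5712
Mon Dec 12 22:00:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1323723600.4 5712
""".splitlines()


def expected_schedule(timeout, repeated_minutes, offenses):
    """Block length in seconds for offenses 1..offenses.
    Assumption: offense 1 uses <timeout>; repeat k uses repeated_minutes[k-1]
    (minutes); repeats past the end of the list keep the last value."""
    schedule = []
    for n in range(1, offenses + 1):
        if n == 1:
            schedule.append(timeout)
        else:
            idx = min(n - 2, len(repeated_minutes) - 1)
            schedule.append(repeated_minutes[idx] * 60)
    return schedule


def observed_durations(lines):
    """Pair each 'add' with the next 'delete' for the same IP and return
    {ip: [seconds blocked, ...]} in order of occurrence."""
    pending = {}
    durations = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        when = datetime.strptime(m.group("when"), "%a %b %d %H:%M:%S %Z %Y")
        ip = m.group("ip")
        if m.group("action") == "add":
            pending[ip] = when
        elif ip in pending:
            durations[ip].append(int((when - pending.pop(ip)).total_seconds()))
    return dict(durations)


def check_escalation(lines, timeout=TIMEOUT_SECONDS,
                     repeated_minutes=REPEATED_OFFENDERS_MINUTES):
    """Return {ip: [(observed_seconds, expected_seconds), ...]}."""
    report = {}
    for ip, seen in observed_durations(lines).items():
        expected = expected_schedule(timeout, repeated_minutes, len(seen))
        report[ip] = list(zip(seen, expected))
    return report


def mismatches(report):
    """{ip: [(offense_number, observed, expected), ...]} for blocks whose
    length differs from the schedule; empty dict means escalation is working."""
    bad = {}
    for ip, pairs in report.items():
        wrong = [(n, obs, exp) for n, (obs, exp) in enumerate(pairs, 1) if obs != exp]
        if wrong:
            bad[ip] = wrong
    return bad


def escalation_ok(report):
    return not mismatches(report)


if __name__ == "__main__":
    result = check_escalation(SAMPLE_LOG)
    for ip, pairs in result.items():
        print(ip, pairs)
    print("mismatches:", mismatches(result))
```

Run it against a real agent by replacing SAMPLE_LOG with the lines of the agent's active-responses.log; an IP whose first block already lasts 1800 seconds is the misconfiguration the thread describes, while a first block of 600 seconds followed by 1800, 3600 and so on means the agent-side repeated_offenders list is being honoured.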