distributed blocking


murf

Jan 5, 2012, 3:08:23 PM1/5/12
to ossec-list
Hello, forgive me if I'm a total noob,
but I have a particular scenario that I would like to
implement, and I'm wondering if ossec could be used--
my first impression is that with the server/agent setup,
this might be achievable... ?

Here it is:

Let's say I have N hosts in a cloud. Each runs a particular
set of servers open to public access. All hosts have their
own firewall, and all hosts reside in a common IP range (big or
small).

I've been noting that the bad guys are scanning my hosts by
IP, and usually within a few minutes, they hit each server in turn.
I have fail2ban running, and it does a fair job of picking up on the
attempts and triggering. I'm using iptables to block IPs. Sorry, I don't
want to utter heresy ;), I'm trying to give ossec due diligence.

What I'd like to do is, if ANY machine gets attacked, I'd like to
report back to the server, and have the server set up the blocking IP
and then have it command all the other agents to block that IP also.

This way, the attacker might get a peek at one or two systems,
but will find nothing but a wall at all the other servers.

Can ossec do this easily?

murf

dan (ddp)

Jan 5, 2012, 4:21:37 PM1/5/12
to ossec...@googlegroups.com

BP9906

Jan 6, 2012, 1:36:42 PM1/6/12
to ossec-list
As Dan mentions, yes, you'll need rule(s) to detect/log/alert on what
you're looking for, then use ossec.conf on ossec server to trigger an
active-response either locally on the agent (web server where the log
originated) or active-response on the ossec server. We actually do
active-response on the ossec server, created a custom script that does
a bunch of stuff and then issues the agent_control -b <ip> -u <id> -f
<active-response> for the specific agent(s) involved. This can be
particularly useful when dealing with many load-balanced web servers.

murf

Jan 6, 2012, 10:36:29 PM1/6/12
to ossec-list
Thank you, gentlemen! As long as it is possible, I will forge ahead
and try an implementation. BP9906's elaboration on how to push
the command back to the agent machine will be valuable.

murf

Peter M Abraham

Jan 7, 2012, 10:26:51 AM1/7/12
to ossec-list
Good day:

RE: agent_control -b <ip> -u <id> -f <active-response>

What would the syntax be to have the above run on all agents?

Thank you.

dan (ddp)

Jan 7, 2012, 10:32:18 AM1/7/12
to ossec...@googlegroups.com

# cd /var/ossec/bin
# ./agent_control

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i <id> Extracts information from an agent.
-R <id> Restarts agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u <id> Runs the integrity/rootkit checking on one agent now.

-b <ip> Blocks the specified ip address.
-f <ar> Used with -b, specifies which response to run.
-L List available active responses.
-s Changes the output to CSV (comma delimited).

Peter M Abraham

Jan 8, 2012, 12:26:37 PM1/8/12
to ossec-list
Hi Dan:

Your listing of the syntax options doesn't tell me what the exact
syntax would be to run agent_control against all agents to block an IP
or IP/CIDR.

Can you please be more exact?

Thank you.

dan (ddp)

Jan 8, 2012, 3:41:35 PM1/8/12
to ossec...@googlegroups.com

Oops, didn't realize it's not in there. You can try "-u all" but I don't know for sure if that works. I'll have to play with it later to find out.
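
As an added example that is not part of this thread or of OSSEC itself: the manager-side active-response script BP9906 describes, written so that it also does what Peter asked for by fanning the block out to every active agent. It assumes the line format of `agent_control -lc` shown in the comments and that a response named firewall-drop600 exists on the agents; the IP argument is validated first, since it is taken from a log line the attacker influenced.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: a manager-side active-response script
# that reads the attacker IP from the alert and pushes a block to every
# active agent through agent_control.
# ossec-execd invokes a response script as:
#   <script> add|delete <user> <ip> [alert_id] [rule_id]
# OSSEC_DRY_RUN=1 prints the agent_control commands instead of running them.
AGENT_CONTROL="${AGENT_CONTROL:-/var/ossec/bin/agent_control}"
RESPONSE="${RESPONSE:-firewall-drop600}"   # response name as listed by -L (assumed)

# The IP comes from a log line the attacker influenced, so accept only a
# plain dotted quad before it goes onto a command line.
valid_ip() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    old_ifs="$IFS"; IFS=.; set -- $1; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# Extract agent IDs from "agent_control -lc" output, whose lines look like
# "   ID: 001, Name: web1, IP: 10.0.0.5, Active" (format assumed). The
# manager's own "Active/Local" entry is skipped; it blocks via its local response.
parse_active_ids() {
    grep 'ID: ' | grep -v 'Active/Local' | sed 's/.*ID: \([0-9]*\),.*/\1/'
}

run_cmd() {
    if [ -n "$OSSEC_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Read agent IDs from stdin and issue one block command per agent.
block_on_agents() {
    while read -r id; do
        run_cmd "$AGENT_CONTROL" -b "$1" -u "$id" -f "$RESPONSE"
    done
}

main() {
    # Fan out only on "add"; lifting the block is left to the timeout each
    # agent has configured for the response.
    [ "$1" = "add" ] || return 0
    valid_ip "$3" || { echo "refusing non-IPv4 argument: $3" >&2; return 1; }
    "$AGENT_CONTROL" -lc | parse_active_ids | block_on_agents "$3"
}

# ossec-execd always passes action, user and ip; with no arguments nothing runs.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Install it under /var/ossec/active-response/bin on the manager and reference it from a <command> and <active-response> pair in ossec.conf with location set to server, so the fan-out runs once per alert rather than on the agent that saw the attack.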

Jeff Jennings

Jan 8, 2012, 9:49:50 PM1/8/12
to ossec...@googlegroups.com
I ran across these instructions on how to install multiple agents on a single server since I need to monitor multiple IPs.

I posted my problem in the comment area on this guy’s page but I guess he did not like the question and deleted my comment.

In any event, his page refers to the following:

Now, go into the <remote> section of ossec.conf in each remote instance and configure the <local_ip> option to point to the correct IP. Make sure each instance points to a unique IP.

I can’t find any section in the ossec.conf file on my agent servers to place what is referred to above.

ANY IDEAS?

In addition, his instructions go on to supply a startup script which fails as follows, but I think it’s failing because the additional instances on the agents are not bound to specific IP addresses.

Can anyone give me some help here?

ossec-agentd not running...
ossec-execd not running...
[root@marine init.d]# ./ossec.sh start
Starting OSSEC at /var/ossec6: 2012/01/08 17:44:33 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec6/bin/ossec-control: line 138:  8627 Segmentation fault      ${DIR}/bin/${i}
                                                           [FAILED]
Starting OSSEC at /var/ossec:                              [  OK  ]
Starting OSSEC at /var/ossec2: 2012/01/08 17:44:35 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec2/bin/ossec-control: line 138:  8691 Segmentation fault      ${DIR}/bin/${i}
                                                           [FAILED]
Starting OSSEC at /var/ossec3: 2012/01/08 17:44:35 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec3/bin/ossec-control: line 138:  8720 Segmentation fault      ${DIR}/bin/${i}
                                                           [FAILED]
Starting OSSEC at /var/ossec4: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec4/bin/ossec-control: line 138:  8749 Segmentation fault      ${DIR}/bin/${i}
                                                           [FAILED]
Starting OSSEC at /var/ossec5: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec5/bin/ossec-control: line 138:  8778 Segmentation fault      ${DIR}/bin/${i}
                                                           [FAILED]
Starting OSSEC at /var/ossec6: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
/var/ossec6/bin/ossec-control: line 138:  8813 Segmentation fault      ${DIR}/bin/${i}
                                                           [FAILED]
[root@marine init.d]#

dan (ddp)

Jan 8, 2012, 11:05:14 PM1/8/12
to ossec...@googlegroups.com
On Sun, Jan 8, 2012 at 9:49 PM, Jeff Jennings
<jjen...@zoominternet.net> wrote:
> I ran across these instructions on how to install multiple agents on a
> single server since I need to monitor multiple IP’s
>
> http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/comment-page-1/#comment-1043
> I posted my problem in the comment area on this guy’s page but I guess he
> did not like the question and deleted my comment.
>
> In any event – his page refers to the following:
>
> Now, go into the <remote> section of ossec.conf in each remote instance and
> configure the <local_ip> option to point to the correct IP. Make sure each
> instance points to a unique IP.
>
> I can’t find any section in the ossec-conf file on my agent servers to place
> what is referred to above.
>
> ANY IDEAS?
>

I think the <remote> section is only available on the manager.

I don't understand why you're installing multiple copies on a single
agent though, your explanation made no sense. Any chance you could
elaborate?

> In addition his instructions go on to supply a startup script which fails as
> follows, but I think it’s failing because the additional instances on the
> agents are not bound to specific IP addresses.
>
> Can anyone give me some help here?
>
>
>
>
> ossec-agentd not running...
> ossec-execd not running...
> [root@marine init.d]# ./ossec.sh start
> Starting OSSEC at /var/ossec6: 2012/01/08 17:44:33 ossec-syscheckd(1702):
> INFO: No directory provided for syscheck to monitor.

^^^^
syscheck isn't configured?

> /var/ossec6/bin/ossec-control: line 138:  8627 Segmentation fault

Not being configured shouldn't cause a segfault in syscheck. What
version are you using?

Jeff Jennings

Jan 8, 2012, 11:18:29 PM1/8/12
to ossec...@googlegroups.com
Sure - I have multiple IP addresses on one server with different websites
running on each of the IP addresses.

dan (ddp)

Jan 8, 2012, 11:29:00 PM1/8/12
to ossec...@googlegroups.com
On Sun, Jan 8, 2012 at 11:18 PM, Jeff Jennings
<jjen...@zoominternet.net> wrote:
> sure - I have multiple ip addresses on one server with different websites
> running on each of the ip addresses.
>

OSSEC (mostly) monitors logs. It doesn't care much about your IP
addresses. You can configure 1 instance to look at the log files of
each website.
