Why won't ossec block connections from another server?

I installed ossec version 2.9.3 on Ubuntu 16.04. In the ossec.conf file I have these lines where x.x.x.x is the IP address of a second Linux server:

<command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>x.x.x.x</expect>
    <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id> 
    <timeout>1800</timeout> 
</active-response>

I restarted ossec. Running a ps -ef | grep ossec showed it was running. I have a firewall rule that allows the Linux server at x.x.x.x to SSH to the Ubuntu server with ossec. I can still SSH from the second server to the ossec server.

I changed the timeout to 20. I made sure it took me 25 seconds to type in the password. I can still SSH from the second server to the ossec server. I expected the above to block SSH connections. I tried turning off the firewall, but that did not have any effect. What am I doing wrong?

Jermoe

1 Answer

The timeout in the OSSEC <active-response> block specifies after how long the response will be rolled back: in other words, after 1800 seconds (or 20 seconds, when you changed it), the IP will be allowed again.

Rule 5712 in the default configuration detects SSH brute force -- try connecting a number of times. You can also look in the file /var/ossec/logs/alerts/alerts.log to see when alerts are fired.

David
  • I tried connecting over 20 times with the wrong password. That alerts.log file never got written to. A password is still being requested. I can log in if I insert the correct password. What should I do? – Jermoe Jan 13 '18 at 16:51
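The answer points at /var/ossec/logs/alerts/alerts.log as the place to confirm whether rule 5712 fired, and explains that <timeout> is the rollback time for the block. The following is an added example, not code from the question or the answer and not part of OSSEC itself: it parses the alerts.log format into records, filters for a rule ID, and computes the window during which the firewall-drop response would be in force for the offending source IP. The sample log content is constructed (hostname, IPs and timestamps are made up) and mirrors the layout of OSSEC alert blocks; the regular expressions are written against that constructed sample.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of alerts.log content (not real log data). Two alerts from
# the same source IP: a single failed login (rule 5716) followed by the brute
# force correlation alert (rule 5712) that the active-response is bound to.
SAMPLE_ALERTS = """\
** Alert 1515861899.1024: - syslog,sshd,authentication_failed,
2018 Jan 13 16:44:59 ossec-host->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: admin
Jan 13 16:44:59 ossec-host sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 50212 ssh2

** Alert 1515861960.2048: - syslog,sshd,authentication_failures,
2018 Jan 13 16:46:00 ossec-host->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.0.2.10
Jan 13 16:45:58 ossec-host sshd[2240]: Failed password for invalid user admin from 192.0.2.10 port 50230 ssh2
Jan 13 16:45:59 ossec-host sshd[2241]: Failed password for invalid user admin from 192.0.2.10 port 50231 ssh2
"""

# "** Alert <epoch>.<seq>: - group1,group2,..." opens every alert block.
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): (.*)$")
# "Rule: <id> (level <n>) -> '<description>'"
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
# "Src IP: <address>" is the field active-response hands to firewall-drop.sh
SRCIP_LINE = re.compile(r"^Src IP: (\S+)$")


def parse_alerts(text):
    """Split alerts.log text into a list of dicts, one per alert block."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            groups_part = m.group(3).split("-", 1)[-1]
            current = {
                "epoch": int(m.group(1)),
                "rule_id": None,
                "level": None,
                "description": "",
                "srcip": None,
                "groups": [g.strip() for g in groups_part.split(",") if g.strip()],
            }
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first alert header is ignored
        m = RULE_LINE.match(line)
        if m:
            current["rule_id"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
            continue
        m = SRCIP_LINE.match(line)
        if m:
            current["srcip"] = m.group(1)
    return alerts


def alerts_for_rule(alerts, rule_id):
    """Only alerts that fired the given rule, e.g. 5712 for SSH brute force."""
    return [a for a in alerts if a["rule_id"] == rule_id]


def block_window(alert, timeout_seconds):
    """Start and end of the active-response block for one alert.

    Per the answer, <timeout> is the rollback time: the drop rule added when
    the alert fires is removed again timeout_seconds later.
    """
    start = datetime.fromtimestamp(alert["epoch"], tz=timezone.utc)
    return start, start + timedelta(seconds=timeout_seconds)


def is_blocked_at(alerts, srcip, when_epoch, timeout_seconds, rule_id=5712):
    """True if srcip is inside a block window of some rule_id alert at when_epoch."""
    when = datetime.fromtimestamp(when_epoch, tz=timezone.utc)
    for alert in alerts_for_rule(alerts, rule_id):
        if alert["srcip"] != srcip:
            continue
        start, end = block_window(alert, timeout_seconds)
        if start <= when < end:
            return True
    return False


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in alerts_for_rule(parsed, 5712):
        start, end = block_window(a, 1800)
        print(f"rule {a['rule_id']} from {a['srcip']}: blocked {start} .. {end}")
```

Running it against a real alerts.log (read the file instead of SAMPLE_ALERTS) tells you two things the question struggled with: whether a 5712 alert ever fired for the second server's IP, and, if it did, during which window the block was supposed to hold before the timeout rolled it back.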