
We have OSSEC installed on some web servers running behind Amazon ELB. The problem is that when the active response triggers it blocks the IP address of the load balancer. Is there any way to use the active response to block clients sending suspect requests when OSSEC is behind a load balancer?

Thanks

Michael

2 Answers


You can add the IP(s) to the white list in ossec.conf. That file is typically in /var/ossec/etc/ossec.conf.

<global>
<white_list>ip goes here</white_list>
...
</global>

Then restart ossec with /etc/init.d/ossec restart.

Banjer

Adding the load balancer IP to the <white_list> directive would do you no good in terms of attaining your goal, which is for OSSEC to block the actual offending IP (end-user IP logged in web servers).

Your load balancer would have to be adjusted to handle X-Forwarded-For headers, and your web server or application stack would need to be adjusted to record the X-Forwarded-For IP to the logs.

Then OSSEC would work as you intended, because its active-response feature will identify the correct offending IP in the logs.

JSL
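The X-Forwarded-For approach in the answer above has one trap worth seeing in code: once the header is logged, the field is no longer guaranteed to be a single IP. A client can send its own X-Forwarded-For, and the ELB appends the real peer address after it, so the logged value becomes "forged, real". A decoder that takes the first token of the line would then block whatever address the attacker chose. The example below (added here; it is not OSSEC code and not from either answer) parses Apache access lines written with `%{X-Forwarded-For}i` in place of `%h`, walks the chain from the right while skipping trusted proxy ranges, and counts 4xx responses per real client to decide whom to block. It goes a little beyond the thread in that the right-to-left walk also handles a CDN in front of the ELB. The ELB range `10.0.0.0/8`, the threshold of five 4xx responses, and the log lines are all constructed for the example.

```python
"""Find the real client behind X-Forwarded-For and pick IPs to block.

Added example for this thread, not OSSEC's own decoder or rules.
Assumes Apache logs the header as the first field, e.g.
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" xff_combined
and that the ELB nodes are the only trusted proxies in front of the server.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical: address range of the ELB nodes (and any CDN you chain in
# front of it).  Entries from these ranges are hops, never the offender.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical threshold standing in for an OSSEC frequency rule:
# block a client after this many 4xx responses.
BLOCK_AFTER = 5

# Combined format with %{X-Forwarded-For}i as the first field.  The header
# may read "client, proxy1, proxy2", so the first field is matched lazily
# up to the ident/user columns instead of as a single token.
LOG_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log: one scanner that also forges the header, one
# normal visitor, one internal health check, one line with a garbage header.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
1.2.3.4, 198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 209
1.2.3.4, 198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 403 209
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /missing.png HTTP/1.1" 404 209
10.0.3.4 - - [10/Oct/2023:13:55:43 +0000] "GET /health HTTP/1.1" 404 209
not-an-ip - - [10/Oct/2023:13:55:44 +0000] "GET /x HTTP/1.1" 404 209
""".splitlines()


def naive_first_field(line):
    """What a decoder that takes the first whitespace token would see.
    On a forged header this is the attacker's chosen address."""
    return line.split(" ", 1)[0].rstrip(",")


def client_ip(xff_value, trusted=TRUSTED_PROXIES):
    """Walk the X-Forwarded-For chain from the right, skipping trusted proxies.

    The rightmost entry was appended by the hop nearest to us (the ELB);
    anything the client wrote into the header itself sits further left.
    Returns None when there is nothing safe to block (empty or malformed
    header, or every hop is a trusted proxy).
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: never block on it
        if not any(addr in net for net in trusted):
            return str(addr)
    return None


def ips_to_block(log_lines, threshold=BLOCK_AFTER):
    """Count 4xx responses per real client; return {ip: count} for offenders."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("status").startswith("4"):
            continue
        ip = client_ip(m.group("xff"))
        if ip is not None:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip} ({n} 4xx responses)")
```

The ELB's own address never shows up as an offender, which is the original complaint, and the forged `1.2.3.4` is ignored because it sits to the left of the entry the ELB appended. If you instead let OSSEC's stock Apache decoder read a multi-hop header as the first field, check what it extracts as `srcip` on a forged line before trusting active response with it.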