
I just set up OSSEC, but I accidentally shut myself out already from my home ip.

So does OSSEC have a function to unblock an IP after it is blocked or do I need to do this manually in iptables ?

Also does OSSEC provide a way to temporary ban IP's ?

Lucas Kauffman

2 Answers

To manually unblock them you need to change the 'add' to 'delete', so to delete the previous rules it would be:

/var/ossec/active-response/bin/host-deny.sh delete - 188.163.238.252 1328614852.61546 5712
/var/ossec/active-response/bin/firewall-drop.sh delete - 188.163.238.252 1328614852.61546 5712

Sometimes rules are too strict or not strict enough. You might want to change something or add something yourself. This can be done in the local_rules.xml file. Suppose we want to increase the threshold of failed logins on HTTP auth for apache2. If we look at apache_rules.xml we see a number of rules. The interesting one is:

  <rule id="30119" level="12" frequency="6" timeframe="120">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>

To change the frequency from 6 to 10, we need to copy the rule and paste it in local_rules.xml. Then we add a parameter overwrite="yes" to tell OSSEC it needs to overwrite the rule defined in apache_rules.xml and instead use the one defined in local_rules.xml. The rule would look like this:

  <rule id="30119" level="12" frequency="10" timeframe="120" overwrite="yes">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>

If we want to completely ignore this rule as it is not relevant for us, we just change the level to 0:

  <rule id="30119" level="0" frequency="10" timeframe="120" overwrite="yes">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>

This excerpt from my blog answers the question.

Lucas Kauffman
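The answer above relies on two things that are easy to get wrong by hand: a rule copied into local_rules.xml without overwrite="yes" collides with the base rule id, and an override replaces the whole rule rather than merging attributes, so an attribute left out of the copy is silently lost. The following checker is an added example, not code from the answer, the blog or the OSSEC project: it parses a constructed excerpt of apache_rules.xml (rule 30119 as quoted above, with a minimal stand-in for 30118) and a constructed local_rules.xml, reports those two problems, and shows the effective level and frequency of each rule. The single <group> wrapper around each file and the 100000-109999 range for new local rule ids are assumptions taken from OSSEC's documented rule-file layout.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of apache_rules.xml (rule 30118 reduced to id, level and
# description); real rule files wrap their rules in a <group> element like this.
BASE_RULES = """<group name="apache,">
  <rule id="30118" level="5">
    <description>Access attempt blocked by Mod Security.</description>
  </rule>
  <rule id="30119" level="12" frequency="6" timeframe="120">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>
</group>"""

# Constructed local_rules.xml: a correct override of 30119 (frequency 6 -> 10),
# a copy of 30118 that forgot overwrite="yes", and one genuinely new rule.
LOCAL_RULES = """<group name="local,">
  <rule id="30119" level="12" frequency="10" timeframe="120" overwrite="yes">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>
  <rule id="30118" level="3">
    <description>Access attempt blocked by Mod Security.</description>
  </rule>
  <rule id="100001" level="7">
    <if_sid>30118</if_sid>
    <description>Constructed local rule in the 100000-109999 range.</description>
  </rule>
</group>"""

LOCAL_ID_RANGE = range(100000, 110000)  # assumed local rule id range


def parse_rules(xml_text):
    """Map rule id -> <rule> element for one rules file."""
    return {r.get("id"): r for r in ET.fromstring(xml_text).iter("rule")}


def check_local_rules(base_xml, local_xml):
    """Return (effective_attributes_by_id, problems) after applying local rules."""
    base = parse_rules(base_xml)
    local = parse_rules(local_xml)
    effective = {rid: dict(r.attrib) for rid, r in base.items()}
    problems = []
    for rid, rule in local.items():
        if rid in base:
            if rule.get("overwrite") != "yes":
                # Same id, no overwrite: OSSEC treats this as a duplicate id.
                problems.append(f'rule {rid} re-uses a base id without overwrite="yes"')
                continue
            # An override replaces the whole rule, so attributes must be repeated.
            dropped = set(base[rid].attrib) - set(rule.attrib)
            if dropped:
                problems.append(f"override of {rid} drops attribute(s) {sorted(dropped)}")
        elif not (rid.isdigit() and int(rid) in LOCAL_ID_RANGE):
            problems.append(f"new rule {rid} is outside the local id range")
        attrs = dict(rule.attrib)
        attrs.pop("overwrite", None)
        effective[rid] = attrs
    return effective, problems


def rule_summary(attrs):
    """Level, frequency and whether the rule is effectively disabled (level 0)."""
    level = int(attrs.get("level", "0"))
    freq = int(attrs["frequency"]) if "frequency" in attrs else None
    return {"level": level, "frequency": freq, "disabled": level == 0}


if __name__ == "__main__":
    effective, problems = check_local_rules(BASE_RULES, LOCAL_RULES)
    for rid in sorted(effective):
        print(rid, rule_summary(effective[rid]))
    for p in problems:
        print("PROBLEM:", p)
```

The level-0 variant from the answer can be checked the same way: feeding a local file whose 30119 override has level="0" yields disabled=True in the summary, which is what "ignore this rule" means in practice.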

An I-need-to-unblock-IP-quickly approach (replace 1.2.3.4 with your IP):

$ iptables -L | grep 1.2.3.4
$ grep 1.2.3.4 /etc/hosts.deny

If the IP is found in an iptables DROP rule, then run:

/var/ossec/active-response/bin/firewall-drop.sh delete - 1.2.3.4

If the IP is found in /etc/hosts.deny, then run:

/var/ossec/active-response/bin/host-deny.sh delete - 1.2.3.4

Martin Melka
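The two grep commands in this answer have a sharp edge: grep 1.2.3.4 treats each dot as "any character" and matches substrings, so it also reports 1.2.3.45 and would send you to delete a rule for the wrong host. The script below is an added example, not code from the answer or from OSSEC: it decides which of the two active-response scripts to call by parsing constructed samples of iptables -L -n output and /etc/hosts.deny with exact field comparison, validates the address before it is placed on a command line, and returns the argv lists rather than executing them. The sample data, the ALL:<ip> line form in hosts.deny, and the column layout of the listing are constructed assumptions; the script paths and the "delete -" arguments are the ones from the answers.

```python
import ipaddress
import shlex

# Constructed `iptables -L -n` output (-n avoids reverse-DNS lookups): one
# OSSEC-style DROP for 1.2.3.4, a near-miss 1.2.3.45 that an unanchored grep
# would also match, and an ACCEPT that is not a block at all.
IPTABLES_OUTPUT = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.1             0.0.0.0/0
DROP       all  --  1.2.3.4              0.0.0.0/0
DROP       all  --  1.2.3.45             0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed /etc/hosts.deny in the "ALL:<ip>" form assumed for host-deny.sh.
HOSTS_DENY = """# constructed sample
ALL:1.2.3.45
ALL:1.2.3.4
"""

# Active-response scripts named in the answers; "-" is the unused user argument.
FIREWALL_DROP = "/var/ossec/active-response/bin/firewall-drop.sh"
HOST_DENY = "/var/ossec/active-response/bin/host-deny.sh"


def blocked_in_iptables(ip, listing):
    """True if some DROP rule in the listing has `ip` as its source field."""
    for line in listing.splitlines():
        fields = line.split()
        # Columns in `iptables -L -n`: target prot opt source destination
        if len(fields) >= 5 and fields[0] == "DROP" and fields[3] in (ip, ip + "/32"):
            return True
    return False


def blocked_in_hosts_deny(ip, hosts_deny):
    """True if `ip` is a whole client token on a non-comment hosts.deny line.

    IPv4 only: IPv6 entries in hosts.deny use [brackets] and are not parsed here.
    """
    for line in hosts_deny.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # "daemon_list : client_list [: option]" -> compare client tokens exactly,
        # so 1.2.3.4 does not match 1.2.3.45 the way a bare grep does.
        clients = line.split(":")[1].replace(",", " ").split()
        if ip in clients:
            return True
    return False


def unblock_commands(ip, listing, hosts_deny):
    """Return the argv lists to run as root to undo OSSEC's blocks for `ip`."""
    ipaddress.ip_address(ip)  # ValueError for anything that is not a bare address
    cmds = []
    if blocked_in_iptables(ip, listing):
        cmds.append([FIREWALL_DROP, "delete", "-", ip])
    if blocked_in_hosts_deny(ip, hosts_deny):
        cmds.append([HOST_DENY, "delete", "-", ip])
    return cmds


if __name__ == "__main__":
    # On a real host: listing = subprocess.run(["iptables", "-L", "-n"], ...).stdout
    # and hosts_deny = open("/etc/hosts.deny").read(); then subprocess.run(cmd).
    for cmd in unblock_commands("1.2.3.4", IPTABLES_OUTPUT, HOSTS_DENY):
        print(shlex.join(cmd))
```

Returning argv lists and passing them to subprocess.run without a shell keeps the address out of any shell parsing; the ipaddress check rejects malformed input before it gets that far.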