Home / server / Questions / 356729
Accepted
Lucas Kauffman
Asked: 2012-02-04 14:32:54 +0800 CST

OSSEC: Unblock an IP and increase tresshold

  • 772

I just set up OSSEC, but I accidentally shut myself out already from my home ip.

So does OSSEC have a function to unblock an IP after it is blocked or do I need to do this manually in iptables ?

Also does OSSEC provide a way to temporary ban IP's ?

debian ossec

2 Answers

  1. Best Answer

    To manually unblock them you need to change the ‘add’ to ‘delete’, so to the delete the previous rules it would be:

    /var/ossec/active-response/bin/host-deny.sh delete - 188.163.238.252 1328614852.61546 5712
/var/ossec/active-response/bin/firewall-drop.sh delete - 188.163.238.252 1328614852.61546 5712

    Sometimes rules are to strict or not strict enough. You might want to change something or add something yourself. This can be done in local_rules.xml file. Suggest we want to increase the tresshold of failed login on http auth for apache2. If we look at the apache_rules.xml we see a number of rules. The interesting one is:

     <rule id="30119" level="12" frequency="6" timeframe="120">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>

    To change the frequency from 6 to 10, we need to copy the rule and paste it in local_rules.xml. Then we add a parameter overwrite=”yes” to tell OSSEC it needs to overwrite the rule defined in apache_rules.xml and instead use the one defined in local_rules.xml. The rule would look like this:

     <rule id="30119" level="12" frequency="10" timeframe="120" overwrite="yes">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>

    If we want to completely ignore this rule as it is not relevant for us, we just change the level to 0:

     <rule id="30119" level="0" frequency="10" timeframe="120" overwrite="yes">
    <if_matched_sid>30118</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts blocked by Mod Security.</description>
    <group>access_denied,</group>
  </rule>

    Excerpt from my blog answers this question.

    • 2

  2. An I-need-to-unblock-IP-quickly approach (replace 1.2.3.4 with your IP):

    $ iptables -L | grep 1.2.3.4
$ grep 1.2.3.4 /etc/hosts.deny

    If the IP is found in iptables's DROP rule, then run:

    /var/ossec/active-response/bin/firewall-drop.sh delete - 1.2.3.4

    If the IP is found in /etc/hosts.deny, then run 

    /var/ossec/active-response/bin/host-deny.sh delete - 1.2.3.4
    • -1