Atomic Secure Linux


All times are UTC - 5 hours [ DST ]




[ 18 posts ] Go to page 1, 2 Next
Post subject: Active Response Question
Posted: Thu Apr 21, 2011 1:37 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 122
We're running the test build of 3.0.

We recently ran into an issue with active response. We have the shun time set to 3600 seconds.

It has generally been working as expected, but we ran into an odd one recently:

Fri Apr 15 23:26:05 EDT 2011 /var/ossec/active-response/bin/host-deny.sh add - XX.XX.XX.XX 1302924365.189824 5706

where XX.XX.XX.XX is the user's IP.

We were expecting that ban to lift in an hour based on rule 5706, but it didn't expire until the following Wednesday:

Wed Apr 20 23:26:46 EDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - XX.XX.XX.XX 1302924365.189824 5706

Should we be looking at some related rule that may have kicked in and caused the longer ban, or is that perhaps a bug?

Also, for entries like:

Tue Apr 19 10:07:45 EDT 2011 /var/ossec/active-response/bin/host-deny.sh delete apache XX.XX.XX.XX
Tue Apr 19 10:07:46 EDT 2011 /var/ossec/active-response/bin/host-deny.sh delete apache

What does the "apache" indicate? I assume it is related to httpd access, but I couldn't find any wiki entry that discusses the active-response log (I may have been searching on the wrong terms, so if there is documentation available, I would appreciate a pointer).

Thanks!

Post subject: Re: Active Response Question
Posted: Thu Apr 21, 2011 9:40 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7775
Location: earth
Active response times are based on the OSSEC_SHUN_TIME variable; this is the number of seconds to block an attacker for. The default is 600. In addition, you can disable expiration completely with OSSEC_SHUN_ENABLE_TIMEOUT.

Now, if for some reason you kill ossec off instead of shutting it down correctly, then you could run into a condition where the block sticks around for as long as 24 hours. So don't ever do that. :P

There will also be a graded "repeat offender" active response, where IPs that come back will be blocked for progressively longer periods based on a multiplier. That's not active in the version you're running.

To your latter question, there are 2 basic types of active response: those that handle network events (firewall, tcpwrappers, etc.) and one that handles user events. They are both handled identically; the field you're looking at is the userid field. If that were a user event, the active response could be used to perform an action against the user, like disabling the account, or maybe turning on very verbose logging, or even restarting/reconfiguring a daemon based on some specific log event. We're looking at using that kind of capability for self-healing, or policy-based security controls.
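The check the original poster was doing by hand (pairing the `add` and `delete` lines for one IP and comparing the gap with the 3600-second shun time), as an added example written for this thread rather than anything shipped with ASL or OSSEC. It parses the log format quoted above, treats the third field as the userid field the reply describes, and runs over a constructed sample; the tolerance value and the RFC 5737 addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the active-response log quoted in the
# thread (RFC 5737 documentation addresses stand in for the real ones).
SAMPLE_LOG = """\
Fri Apr 15 23:26:05 EDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1302924365.189824 5706
Tue Apr 19 10:00:00 EDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1303221600.000001 5712
Tue Apr 19 10:07:45 EDT 2011 /var/ossec/active-response/bin/host-deny.sh delete apache 203.0.113.5
Tue Apr 19 11:00:03 EDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 198.51.100.7 1303221600.000001 5712
Wed Apr 20 23:26:46 EDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.10 1302924365.189824 5706
"""

# Fields after the script path: action, userid ("-" for network events, a user
# name for user events), source IP, then optionally the alert id and rule id.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) \w+ (?P<year>\d{4}) "
    r"\S+ (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+)"
    r"(?: (?P<alert_id>\S+) (?P<rule>\d+))?\s*$"
)

def parse_time(stamp, year):
    """'Fri Apr 15 23:26:05' + '2011' -> datetime; the zone is dropped because
    both ends of a block pair carry the same local zone in this log."""
    return datetime.strptime(f"{' '.join(stamp.split())} {year}", "%a %b %d %H:%M:%S %Y")

def audit_blocks(log_text, shun_seconds, tolerance=60):
    """Pair add/delete lines by (ip, alert id); flag blocks that outlived the
    configured shun time. Returns (completed blocks, unmatched lines)."""
    open_blocks, blocks, unmatched = {}, [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["alert_id"])
        when = parse_time(m["stamp"], m["year"])
        if m["action"] == "add":
            open_blocks[key] = (when, m["rule"], m["user"])
        elif key in open_blocks:
            start, rule, user = open_blocks.pop(key)
            seconds = int((when - start).total_seconds())
            blocks.append({"ip": m["ip"], "rule": rule, "user": user, "seconds": seconds,
                           "over_limit": seconds > shun_seconds + tolerance})
        else:  # e.g. the 'delete apache <ip>' lines the thread asks about
            unmatched.append({"ip": m["ip"], "user": m["user"], "action": m["action"]})
    return blocks, unmatched

if __name__ == "__main__":
    for b in audit_blocks(SAMPLE_LOG, shun_seconds=3600)[0]:
        print(b["ip"], "rule", b["rule"], f"{b['seconds']}s", "OVER LIMIT" if b["over_limit"] else "ok")
```

Run against the real `/var/ossec/logs/active-responses.log`, a block flagged OVER LIMIT points at something outside the shun timer (as the thread goes on to suspect of the separate firewall front end), while unmatched deletes show which entries have no corresponding add to pair with.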
Post subject: Re: Active Response Question
Posted: Sat Apr 23, 2011 12:10 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 122
Thanks for the response. Yes, shun is set at 3600, up from the default 600.

We haven't killed the ossec process. It only restarts normally as a part of ASL and/or a box restart. Not sure I'm reading you correctly, but even if that were the case, that would only account for a max of 24 hours for a block, correct (not the four days that we saw)?

What version is the repeat offender found in?

For the two types of active response, is it possible to enable one without the other (for example have network events on but user events off)?
Post subject: Re: Active Response Question
Posted: Sat Apr 23, 2011 12:41 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7775
Location: earth
Quote:
We haven't killed the ossec process. It only restarts normally as a part of ASL and/or a box restart. Not sure I'm reading you correctly, but even if that were the case, that would only account for a max of 24 hours for a block, correct (not the four days that we saw)?


Something else must be affecting it then; there's nothing in ASL that can do that. 3rd-party firewall front end, maybe?


Quote:
What version is the repeat offender found in?

It's in 2.9.0-0.52

Quote:
For the two types of active response, is it possible to enable one without the other (for example have network events on but user events off)?


Absolutely, you can associate active responses down to specific rules on specific machines.

And completely unrelated to this thread, but here's some new eye candy (Reports!):
http://www.atomicrocketturtle.com/asl3-report.png

Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 11:37 am
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 122
Yes, we are running APF. Any suggestions about what to look for in its config that might be interfering?

Will have to try out -52 on our dev box once we get the main box running (running release version on that box).

Wow, those reports look nice. :-) Looking forward to when 3.0 becomes the release version.

On an off topic note, are there any contradictions to mounting tmp, shm, etc. noexec, nosuid, etc. with ASL? We've typically done that on our other boxes but was curious if needed on an ASL box.

Thanks.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 11:54 am
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 635
scott wrote:
There will also be a graded "repeat offender" active response, where IPs that come back will be blocked for progressively longer periods based on a multiplier. That's not active in the version you're running.


It would be great if this was multi-box: if we had one IP that was probing multiple sites (or hitting "default") repeatedly across several boxes (this happens to us quite a lot), then those additional boxes would also count towards their repeat offender status.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 2:43 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7775
Location: earth
It will do that by default right now if you're in a client/server configuration. The active response policy options are:
- Disabled
- Block across all clients
- Block on only the client the attack was detected on

By default, if it is enabled it will block across all clients. Repeat offenders are cumulative, meaning a linear attack against multiple servers will count against the repeat offender list if you are in "Block across all clients" mode. Otherwise the policy would only track the repeat offender in the context of the individual client.
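The graded repeat-offender behaviour and the three policy options described above, as an added model written for this thread rather than ASL's own code. The base time is the thread's 3600-second shun time; the growth multiplier, the cap and the client names are assumptions, since the thread gives none.

```python
from collections import defaultdict

# Policy options as listed in the thread.
DISABLED, ALL_CLIENTS, LOCAL_ONLY = "disabled", "all-clients", "local-only"

class RepeatOffenders:
    """Graded active response: every return of the same IP earns a longer block.

    In all-clients mode the offence count is global, so a linear attack that
    walks across several servers escalates; in local-only mode each client
    keeps its own count. base, mult and cap are assumed tuning values."""

    def __init__(self, policy, base=3600, mult=2, cap=7 * 24 * 3600):
        self.policy, self.base, self.mult, self.cap = policy, base, mult, cap
        self.hits = defaultdict(int)

    def _key(self, ip, client):
        # Global key when blocks are shared across clients, per-client key otherwise.
        return ip if self.policy == ALL_CLIENTS else (ip, client)

    def offence(self, ip, client):
        """Record an alert for ip seen on client; return (block seconds, scope),
        scope being "all" or the single client that should install the block."""
        if self.policy == DISABLED:
            return 0, None
        key = self._key(ip, client)
        self.hits[key] += 1
        seconds = min(self.base * self.mult ** (self.hits[key] - 1), self.cap)
        return seconds, "all" if self.policy == ALL_CLIENTS else client

def simulate(policy, events):
    """Feed (ip, client) alerts through one tracker; return the block lengths."""
    tracker = RepeatOffenders(policy)
    return [tracker.offence(ip, client)[0] for ip, client in events]

# Constructed scenario from the thread: one IP probing three hosts in turn,
# then coming back to the first one.
LINEAR_ATTACK = [("192.0.2.10", "web1"), ("192.0.2.10", "web2"),
                 ("192.0.2.10", "web3"), ("192.0.2.10", "web1")]

if __name__ == "__main__":
    for policy in (ALL_CLIENTS, LOCAL_ONLY, DISABLED):
        print(policy, simulate(policy, LINEAR_ATTACK))
```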
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 3:18 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 122
Just a repost JIC the prior reply got overlooked from the block posts.

Thanks.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 3:33 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7775
Location: earth
No issues with the noexec/suid/etc. things (although noatime helps out immensely, definitely use that!). SUID binaries are going away in modern distributions, and noexec never really did anything to start with.

Tough to say without taking apart the specific rules on the specific host. Could APF affect things? Sure, absolutely. We use named rules in our system, so they *should* operate independently of other firewalls. You could of course always make a mistake, like an any/any INPUT rule that would make a downstream rule useless.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 3:51 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 635
If noatime is that good, why would you not turn it off for big parts of your system?
/tmp /var/spool /var/cache /var/www/vhosts etc?

Quote:
Linux has a special mount option for file systems called noatime that can be added to each line that addresses one file system in the /etc/fstab file. If a file system has been mounted with this option, reading accesses to the file system will no longer result in an update to the atime information associated with the file like we have explained above. The importance of the noatime setting is that it eliminates the need by the system to make writes to the file system for files which are simply being read. Since writes can be somewhat expensive, this can result in measurable performance gains. Note that the write time information to a file will continue to be updated anytime the file is written to.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 4:22 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3545
Location: Chantilly, VA
Quote:
if noatime is that good why would you not turn it off for big parts of your system?


Agreed. For performance you would turn it off anywhere you want to speed up reads. You just lose the access time record, and for most users that's not something they would need anyway. For forensics atime might be helpful, but honestly atime records are not going to be missed by most users otherwise.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 4:23 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7775
Location: earth
I mean you want to mount file systems with noatime (i.e. turning atime off); that's actually the default on Fedora 14 and up. They aren't kidding about it making a difference, especially on web or file servers.
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 4:32 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 635
So then what are good directories to have this off on?

/tmp
/var/tmp
/var/www/vhosts
/var/asl/data/audit
/var/log
/var/spool
/var/cache
/var/lib/psa/dumps
/var/lib/php/session
Post subject: Re: Active Response Question
Posted: Tue Apr 26, 2011 6:12 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3545
Location: Chantilly, VA
Everything, really. As long as you don't care about logging when a file was accessed (and you probably do not care), turn atime off. :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
Post subject: Re: Active Response Question
Posted: Wed Apr 27, 2011 11:56 am
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 122
Scott/Mike:

Great, thanks for the comments/suggestions.

Will ASL 3 ultimately have any means to quickly set up ingress/egress filtering?

One of the reasons that we use APF is that it makes it relatively easy to do ingress and egress from the conf file using a comma-separated list of what ports we allow.

If that were in ASL, then we could ditch APF.