The firewall-drop active response stops working shortly after it's activated. The first IP gets banned (but never unbanned), and after that, banning doesn't work at all. logs/active-responses.log:
Here's the permissions of the active-response/bin folder:
root@xxx:/var/ossec# ls -la active-response/bin/
total 193
drwxr-x--- 3 root wazuh 18 May 3 15:04 .
drwxr-x--- 3 root wazuh 3 Apr 19 09:23 ..
-rwxr-x--- 1 root wazuh 21352 Feb 29 14:04 default-firewall-drop
-rwxr-x--- 1 root wazuh 19304 Feb 29 14:04 disable-account
-rwxr-x--- 1 root wazuh 19304 Feb 29 14:04 firewalld-drop
-rwxr-x--- 1 root wazuh 21352 Feb 29 14:04 firewall-drop
d---r-x--- 2 root wazuh 3 May 3 15:04 fw-drop !!!!!!!!!!!!!!!!!!!!!!!!!!
-rwxr-x--- 1 root wazuh 19328 Feb 29 14:04 host-deny
-rwxr-x--- 1 root wazuh 17360 Feb 29 14:04 ip-customblock
-rwxr-x--- 1 root wazuh 17992 Feb 29 14:04 ipfw
-rwxr-x--- 1 root wazuh 16840 Feb 29 14:04 kaspersky
-rwxr-x--- 1 root wazuh 14429 Feb 29 14:04 kaspersky.py
-rwxr-x--- 1 root wazuh 17744 Feb 29 14:04 npf
-rwxr-x--- 1 root wazuh 19312 Feb 29 14:04 pf
-rwxr-x--- 1 root wazuh 695 Feb 29 14:04 restart.sh
-rwxr-x--- 1 root wazuh 16360 Feb 29 14:04 restart-wazuh
-rwxr-x--- 1 root wazuh 17120 Feb 29 14:04 route-null
-rwxr-x--- 1 root wazuh 19272 Feb 29 14:04 wazuh-slack
root@xxx:/var/ossec# ls -la active-response/bin/fw-drop/
total 10
d---r-x--- 2 root wazuh 3 May 3 15:04 .
drwxr-x--- 3 root wazuh 18 May 3 15:04 ..
-rw-r--r-- 1 root wazuh 6 May 3 15:04 pid
These permissions of the lock folder are 050, I guess that might be the reason the deletion of the folder fails.
I tried deleting the folder, but the active response seems to recreate it with the same permissions.
The system is an unprivileged LXC container. The root user can't delete/modify arbitrary files, it can only delete/modify files it has permissions for, like a regular user.
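An added example, not from this issue or the Wazuh project, that reproduces the lock-directory situation described above in a temporary directory and reports which cleanup steps succeed for the current process. It assumes the same layout as the listing (a `fw-drop` directory with mode 050 containing a `pid` file) and that the process holding the lock is the one that wrote the pid; it never touches `/var/ossec`. Without DAC override (a non-root process, or root inside a container that lacks it for these files), removing the pid file fails while the directory has mode 050 and succeeds once the owner bits are restored, which is the manual fix the report is looking for.

```python
import os
import stat
import tempfile


def lock_holder_alive(pid_path):
    """Return True/False if the pid in the lock file is/isn't running, None if unreadable."""
    try:
        with open(pid_path) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return None
    try:
        os.kill(pid, 0)  # signal 0 only checks existence, it does not kill anything
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but owned by someone else
    return True


def probe_lock_dir_mode(mode=0o050):
    """Build a constructed fw-drop lock dir with the given mode and try to clean it up."""
    base = tempfile.mkdtemp(prefix="fw-drop-probe-")
    lock = os.path.join(base, "fw-drop")
    os.mkdir(lock, 0o750)
    pid_path = os.path.join(lock, "pid")
    with open(pid_path, "w") as fh:
        fh.write(str(os.getpid()))  # constructed: this process stands in for the lock holder

    report = {"euid": os.geteuid(), "holder_alive": lock_holder_alive(pid_path)}

    # Reproduce the state from the listing: d---r-x--- (owner has no bits at all).
    os.chmod(lock, mode)
    report["mode_octal"] = oct(stat.S_IMODE(os.stat(lock).st_mode))[2:].zfill(3)

    # Step 1: try to remove the pid file while the directory still has the bad mode.
    # unlink needs write+search permission on the directory; the owner class has neither.
    try:
        os.remove(pid_path)
        report["pid_removed_before_fix"] = True
    except PermissionError:
        report["pid_removed_before_fix"] = False

    # Step 2: the manual fix, restore owner rwx (chmod only requires ownership), then clean up.
    os.chmod(lock, 0o750)
    if os.path.exists(pid_path):
        os.remove(pid_path)
    os.rmdir(lock)
    report["removed_after_fix"] = not os.path.exists(lock)
    os.rmdir(base)
    return report


if __name__ == "__main__":
    for key, value in probe_lock_dir_mode().items():
        print(f"{key}: {value}")
```

Run it as the same unprivileged user that owns the lock directory to see the failing step; `holder_alive` is what a cleanup routine should check before deciding a lock is stale, since a dead holder with an undeletable directory is exactly the state that keeps every later ban from running.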