Block list is staying empty

General Discussion of atomic repo and development projects.

Ask for help here with anything else not covered by other forums.
BerArt
Forum Regular
Posts: 478
Joined: Tue Jan 15, 2008 3:57 am
Location: Netherlands

Unread post by BerArt »

On one of our ASL servers: Linux 2.6.25.4-4.art.i686
with psa v8.6.0_build86080910.19 os_CentOS 4.2, the block list is staying empty although IPs are blocked according to OSSEC and the ASL WebGUI. Please advise how to solve this problem. I also have a support ticket running on this one.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Is this on the server you are having other problems with?

Unread post by mikeshinn »

Is this on the same server you are having other problems with?

Unread post by BerArt »

No! This is another CentOS 4.2 32-bit server; ASL (stable) has been running on it for two weeks now.

Unread post by BerArt »

Any news on this? In the ASL WebGUI I can see there are IPs blocked every day, like 10-30 IPs, but the block list is still empty. Please advise...

//edit: I just saw the same problem on another server: the block list stops at a certain date, and after that the list is not being filled anymore.

So one ASL server has never put a single IP in the block list.
The other server has never put anything in the block list after a certain date.

Both are running on a CentOS 4 32-bit system.

Unread post by BerArt »

Mike, Scott, any ideas on this one?

Is anything being blocked on your system?

Unread post by mikeshinn »

As root run this command:

iptables -L -n | grep DROP

And do you see attacks being detected?

Also is active response turned on?

grep -i response /etc/asl/config

OSSEC_ACTIVE_RESPONSE="on"
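One way to run the two checks above in a single pass, as an added example that is not ASL, OSSEC or Atomicorp code: it parses `iptables -L -n` output, leaves the 0.0.0.0/0 catch-all out of the count, prints every address the kernel is dropping that the block list does not show (the symptom in this thread), and confirms that `OSSEC_ACTIVE_RESPONSE="on"` is set on an uncommented line rather than merely present in a comment. The iptables output, the block list and the config snippet are constructed samples embedded in the script so it runs offline; that the GUI's block list can be exported as one IP per line is an assumption, and the function names are mine.

```shell
#!/bin/sh
# Reconcile what the kernel is actually dropping with what the block list
# reports, and confirm active response is enabled. Added example, not ASL,
# OSSEC or Atomicorp code. The iptables output, block list and config below
# are constructed samples so the script runs offline; on a live host feed it
# `iptables -L -n`, the exported block list and /etc/asl/config instead.

# Constructed sample of `iptables -L -n` output: three per-host DROP rules
# of the kind OSSEC active response inserts, plus a catch-all DROP.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  196.206.215.122      0.0.0.0/0
DROP       all  --  216.246.7.234        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  201.130.79.38        0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample block list (one IP per line), deliberately missing one
# of the addresses the firewall drops.
SAMPLE_BLOCKLIST='196.206.215.122
201.130.79.38'

# Constructed sample of the relevant /etc/asl/config lines.
SAMPLE_CONFIG='# active response hands OSSEC alerts to iptables
OSSEC_ACTIVE_RESPONSE="on"'

# firewall_drops: sources of per-host DROP rules, sorted and de-duplicated.
# The 0.0.0.0/0 catch-all is excluded: it is the default-deny rule, not a
# blocked attacker, and would otherwise inflate the count by one.
firewall_drops() {
    printf '%s\n' "$1" | awk '$1 == "DROP" && $4 != "0.0.0.0/0" { print $4 }' | sort -u
}

# drop_count: number of per-host DROP rules, as a bare integer.
drop_count() {
    firewall_drops "$1" | awk 'END { print NR }'
}

# missing_from_list: addresses the firewall drops that the block list does
# not show. Any output here means the list view is stale while the kernel
# is still enforcing the block.
missing_from_list() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" | sort -u > "$tmp"
    # -x whole-line match, -F literal strings, -v print the non-matches.
    # grep exits 1 when nothing is missing, which is the healthy case, so
    # do not let that status abort a caller running under set -e.
    firewall_drops "$1" | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# active_response_on: true only if an uncommented line sets the switch to "on".
active_response_on() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q '^OSSEC_ACTIVE_RESPONSE="on"$'
}

echo "per-host DROP rules: $(drop_count "$SAMPLE_IPTABLES")"
echo "dropped by firewall but absent from block list:"
missing_from_list "$SAMPLE_IPTABLES" "$SAMPLE_BLOCKLIST"
if active_response_on "$SAMPLE_CONFIG"; then
    echo "active response: on"
else
    echo "active response: OFF (nothing will be blocked)"
fi
```

On a real host the same functions take live input, e.g. `missing_from_list "$(iptables -L -n)" "$(cat blocklist.txt)"` and `active_response_on "$(cat /etc/asl/config)"`; an empty result from the first call plus a true second call means the firewall and the list agree and the problem is only in what the GUI displays.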

Unread post by BerArt »

iptables -L -n | grep DROP

DROP all -- 196.206.215.122 0.0.0.0/0
DROP all -- 216.246.7.234 0.0.0.0/0
DROP all -- 201.130.79.38 0.0.0.0/0
DROP all -- 195.228.156.228 0.0.0.0/0
DROP all -- 81.169.139.117 0.0.0.0/0
DROP all -- 87.90.131.75 0.0.0.0/0
DROP all -- 91.153.26.136 0.0.0.0/0
DROP all -- 91.124.86.76 0.0.0.0/0
DROP all -- 189.58.199.18 0.0.0.0/0
DROP all -- 70.86.99.34 0.0.0.0/0
DROP all -- 61.100.7.111 0.0.0.0/0
DROP all -- 118.45.190.171 0.0.0.0/0
DROP all -- 132.252.180.117 0.0.0.0/0
DROP all -- 194.63.248.42 0.0.0.0/0
DROP all -- 64.128.80.102 0.0.0.0/0
DROP all -- 82.194.86.237 0.0.0.0/0
DROP all -- 86.49.74.134 0.0.0.0/0
DROP all -- 209.216.249.194 0.0.0.0/0
DROP all -- 67.18.158.130 0.0.0.0/0
DROP all -- 85.18.253.106 0.0.0.0/0
DROP all -- 67.192.77.38 0.0.0.0/0
DROP all -- 67.18.241.90 0.0.0.0/0
DROP all -- 207.34.179.158 0.0.0.0/0
DROP all -- 117.200.208.77 0.0.0.0/0
DROP all -- 79.112.138.228 0.0.0.0/0
DROP all -- 124.106.120.154 0.0.0.0/0
DROP all -- 69.20.61.23 0.0.0.0/0
DROP all -- 72.51.46.202 0.0.0.0/0
DROP all -- 151.67.111.191 0.0.0.0/0
DROP all -- 88.84.145.165 0.0.0.0/0
DROP all -- 83.96.139.60 0.0.0.0/0
DROP all -- 212.239.212.249 0.0.0.0/0
DROP all -- 200.203.122.236 0.0.0.0/0
DROP all -- 82.77.11.177 0.0.0.0/0
DROP all -- 85.25.86.64 0.0.0.0/0
DROP all -- 218.239.223.69 0.0.0.0/0
DROP all -- 68.42.213.193 0.0.0.0/0
DROP all -- 91.121.111.194 0.0.0.0/0
DROP all -- 85.203.33.18 0.0.0.0/0
DROP all -- 80.58.205.32 0.0.0.0/0
DROP all -- 125.161.178.137 0.0.0.0/0
DROP all -- 83.205.224.235 0.0.0.0/0
DROP all -- 123.19.213.78 0.0.0.0/0
DROP all -- 67.19.120.178 0.0.0.0/0
DROP all -- 205.134.252.194 0.0.0.0/0
DROP all -- 89.123.180.150 0.0.0.0/0
DROP all -- 81.169.172.12 0.0.0.0/0
DROP all -- 83.172.144.57 0.0.0.0/0
DROP all -- 62.39.87.184 0.0.0.0/0
DROP all -- 59.94.251.192 0.0.0.0/0
DROP all -- 80.32.194.164 0.0.0.0/0
DROP all -- 124.217.85.58 0.0.0.0/0
DROP all -- 60.54.24.94 0.0.0.0/0
DROP all -- 195.85.146.66 0.0.0.0/0
DROP all -- 213.203.223.25 0.0.0.0/0
DROP all -- 222.127.223.69 0.0.0.0/0
DROP all -- 196.40.71.237 0.0.0.0/0
DROP all -- 222.127.223.71 0.0.0.0/0
DROP all -- 74.200.207.18 0.0.0.0/0
DROP all -- 74.55.19.242 0.0.0.0/0
DROP all -- 201.130.79.132 0.0.0.0/0
DROP all -- 195.83.194.6 0.0.0.0/0
DROP all -- 85.126.82.162 0.0.0.0/0
DROP all -- 81.208.83.249 0.0.0.0/0
DROP all -- 58.69.172.67 0.0.0.0/0
DROP all -- 74.53.137.18 0.0.0.0/0
DROP all -- 205.234.109.50 0.0.0.0/0
DROP all -- 217.110.54.240 0.0.0.0/0
DROP all -- 193.64.244.176 0.0.0.0/0
DROP all -- 67.201.13.98 0.0.0.0/0
DROP all -- 82.194.70.92 0.0.0.0/0
DROP all -- 64.38.22.250 0.0.0.0/0
DROP all -- 209.200.228.231 0.0.0.0/0
DROP all -- 209.59.155.2 0.0.0.0/0
DROP all -- 69.89.21.97 0.0.0.0/0
DROP all -- 74.53.98.146 0.0.0.0/0
DROP all -- 85.119.245.16 0.0.0.0/0
DROP all -- 193.242.108.55 0.0.0.0/0
DROP all -- 208.110.72.66 0.0.0.0/0
DROP all -- 83.145.198.52 0.0.0.0/0
DROP all -- 217.67.237.142 0.0.0.0/0
DROP all -- 204.15.10.22 0.0.0.0/0
DROP all -- 216.239.91.165 0.0.0.0/0
DROP all -- 71.184.148.197 0.0.0.0/0
DROP all -- 72.29.64.215 0.0.0.0/0
DROP all -- 74.208.16.96 0.0.0.0/0
DROP all -- 83.150.87.148 0.0.0.0/0
DROP all -- 67.205.96.205 0.0.0.0/0
DROP all -- 82.227.89.160 0.0.0.0/0
DROP all -- 72.145.40.33 0.0.0.0/0
DROP all -- 201.130.79.61 0.0.0.0/0
DROP all -- 65.254.63.25 0.0.0.0/0
DROP all -- 81.208.83.248 0.0.0.0/0
DROP all -- 80.187.124.2 0.0.0.0/0
DROP all -- 84.246.21.79 0.0.0.0/0
DROP all -- 64.15.129.23 0.0.0.0/0
DROP all -- 65.98.70.18 0.0.0.0/0
DROP all -- 70.86.134.34 0.0.0.0/0
DROP all -- 212.61.10.21 0.0.0.0/0
DROP all -- 208.75.225.10 0.0.0.0/0
DROP all -- 67.15.205.17 0.0.0.0/0
DROP all -- 75.125.162.210 0.0.0.0/0
DROP all -- 79.25.189.13 0.0.0.0/0
DROP all -- 83.172.129.75 0.0.0.0/0
DROP all -- 203.177.57.170 0.0.0.0/0
DROP all -- 209.159.55.66 0.0.0.0/0
DROP all -- 75.207.92.255 0.0.0.0/0
DROP all -- 90.184.231.181 0.0.0.0/0
DROP all -- 72.55.156.181 0.0.0.0/0
DROP all -- 81.29.229.105 0.0.0.0/0
DROP all -- 212.83.213.66 0.0.0.0/0
DROP all -- 62.140.19.142 0.0.0.0/0
DROP all -- 70.84.27.98 0.0.0.0/0
DROP all -- 212.9.93.30 0.0.0.0/0
DROP all -- 72.55.137.228 0.0.0.0/0
DROP all -- 84.246.225.183 0.0.0.0/0
DROP all -- 83.98.156.151 0.0.0.0/0
DROP all -- 213.238.52.121 0.0.0.0/0
DROP all -- 124.170.44.16 0.0.0.0/0
DROP all -- 212.34.140.130 0.0.0.0/0
DROP all -- 213.203.223.45 0.0.0.0/0
DROP all -- 195.5.163.212 0.0.0.0/0
DROP all -- 99.236.6.221 0.0.0.0/0
DROP all -- 69.3.4.200 0.0.0.0/0
DROP all -- 64.128.80.13 0.0.0.0/0
DROP all -- 209.183.34.45 0.0.0.0/0
DROP all -- 66.98.154.72 0.0.0.0/0
DROP all -- 77.91.228.57 0.0.0.0/0
DROP all -- 91.105.77.247 0.0.0.0/0
DROP all -- 195.238.0.90 0.0.0.0/0
DROP all -- 78.110.165.77 0.0.0.0/0
DROP all -- 207.44.230.63 0.0.0.0/0
DROP all -- 67.215.231.90 0.0.0.0/0
DROP all -- 24.203.163.229 0.0.0.0/0
DROP all -- 61.172.193.245 0.0.0.0/0
DROP all -- 217.129.72.52 0.0.0.0/0
DROP all -- 218.69.105.250 0.0.0.0/0
DROP all -- 99.237.45.137 0.0.0.0/0
DROP all -- 66.240.182.203 0.0.0.0/0
DROP all -- 87.239.10.63 0.0.0.0/0
DROP all -- 213.195.72.156 0.0.0.0/0
DROP all -- 205.188.117.75 0.0.0.0/0
DROP all -- 217.70.144.89 0.0.0.0/0
DROP all -- 82.165.180.214 0.0.0.0/0
DROP all -- 207.44.240.91 0.0.0.0/0
DROP all -- 216.246.99.64 0.0.0.0/0
DROP all -- 59.98.124.24 0.0.0.0/0
DROP all -- 74.50.5.131 0.0.0.0/0
DROP all -- 195.93.21.2 0.0.0.0/0
DROP all -- 98.212.149.150 0.0.0.0/0
DROP all -- 193.0.253.140 0.0.0.0/0
DROP all -- 209.51.132.170 0.0.0.0/0
DROP all -- 216.246.28.26 0.0.0.0/0
DROP all -- 67.205.74.45 0.0.0.0/0
DROP all -- 83.137.192.222 0.0.0.0/0
DROP all -- 87.3.241.214 0.0.0.0/0
DROP all -- 24.240.193.11 0.0.0.0/0
DROP all -- 67.15.113.15 0.0.0.0/0
DROP all -- 80.252.104.58 0.0.0.0/0
DROP all -- 84.245.35.203 0.0.0.0/0
DROP all -- 209.200.238.98 0.0.0.0/0
DROP all -- 24.69.202.91 0.0.0.0/0
DROP all -- 62.2.100.138 0.0.0.0/0
DROP all -- 193.137.179.65 0.0.0.0/0
DROP all -- 87.230.10.251 0.0.0.0/0
DROP all -- 72.47.204.44 0.0.0.0/0
DROP all -- 85.234.133.173 0.0.0.0/0
DROP all -- 76.76.8.197 0.0.0.0/0
DROP all -- 211.236.177.197 0.0.0.0/0
DROP all -- 211.115.110.116 0.0.0.0/0
DROP all -- 211.234.98.113 0.0.0.0/0
DROP all -- 74.86.153.130 0.0.0.0/0
DROP all -- 74.54.21.66 0.0.0.0/0
DROP all -- 163.27.70.33 0.0.0.0/0
DROP all -- 124.217.76.3 0.0.0.0/0
DROP all -- 218.93.12.173 0.0.0.0/0
DROP all -- 216.246.124.184 0.0.0.0/0
DROP all -- 68.101.123.15 0.0.0.0/0
DROP all -- 66.80.93.168 0.0.0.0/0
DROP all -- 212.25.170.52 0.0.0.0/0
DROP all -- 24.75.62.12 0.0.0.0/0
DROP all -- 62.73.5.237 0.0.0.0/0
DROP all -- 70.86.234.234 0.0.0.0/0
DROP all -- 193.91.48.90 0.0.0.0/0
DROP all -- 72.29.70.187 0.0.0.0/0
DROP all -- 72.29.77.203 0.0.0.0/0
DROP all -- 77.75.108.192 0.0.0.0/0
DROP all -- 76.217.63.175 0.0.0.0/0
DROP all -- 67.225.142.146 0.0.0.0/0
DROP all -- 67.19.74.194 0.0.0.0/0
DROP all -- 200.49.145.16 0.0.0.0/0
DROP all -- 216.195.42.191 0.0.0.0/0
DROP all -- 90.217.211.153 0.0.0.0/0
DROP all -- 72.15.200.252 0.0.0.0/0
DROP all -- 205.234.215.105 0.0.0.0/0
DROP all -- 74.53.240.146 0.0.0.0/0
DROP all -- 62.140.137.30 0.0.0.0/0
DROP all -- 67.19.130.218 0.0.0.0/0
DROP all -- 207.58.140.62 0.0.0.0/0
DROP all -- 89.129.177.214 0.0.0.0/0
DROP all -- 216.117.140.139 0.0.0.0/0
DROP all -- 71.62.32.176 0.0.0.0/0
DROP all -- 201.141.91.115 0.0.0.0/0
DROP all -- 213.140.17.106 0.0.0.0/0
DROP all -- 212.41.157.237 0.0.0.0/0
DROP all -- 203.88.114.169 0.0.0.0/0
DROP all -- 83.86.218.183 0.0.0.0/0
DROP all -- 58.24.148.17 0.0.0.0/0
DROP all -- 69.57.150.97 0.0.0.0/0
DROP all -- 90.30.227.157 0.0.0.0/0
DROP all -- 66.63.181.14 0.0.0.0/0
DROP all -- 83.218.191.173 0.0.0.0/0
DROP all -- 203.81.238.110 0.0.0.0/0
DROP all -- 62.13.173.80 0.0.0.0/0
DROP all -- 84.34.147.92 0.0.0.0/0
DROP all -- 58.69.207.123 0.0.0.0/0
DROP all -- 213.218.137.40 0.0.0.0/0
DROP all -- 87.101.4.49 0.0.0.0/0
DROP all -- 192.128.3.228 0.0.0.0/0
DROP all -- 60.52.28.72 0.0.0.0/0
DROP all -- 24.35.84.60 0.0.0.0/0
DROP all -- 72.3.135.55 0.0.0.0/0
DROP all -- 207.218.234.146 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Yes active response is on
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

You have to use asl-web-gui 1.0 or above to read the SQLite DB. Sounds to me like you're not updated to the latest.

Unread post by BerArt »

I just did, and this helped at least on one server, but I have a bigger problem now; I sent you this in my support mail a minute ago ;)

//edit: on both servers the block-list is filled again :)