Customer IP's blocked after false positive
Posted: Sat Jun 21, 2008 4:44 am
by BerArt
I received two false positive messages on one of our servers that did block two customer IP numbers and put them in the hosts.deny (all).
I put them both in the ASL whitelist and removed them from hosts.deny (I double checked this), then I ran asl -f and I could see the IPs (fixed) in the ASL whitelist. Still my customers cannot access Plesk nor can they see their site, so they are still fully blocked. What am I missing? Why are they still blocked? (I also sent a support ticket to Scott.)
Thx!

Posted: Mon Jun 23, 2008 8:35 am
by Highland
Do you have the ASL GUI for Plesk installed? If so, go in there and click on the block list and see if they're still listed.
If they're not, try a manual restart of OSSEC
Code:
#/var/ossec/bin/ossec-control restart
Posted: Mon Jun 23, 2008 8:51 am
by BerArt
Yes, I can see them in the block list, but behind the IP is the text "Whitelisted", and I can also see them in the Whitelist section. I had this problem before, and then a whitelist and removal from hosts.deny solved the problem. Now it doesn't anymore.

Still the two IPs are blocked completely.
Posted: Mon Jun 23, 2008 8:54 am
by BerArt
Posted: Wed Jun 25, 2008 3:41 am
by BerArt
I can see the two IPs are still listed in iptables. I thought if you remove it from hosts.deny and whitelist it on ASL it would also be removed from iptables? Is it possible that this is the problem?
Posted: Wed Jun 25, 2008 7:13 am
by scott
The correct way to remove them would be to use the GUI, or run asl --unblock <IP>
Posted: Wed Jun 25, 2008 7:26 am
by BerArt
Do I have to run asl -s -f after the --unblock?
//edit: I guess not, problem is solved. Thx, Scott!

Posted: Wed Jun 25, 2008 10:11 am
by scott
No, you don't need to run -s -f after that. --unblock <IP> is exactly what the GUI calls when you unblock something. It's more efficient than -s -f since it just removes the shuns from the shun database, and then extracts them from the firewall policy. It would also get around any high-load issues caused by an OSSEC restart.
--whitelist is different: it requires an OSSEC and DenyHosts restart, which would spawn hundreds (or thousands) of configuration events, and that would mean high load until it's done.
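The thread's root cause was an IP that had been cleared from hosts.deny and whitelisted but was still carried by an iptables DROP rule. The following POSIX shell script is an added example, not code from the thread or from ASL itself: it takes an IP plus the text of /etc/hosts.deny and the output of iptables-save, and reports which enforcement layers still reference that IP, so an admin can confirm a customer is actually unblocked everywhere before closing the ticket. The hosts.deny and iptables-save text below is constructed sample data so the script runs offline; on a real host you would pass it "$(cat /etc/hosts.deny)" and "$(iptables-save)" instead. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: report which block layers (hosts.deny, iptables) still
# reference a given IP. Sample inputs are constructed, not taken from a host.

# Constructed sample /etc/hosts.deny; "ALL: <ip>" is the form the thread refers to.
HOSTS_DENY_SAMPLE='# hosts.deny sample
ALL: 203.0.113.10
ALL: 198.51.100.7'

# Constructed sample iptables-save output with per-IP DROP rules.
IPTABLES_SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10/32 -j DROP
-A INPUT -s 192.0.2.55/32 -j DROP
COMMIT'

# escape_ip IP
# Escape the dots so the IP can be used literally inside an extended regex.
escape_ip() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# block_layers IP HOSTS_DENY_TEXT IPTABLES_TEXT
# Prints the layers that still block IP, space separated ("hosts.deny",
# "iptables"), or "none" when neither layer references it.
block_layers() {
  ip="$1"
  hosts_deny="$2"
  ipt="$3"
  layers=""
  ip_re=$(escape_ip "$ip")

  # hosts.deny: an uncommented "<daemons>: <ip>" line; the trailing
  # (space|end) anchor stops 203.0.113.1 from matching 203.0.113.10.
  if printf '%s\n' "$hosts_deny" |
     grep -Eq "^[^#]*:[[:space:]]*${ip_re}([[:space:]]|$)"; then
    layers="hosts.deny"
  fi

  # iptables: a rule with "-s <ip>" or "-s <ip>/32" and a DROP/REJECT target.
  # "--" keeps grep from reading the pattern (which starts with "-") as an option.
  if printf '%s\n' "$ipt" |
     grep -Eq -- "-s ${ip_re}(/32)? .*-j (DROP|REJECT)"; then
    layers="${layers:+$layers }iptables"
  fi

  printf '%s\n' "${layers:-none}"
}

# Stand-alone run: the scenario from the thread, an IP cleared from the
# whitelist side but still present in the firewall policy.
block_layers 203.0.113.10 "$HOSTS_DENY_SAMPLE" "$IPTABLES_SAMPLE"
```

Run it after an unblock: an output of "none" for the customer's IP means both hosts.deny and the firewall policy are clear; anything else names the layer that still needs attention.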
Posted: Wed Jun 25, 2008 10:13 am
by BerArt
OK, clear, so I'll use --unblock in the future.
