
List of SSH Commands needed

Posted: Mon Oct 20, 2008 2:51 pm
by ghickman
I have ASL, but with Ensim, and therefore I do not have a GUI interface. I am somewhat familiar with SSH and it seems that will be the only way to really see what is going on.

I am currently trying to check on an issue regarding hotlinked images being blocked (I have an affiliate program and I allow hotlinking). But I can't see if it's ASL until I am able to get in and review.

Does anyone have a useful list of ssh commands? I have some, compliments of Scott:

To scan the system, you can run:
asl -s

To fix, you'd run:
asl -s -f

And log files to watch are:
/var/log/httpd/audit_log

and
/var/ossec/logs/alerts/alerts.log

If anyone has any more I would greatly appreciate it - thanks

Posted: Mon Oct 20, 2008 5:17 pm
by scott
[root@www ~]# asl --help
Atomic Secured Linux
asl [-cfhprtu]

--blacklist <ip> Add <ip> to Blacklist
--config | -c Configure ASL settings
--check | -ck Show list of updates
--disable-rule <id> Disable modsec rule by signature ID
--domain-blacklist <domain> Add <domain> to spam blacklist
--enable-rule <id> Re-enable modsec rule by signature ID
--fix | -f Fix and Repair mode
--list | -l List modules
--module | -m <module> Run a specific module
--help | -h Help message
--malware-blacklist <domain> Add <domain> to malware blacklist
--nocolor | -nc Disable color
--permissions-check Check/Fix permissions on ASL dirs/files
--remove-blacklist <ip> Remove <ip> from Blacklist
--remove-domain-blacklist <domain>
Remove <domain> from spam Blacklist
--remove-malware-blacklist <domain>
Remove <domain> from malware Blacklist
--remove-whitelist <ip> Remove <ip> from Whitelist
--report-false-positive <path>Report false positive on <path>
--return |-r Prompt to continue
--scan | -s Scan mode
--show-alert <path> Read an alert using <path>
--update | -u Check for rule updates
--unblock <ip> | -ub <IP> Unblock <ip> from active-response system
--version | -v | -V Show version
--whitelist <ip> | -wl <IP> Add <ip> to Whitelist

Posted: Mon Nov 10, 2008 4:22 pm
by hostingguy
Also, all of the reports of blocked stuff go into /var/asl/data/audit and are listed by date and time. You can easily grep things (such as a domain name) out of those logs to see if you are getting blocked or if you run across a false positive, which you can then report by using the "--report-false-positive <path> Report false positive on <path>" asl switch.

Re: List of SSH Commands needed

Posted: Tue Sep 24, 2013 5:48 am
by craigedmonds
Is there a way to see a list of IPs that have been blacklisted?

I would like to run an SSH command to see which IPs are blocked rather than having to go into the GUI each time.

Re: List of SSH Commands needed

Posted: Tue Sep 24, 2013 7:45 am
by faris
iptables -v -n -L | less

This will give you a list of the IPs in your firewall, including those that ASL is temporarily blocking (top of the list) and any that you might have manually added to your blacklist.
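
An added example (not from the thread and not part of ASL) that reduces the `iptables -v -n -L` listing above to just the blocked source addresses. It assumes the standard verbose column order (pkts, bytes, target, prot, opt, in, out, source, destination); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the block rules in `iptables -v -n -L` output.
# Assumed columns: pkts bytes target prot opt in out source destination

# Reads a listing on stdin; prints "chain source pkts" for every DROP or
# REJECT rule that names a specific source (not the 0.0.0.0/0 wildcard).
blocked_sources() {
    awk '
        $1 == "Chain" { chain = $2; next }   # remember the current chain
        ($3 == "DROP" || $3 == "REJECT") && $8 != "0.0.0.0/0" {
            print chain, $8, $1
        }
    '
}

# Constructed sample listing (documentation-range addresses), so the
# function can be tried without root or a live firewall.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
    3   180 REJECT     tcp  --  *      *       198.51.100.0/24      0.0.0.0/0           tcp dpt:80 reject-with icmp-port-unreachable
  950 81234 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
EOF
}

# Live use (as root):  iptables -v -n -L | blocked_sources
sample_listing | blocked_sources
```

A packet count of 0 in the last column means the rule has not matched any traffic since the counters were last reset.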