
Block list is staying empty

Posted: Sat Nov 29, 2008 10:17 am
by BerArt
On one of our ASL servers: Linux 2.6.25.4-4.art.i686
with psa v8.6.0_build86080910.19 os_CentOS 4.2, the block list is staying empty although IPs are blocked according to OSSEC and the ASL WEBGUI. Please advise how to solve this problem. I also have a support ticket running on this one.


Posted: Mon Dec 01, 2008 12:49 pm
by mikeshinn
Is this happening on the same server you're having other problems with?

Posted: Mon Dec 01, 2008 12:53 pm
by BerArt
NO! This is another CentOS 4.2 32-bit server; ASL (stable) has been running on it for two weeks now.

Posted: Tue Dec 02, 2008 3:50 am
by BerArt
Any news on this? In the ASL WEBGUI I can see IPs being blocked every day, like 10-30 IPs, but the block list is still empty. Please advise...

//edit: I just saw the same problem on another server: the block list stops at a certain date, and after that the list is not being filled anymore.

So one ASL server has never put a single IP in the block list.
The other server never put anything in the block list after a certain date.

Both are running on a CentOS 4 32-bit system.

Posted: Wed Dec 03, 2008 11:22 am
by BerArt
Mike, Scott any ideas on this one?

Is anything being blocked on your system?

Posted: Wed Dec 03, 2008 12:17 pm
by mikeshinn
As root run this command:

iptables -L -n | grep DROP

And do you see attacks being detected?

Also is active response turned on?

grep -i response /etc/asl/config

OSSEC_ACTIVE_RESPONSE="on"

Posted: Wed Dec 03, 2008 12:19 pm
by BerArt
iptables -L -n | grep DROP

DROP all -- 196.206.215.122 0.0.0.0/0
DROP all -- 216.246.7.234 0.0.0.0/0
DROP all -- 201.130.79.38 0.0.0.0/0
DROP all -- 195.228.156.228 0.0.0.0/0
DROP all -- 81.169.139.117 0.0.0.0/0
DROP all -- 87.90.131.75 0.0.0.0/0
DROP all -- 91.153.26.136 0.0.0.0/0
DROP all -- 91.124.86.76 0.0.0.0/0
DROP all -- 189.58.199.18 0.0.0.0/0
DROP all -- 70.86.99.34 0.0.0.0/0
DROP all -- 61.100.7.111 0.0.0.0/0
DROP all -- 118.45.190.171 0.0.0.0/0
DROP all -- 132.252.180.117 0.0.0.0/0
DROP all -- 194.63.248.42 0.0.0.0/0
DROP all -- 64.128.80.102 0.0.0.0/0
DROP all -- 82.194.86.237 0.0.0.0/0
DROP all -- 86.49.74.134 0.0.0.0/0
DROP all -- 209.216.249.194 0.0.0.0/0
DROP all -- 67.18.158.130 0.0.0.0/0
DROP all -- 85.18.253.106 0.0.0.0/0
DROP all -- 67.192.77.38 0.0.0.0/0
DROP all -- 67.18.241.90 0.0.0.0/0
DROP all -- 207.34.179.158 0.0.0.0/0
DROP all -- 117.200.208.77 0.0.0.0/0
DROP all -- 79.112.138.228 0.0.0.0/0
DROP all -- 124.106.120.154 0.0.0.0/0
DROP all -- 69.20.61.23 0.0.0.0/0
DROP all -- 72.51.46.202 0.0.0.0/0
DROP all -- 151.67.111.191 0.0.0.0/0
DROP all -- 88.84.145.165 0.0.0.0/0
DROP all -- 83.96.139.60 0.0.0.0/0
DROP all -- 212.239.212.249 0.0.0.0/0
DROP all -- 200.203.122.236 0.0.0.0/0
DROP all -- 82.77.11.177 0.0.0.0/0
DROP all -- 85.25.86.64 0.0.0.0/0
DROP all -- 218.239.223.69 0.0.0.0/0
DROP all -- 68.42.213.193 0.0.0.0/0
DROP all -- 91.121.111.194 0.0.0.0/0
DROP all -- 85.203.33.18 0.0.0.0/0
DROP all -- 80.58.205.32 0.0.0.0/0
DROP all -- 125.161.178.137 0.0.0.0/0
DROP all -- 83.205.224.235 0.0.0.0/0
DROP all -- 123.19.213.78 0.0.0.0/0
DROP all -- 67.19.120.178 0.0.0.0/0
DROP all -- 205.134.252.194 0.0.0.0/0
DROP all -- 89.123.180.150 0.0.0.0/0
DROP all -- 81.169.172.12 0.0.0.0/0
DROP all -- 83.172.144.57 0.0.0.0/0
DROP all -- 62.39.87.184 0.0.0.0/0
DROP all -- 59.94.251.192 0.0.0.0/0
DROP all -- 80.32.194.164 0.0.0.0/0
DROP all -- 124.217.85.58 0.0.0.0/0
DROP all -- 60.54.24.94 0.0.0.0/0
DROP all -- 195.85.146.66 0.0.0.0/0
DROP all -- 213.203.223.25 0.0.0.0/0
DROP all -- 222.127.223.69 0.0.0.0/0
DROP all -- 196.40.71.237 0.0.0.0/0
DROP all -- 222.127.223.71 0.0.0.0/0
DROP all -- 74.200.207.18 0.0.0.0/0
DROP all -- 74.55.19.242 0.0.0.0/0
DROP all -- 201.130.79.132 0.0.0.0/0
DROP all -- 195.83.194.6 0.0.0.0/0
DROP all -- 85.126.82.162 0.0.0.0/0
DROP all -- 81.208.83.249 0.0.0.0/0
DROP all -- 58.69.172.67 0.0.0.0/0
DROP all -- 74.53.137.18 0.0.0.0/0
DROP all -- 205.234.109.50 0.0.0.0/0
DROP all -- 217.110.54.240 0.0.0.0/0
DROP all -- 193.64.244.176 0.0.0.0/0
DROP all -- 67.201.13.98 0.0.0.0/0
DROP all -- 82.194.70.92 0.0.0.0/0
DROP all -- 64.38.22.250 0.0.0.0/0
DROP all -- 209.200.228.231 0.0.0.0/0
DROP all -- 209.59.155.2 0.0.0.0/0
DROP all -- 69.89.21.97 0.0.0.0/0
DROP all -- 74.53.98.146 0.0.0.0/0
DROP all -- 85.119.245.16 0.0.0.0/0
DROP all -- 193.242.108.55 0.0.0.0/0
DROP all -- 208.110.72.66 0.0.0.0/0
DROP all -- 83.145.198.52 0.0.0.0/0
DROP all -- 217.67.237.142 0.0.0.0/0
DROP all -- 204.15.10.22 0.0.0.0/0
DROP all -- 216.239.91.165 0.0.0.0/0
DROP all -- 71.184.148.197 0.0.0.0/0
DROP all -- 72.29.64.215 0.0.0.0/0
DROP all -- 74.208.16.96 0.0.0.0/0
DROP all -- 83.150.87.148 0.0.0.0/0
DROP all -- 67.205.96.205 0.0.0.0/0
DROP all -- 82.227.89.160 0.0.0.0/0
DROP all -- 72.145.40.33 0.0.0.0/0
DROP all -- 201.130.79.61 0.0.0.0/0
DROP all -- 65.254.63.25 0.0.0.0/0
DROP all -- 81.208.83.248 0.0.0.0/0
DROP all -- 80.187.124.2 0.0.0.0/0
DROP all -- 84.246.21.79 0.0.0.0/0
DROP all -- 64.15.129.23 0.0.0.0/0
DROP all -- 65.98.70.18 0.0.0.0/0
DROP all -- 70.86.134.34 0.0.0.0/0
DROP all -- 212.61.10.21 0.0.0.0/0
DROP all -- 208.75.225.10 0.0.0.0/0
DROP all -- 67.15.205.17 0.0.0.0/0
DROP all -- 75.125.162.210 0.0.0.0/0
DROP all -- 79.25.189.13 0.0.0.0/0
DROP all -- 83.172.129.75 0.0.0.0/0
DROP all -- 203.177.57.170 0.0.0.0/0
DROP all -- 209.159.55.66 0.0.0.0/0
DROP all -- 75.207.92.255 0.0.0.0/0
DROP all -- 90.184.231.181 0.0.0.0/0
DROP all -- 72.55.156.181 0.0.0.0/0
DROP all -- 81.29.229.105 0.0.0.0/0
DROP all -- 212.83.213.66 0.0.0.0/0
DROP all -- 62.140.19.142 0.0.0.0/0
DROP all -- 70.84.27.98 0.0.0.0/0
DROP all -- 212.9.93.30 0.0.0.0/0
DROP all -- 72.55.137.228 0.0.0.0/0
DROP all -- 84.246.225.183 0.0.0.0/0
DROP all -- 83.98.156.151 0.0.0.0/0
DROP all -- 213.238.52.121 0.0.0.0/0
DROP all -- 124.170.44.16 0.0.0.0/0
DROP all -- 212.34.140.130 0.0.0.0/0
DROP all -- 213.203.223.45 0.0.0.0/0
DROP all -- 195.5.163.212 0.0.0.0/0
DROP all -- 99.236.6.221 0.0.0.0/0
DROP all -- 69.3.4.200 0.0.0.0/0
DROP all -- 64.128.80.13 0.0.0.0/0
DROP all -- 209.183.34.45 0.0.0.0/0
DROP all -- 66.98.154.72 0.0.0.0/0
DROP all -- 77.91.228.57 0.0.0.0/0
DROP all -- 91.105.77.247 0.0.0.0/0
DROP all -- 195.238.0.90 0.0.0.0/0
DROP all -- 78.110.165.77 0.0.0.0/0
DROP all -- 207.44.230.63 0.0.0.0/0
DROP all -- 67.215.231.90 0.0.0.0/0
DROP all -- 24.203.163.229 0.0.0.0/0
DROP all -- 61.172.193.245 0.0.0.0/0
DROP all -- 217.129.72.52 0.0.0.0/0
DROP all -- 218.69.105.250 0.0.0.0/0
DROP all -- 99.237.45.137 0.0.0.0/0
DROP all -- 66.240.182.203 0.0.0.0/0
DROP all -- 87.239.10.63 0.0.0.0/0
DROP all -- 213.195.72.156 0.0.0.0/0
DROP all -- 205.188.117.75 0.0.0.0/0
DROP all -- 217.70.144.89 0.0.0.0/0
DROP all -- 82.165.180.214 0.0.0.0/0
DROP all -- 207.44.240.91 0.0.0.0/0
DROP all -- 216.246.99.64 0.0.0.0/0
DROP all -- 59.98.124.24 0.0.0.0/0
DROP all -- 74.50.5.131 0.0.0.0/0
DROP all -- 195.93.21.2 0.0.0.0/0
DROP all -- 98.212.149.150 0.0.0.0/0
DROP all -- 193.0.253.140 0.0.0.0/0
DROP all -- 209.51.132.170 0.0.0.0/0
DROP all -- 216.246.28.26 0.0.0.0/0
DROP all -- 67.205.74.45 0.0.0.0/0
DROP all -- 83.137.192.222 0.0.0.0/0
DROP all -- 87.3.241.214 0.0.0.0/0
DROP all -- 24.240.193.11 0.0.0.0/0
DROP all -- 67.15.113.15 0.0.0.0/0
DROP all -- 80.252.104.58 0.0.0.0/0
DROP all -- 84.245.35.203 0.0.0.0/0
DROP all -- 209.200.238.98 0.0.0.0/0
DROP all -- 24.69.202.91 0.0.0.0/0
DROP all -- 62.2.100.138 0.0.0.0/0
DROP all -- 193.137.179.65 0.0.0.0/0
DROP all -- 87.230.10.251 0.0.0.0/0
DROP all -- 72.47.204.44 0.0.0.0/0
DROP all -- 85.234.133.173 0.0.0.0/0
DROP all -- 76.76.8.197 0.0.0.0/0
DROP all -- 211.236.177.197 0.0.0.0/0
DROP all -- 211.115.110.116 0.0.0.0/0
DROP all -- 211.234.98.113 0.0.0.0/0
DROP all -- 74.86.153.130 0.0.0.0/0
DROP all -- 74.54.21.66 0.0.0.0/0
DROP all -- 163.27.70.33 0.0.0.0/0
DROP all -- 124.217.76.3 0.0.0.0/0
DROP all -- 218.93.12.173 0.0.0.0/0
DROP all -- 216.246.124.184 0.0.0.0/0
DROP all -- 68.101.123.15 0.0.0.0/0
DROP all -- 66.80.93.168 0.0.0.0/0
DROP all -- 212.25.170.52 0.0.0.0/0
DROP all -- 24.75.62.12 0.0.0.0/0
DROP all -- 62.73.5.237 0.0.0.0/0
DROP all -- 70.86.234.234 0.0.0.0/0
DROP all -- 193.91.48.90 0.0.0.0/0
DROP all -- 72.29.70.187 0.0.0.0/0
DROP all -- 72.29.77.203 0.0.0.0/0
DROP all -- 77.75.108.192 0.0.0.0/0
DROP all -- 76.217.63.175 0.0.0.0/0
DROP all -- 67.225.142.146 0.0.0.0/0
DROP all -- 67.19.74.194 0.0.0.0/0
DROP all -- 200.49.145.16 0.0.0.0/0
DROP all -- 216.195.42.191 0.0.0.0/0
DROP all -- 90.217.211.153 0.0.0.0/0
DROP all -- 72.15.200.252 0.0.0.0/0
DROP all -- 205.234.215.105 0.0.0.0/0
DROP all -- 74.53.240.146 0.0.0.0/0
DROP all -- 62.140.137.30 0.0.0.0/0
DROP all -- 67.19.130.218 0.0.0.0/0
DROP all -- 207.58.140.62 0.0.0.0/0
DROP all -- 89.129.177.214 0.0.0.0/0
DROP all -- 216.117.140.139 0.0.0.0/0
DROP all -- 71.62.32.176 0.0.0.0/0
DROP all -- 201.141.91.115 0.0.0.0/0
DROP all -- 213.140.17.106 0.0.0.0/0
DROP all -- 212.41.157.237 0.0.0.0/0
DROP all -- 203.88.114.169 0.0.0.0/0
DROP all -- 83.86.218.183 0.0.0.0/0
DROP all -- 58.24.148.17 0.0.0.0/0
DROP all -- 69.57.150.97 0.0.0.0/0
DROP all -- 90.30.227.157 0.0.0.0/0
DROP all -- 66.63.181.14 0.0.0.0/0
DROP all -- 83.218.191.173 0.0.0.0/0
DROP all -- 203.81.238.110 0.0.0.0/0
DROP all -- 62.13.173.80 0.0.0.0/0
DROP all -- 84.34.147.92 0.0.0.0/0
DROP all -- 58.69.207.123 0.0.0.0/0
DROP all -- 213.218.137.40 0.0.0.0/0
DROP all -- 87.101.4.49 0.0.0.0/0
DROP all -- 192.128.3.228 0.0.0.0/0
DROP all -- 60.52.28.72 0.0.0.0/0
DROP all -- 24.35.84.60 0.0.0.0/0
DROP all -- 72.3.135.55 0.0.0.0/0
DROP all -- 207.218.234.146 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Yes, active response is on.
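The two checks Mike asked for (DROP rules in iptables, and OSSEC_ACTIVE_RESPONSE in /etc/asl/config) can be turned into a small reconciliation script, so that the kernel's view of blocked hosts can be compared against whatever a block list or GUI reports. This is an added example, not code from the thread or from ASL/OSSEC; it embeds a constructed `iptables -L -n` sample (RFC 5737 documentation addresses, not real hosts) and a constructed config fragment, and it assumes the config uses the `KEY="value"` form shown above. Note that the final `DROP all -- 0.0.0.0/0 0.0.0.0/0` line in the output above is a catch-all default deny rather than a blocked host, so the script filters it out and collapses hosts that were blocked twice.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile the iptables DROP rules that
# OSSEC active response inserts with what a block list is expected to show.

# Constructed sample of `iptables -L -n` output, laid out as iptables prints it.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.42         0.0.0.0/0'

# Constructed /etc/asl/config fragment (assumed KEY="value" layout).
SAMPLE_CONFIG='# constructed config fragment
OSSEC_ENABLED="on"
OSSEC_ACTIVE_RESPONSE="on"'

# Print one line per distinct host blocked by a DROP rule on the source side.
# The catch-all 0.0.0.0/0 -> 0.0.0.0/0 rule is a default deny, not a blocked
# host, so it is excluded; a host blocked twice collapses to a single line.
blocked_hosts() {
    printf '%s\n' "$1" |
        awk '$1 == "DROP" && $4 != "0.0.0.0/0" { print $4 }' |
        sort -u
}

# Number of distinct blocked hosts, for comparison with the block list size.
count_blocked_hosts() {
    blocked_hosts "$1" | wc -l | tr -d ' '
}

# Extract OSSEC_ACTIVE_RESPONSE from config text; prints the value without
# quotes, or "unset" when the key is absent.
active_response_setting() {
    printf '%s\n' "$1" |
        awk -F= 'toupper($1) == "OSSEC_ACTIVE_RESPONSE" { gsub(/"/, "", $2); print $2; found = 1 }
                 END { if (!found) print "unset" }'
}

# On a live box, replace the samples with:
#   blocked_hosts "$(iptables -L -n)"
#   active_response_setting "$(cat /etc/asl/config)"
if [ "$(active_response_setting "$SAMPLE_CONFIG")" != "on" ]; then
    echo "active response is off: no blocks expected"
else
    echo "hosts currently dropped by iptables ($(count_blocked_hosts "$SAMPLE_IPTABLES")):"
    blocked_hosts "$SAMPLE_IPTABLES"
fi
```

If the host count here is non-zero while the block list stays empty, the firewall side is working and the problem is on the reporting side (as it turned out in this thread, where the GUI needed the newer version to read the sqlite database); if active response reads "unset" or "off", no blocks should be expected in the first place.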

Posted: Wed Dec 03, 2008 3:29 pm
by scott
You have to use asl-web-gui 1.0 or above to read the sqlite db. Sounds like you're not updated to the latest to me.

Posted: Wed Dec 03, 2008 3:31 pm
by BerArt
I just did, and this helped at least on one server, but I have a bigger problem now; I sent you this in my support mail a minute ago ;)

//edit: on both servers the block-list is filled again :)