Active Response not working

Posted: Mon Nov 25, 2013 10:43 pm
by seriouslycr8ive
I just lost my server for an hour from a DOS, OSSEC noted the issues but didn't shun the IP Address. Not sure what I am doing wrong but this has been happening too much lately, twice in the last 24. Any suggestions?

[edit] I should mention there were multiple FTP attempts and lots of mail attempts from the same IP

Re: Active Response not working

Posted: Tue Nov 26, 2013 8:03 am
by prupert
Verify that rule 40111 has active response set to enabled. (This is the default)

Grep the log file /var/ossec/logs/active-responses.log for occurrences of rule 40111 (or the IP of the attacker). All active responses are logged into this file. If it is logged here, but you are certain that the IP was not in fact shunned, something else is going wrong (firewall perhaps), ASL support might be able to help.
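One way to do the log check described above, as an added example (not from the thread or from the OSSEC project): the line layout of active-responses.log (date, script, action, user, source IP, alert id, rule id) is assumed, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of /var/ossec/logs/active-responses.log.
# Assumed layout: <date> <script> <add|delete> <user> <src ip> <alert id> <rule id>
SAMPLE_LOG="${TMPDIR:-/tmp}/ar-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Tue Nov 26 07:58:01 UTC 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1385452681.1001 40111
Tue Nov 26 08:08:01 UTC 2013 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.7 1385452681.1001 40111
Tue Nov 26 08:20:15 UTC 2013 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.9 1385454015.2002 5712
EOF

# Count "add" actions logged for an IP, optionally only for one rule id.
# Fields are addressed from the end of the line so a different date format
# (fewer or more leading fields) does not break the match.
# Usage: ar_adds LOGFILE IP [RULEID]
ar_adds() {
    awk -v ip="$2" -v rule="${3:-}" '
        $(NF-4) == "add" && $(NF-2) == ip && (rule == "" || $NF == rule) { n++ }
        END { print n + 0 }' "$1"
}

# Report whether a block for IP was never logged, is still active (last
# action was "add"), or expired (last action was "delete", i.e. the
# active-response timeout removed it again).
# Usage: ar_status LOGFILE IP
ar_status() {
    awk -v ip="$2" '
        $(NF-2) == ip && $(NF-4) == "add"    { last = "active"; adds++ }
        $(NF-2) == ip && $(NF-4) == "delete" { last = "expired" }
        END { if (adds == 0) print "never"; else print last }' "$1"
}

# Demonstration on the constructed sample: the first IP was blocked by
# rule 40111 and released ten minutes later, the second is still blocked.
echo "198.51.100.7: $(ar_adds "$SAMPLE_LOG" 198.51.100.7 40111) add(s) for 40111, status $(ar_status "$SAMPLE_LOG" 198.51.100.7)"
echo "203.0.113.9: status $(ar_status "$SAMPLE_LOG" 203.0.113.9)"
```

An "expired" result means the IP was shunned and then released by the timeout, which can look like "never blocked" if you only inspect the firewall after the attack ends; "never" with matching alerts in alerts.log points at the rule or active-response configuration instead.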

Re: Active Response not working

Posted: Tue Nov 26, 2013 12:08 pm
by seriouslycr8ive
Thanks, I checked and rule 40111 does have active response turned on, and I did a grep on that IP and it returned nothing. I should note, maybe it's related, my system isn't tracking attacks.