All connections to mail are shunned

kram
Forum Regular
Posts: 243
Joined: Sat Dec 11, 2004 2:33 pm
Location: South Africa

All connections to mail are shunned

Unread post by kram »

Hello,

Over the past couple of days I have been receiving calls from hundreds of clients complaining that they can't connect to the mail server.
After a little digging I found that their IPs are being added to the ASL block list as soon as they send and receive.

I have to run asl -ub <ip> or remove it from the GUI

ASL Reports that rule id 533 has been tripped at Level 7

I then disabled the rule and turned off active-response but the rule keeps blocking.
I went as far as removing the rule and all references from /var/ossec/etc/rules.d and restarted ossec
Sadly the IPs are still blocked.

Port 25 on my server is totally blocked only 587 is allowed.
One thing I notice is that there is no mention of 587 in the asl-port-check output below, which is logged each time.


ossec: output: `/var/ossec/active-response/bin/asl-port-check`:
Process User Port
couriertc root 110
couriertc root 143
couriertc root 993
couriertc root 995
httpd apache 7080
httpd apache 7081
httpd root 7080
httpd root 7081
mysqld mysql 3306
named named 53
nginx nginx 443
nginx nginx 80
nginx root 443
nginx root 80
sshd root 9022
sw-cp-ser root 8443
sw-cp-ser root 8880
sw-cp-ser sw-cp-server 8443
netstat -nltp | grep LISTEN | egrep -v "127.0.0.1|\[1-9][0-9][0-9][0-9].*(ftp|-)" | awk -f /var/asl/lib/ports.awk


Protocol	IP:port			Process Name
tcp		0.0.0.0:3306			
tcp		197.221.19.229:80			
tcp		197.221.19.228:80			
tcp		197.221.19.227:80			
tcp		197.221.19.226:80			
tcp		0.0.0.0:8880			
tcp		197.221.19.229:53			
tcp		197.221.19.228:53			
tcp		197.221.19.227:53			
tcp		197.221.19.226:53			
tcp		197.221.19.229:443			
tcp		197.221.19.228:443			
tcp		197.221.19.227:443			
tcp		197.221.19.226:443			
tcp		0.0.0.0:8443			
tcp		0.0.0.0:9022			
tcp		:::7080			
tcp		:::7081			
tcp		:::106			
tcp		:::587			
tcp		:::110			
tcp		:::143			
tcp		:::30000			
tcp		:::8880			
tcp		:::465			
tcp		:::21			
tcp		:::53			
tcp		:::25			
tcp		:::8443			
tcp		:::9022			
tcp		:::993			
tcp		:::995		
I have had to resort to disabling active response :(

Any suggestions would be greatly appreciated.
Mark Brindley
2Large Networks - Web solutions that work
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

For the IPs that are shunned, can you provide the entries from this log file:

/var/ossec/logs/active-responses.log

And this file:

/etc/asl/rules
kram
Forum Regular
Posts: 243
Joined: Sat Dec 11, 2004 2:33 pm
Location: South Africa

Re: All connections to mail are shunned

Unread post by kram »

Hello mikeshinn,

/var/ossec/logs/active-responses.log is full of these entries


Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 196.215.82.236 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 196.215.82.236 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 41.132.115.190 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 41.132.115.190 1390892903.870252 40111
Tue Jan 28 09:08:25 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 105.224.235.230 1390892903.870252 40111
Tue Jan 28 09:08:25 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 105.224.235.230 1390892903.870252 40111
Tue Jan 28 09:08:25 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 105.237.69.186 1390892903.870252 40111
Tue Jan 28 09:08:25 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 105.237.69.186 1390892903.870252 40111
Tue Jan 28 09:08:25 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 105.226.30.99 1390892904.870252 40111


Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl delete - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/host-deny.sh delete - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl delete - 41.132.115.190 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/host-deny.sh delete - 41.132.115.190 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl delete - 105.237.69.186 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/host-deny.sh delete - 105.237.69.186 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl delete - 196.210.211.215 1390892904.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/host-deny.sh delete - 196.210.211.215 1390892904.870252 40111
/etc/asl/rules


# Configuration for WAF and HIDS rules
G,hids,533,yes,7,no,yes,,Listening ports status has changed (new port opened or closed).
G,hids,1002,yes,2,no,no,
G,hids,3901,no,3,no,no,
G,hids,3902,yes,4,no,no,
G,hids,3904,yes,3,no,no,
G,hids,4151,yes,12,yes,yes,,Multiple Firewall drop events from same source.
G,hids,5551,yes,10,yes,yes,
G,hids,5712,no,10,yes,no,
G,hids,11251,yes,15,yes,yes,
G,hids,11252,yes,7,yes,yes,
G,hids,11254,yes,12,yes,yes,
G,hids,11256,yes,10,yes,yes,,Attempt to log in to a forbidden account.
G,hids,20100,yes,8,no,yes,
G,hids,20101,yes,7,no,no,
G,hids,40111,no,10,yes,no,
G,hids,50106,yes,9,yes,no,,Database authentication failure.
G,hids,52502,yes,8,no,yes,
G,hids,60128,yes,5,no,no,
G,hids,60816,yes,5,no,yes,,Internal Server Error.  The server encountered an unexpected condition which prevented it from fulfilling the request.
G,hids,60901,yes,1,no,no,
G,hids,60902,no,1,no,no,
G,hids,60903,yes,5,no,no,
G,hids,60908,yes,10,yes,yes,
G,hids,60910,no,10,yes,no,
G,hids,60921,no,4,no,no,
G,hids,70901,no,1,no,no,
G,waf,533,,yes,no,0,no,no,
G,waf,300009,,no,no,7,yes,no,
G,waf,300032,,no,no,7,yes,no,
G,waf,300051,,no,no,7,yes,no,
G,waf,300061,,no,no,7,yes,no,
G,waf,300079,,no,no,7,yes,no,
G,waf,301311,,no,no,10,yes,yes,
G,waf,303800,,no,yes,7,yes,no,
G,waf,303801,,no,yes,7,yes,no,
G,waf,303808,,no,yes,7,yes,no,
G,waf,303937,,no,yes,7,yes,no,
G,waf,318812,,no,yes,10,yes,yes,,
G,waf,330056,,no,yes,10,yes,yes,
G,waf,330082,,no,yes,15,yes,no,,
G,waf,330790,,no,yes,7,yes,no,
G,waf,331215,,no,yes,15,yes,no,,
G,waf,333514,,no,no,10,yes,yes,
G,waf,340148,,no,yes,10,yes,yes,
G,waf,377304,,no,yes,15,yes,yes,,
G,waf,377360,,no,yes,13,yes,yes,,
G,waf,380019,,no,yes,10,yes,yes,
G,waf,390145,,no,yes,15,yes,yes,
G,waf,390610,,no,yes,10,yes,yes,
V,waf,52502,www.xxxxx.co.za,yes,no,0,no,no,
V,waf,310716,www.xxxx.co.za,yes,no,0,no,no,
V,waf,310717,www.xxxx.co.za,yes,no,0,no,no,
V,waf,336141,xxxx.org,yes,,,,,
V,waf,336142,xxxx.org,yes,,,,,
V,waf,340008,xxxx.co.za,yes,no,0,no,no,
V,waf,340149,xxxx.co.za,yes,,,,,
V,waf,340162,xxxx.co.za,yes,no,0,no,no,
V,waf,340162,xxxx.co.za,yes,,,,,
V,waf,340163,xxxx.co.za,yes,no,0,no,no,
V,waf,340163,xxxx.com,yes,,,,,
V,waf,340165,schoolguide.co.za,yes,no,0,no,no,
V,waf,341245,2large.co.za,yes,,,,,
V,waf,341245,dev.ethele.co.za,yes,,,,,
V,waf,341245,dev.genesismedical.co.za,yes,,,,,
V,waf,341245,genesismedical.co.za,yes,,,,,
V,waf,361022,movingintoaction.co.za,yes,,,,,
V,waf,390632,www.2large.co.za,yes,no,0,no,no,
V,waf,390804,2large.co.za,no,,,,,
Mark Brindley
2Large Networks - Web solutions that work
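The active-responses.log entries above are easier to triage with a small script. The following is an added example, not Atomicorp's or ASL's own code: it parses the log using OSSEC's documented active-response argument order (script, add/delete, user, source IP, alert id, rule id), reports which rule id actually triggered each shun, and lists IPs that were added but never deleted. The sample log is constructed from lines quoted in this thread.

```python
"""Triage helper for /var/ossec/logs/active-responses.log.

Added example, not Atomicorp's code. Assumes OSSEC's active-response
argument order: <script> <add|delete> <user> <srcip> <alert-id> <rule-id>.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<when>.+?) (?P<script>/\S+) (?P<action>add|delete) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<alert>\S+) (?P<rule>\d+)$"
)

# Constructed sample: two shuns and one release, taken from the thread above.
SAMPLE_LOG = """\
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 196.215.82.236 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 196.215.82.236 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl add - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:08:24 SAST 2014 /var/ossec/active-response/bin/host-deny.sh add - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/asl-shun.pl delete - 178.239.85.91 1390892903.870252 40111
Tue Jan 28 09:09:26 SAST 2014 /var/ossec/active-response/bin/host-deny.sh delete - 178.239.85.91 1390892903.870252 40111
"""


def parse(text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def shuns_by_rule(text):
    """Map each rule id to the sorted list of distinct IPs it caused to be shunned.
    This is the quickest way to see which rule really fired (40111 above, not 533)."""
    ips = defaultdict(set)
    for e in parse(text):
        if e["action"] == "add":
            ips[e["rule"]].add(e["ip"])
    return {rule: sorted(v) for rule, v in ips.items()}


def still_blocked(text):
    """IPs with an 'add' that was never followed by a 'delete', in first-seen order."""
    state = {}
    for e in parse(text):
        if e["action"] == "add":
            state.setdefault(e["ip"], True)
        else:
            state.pop(e["ip"], None)
    return list(state)


if __name__ == "__main__":
    print("shuns by rule:", shuns_by_rule(SAMPLE_LOG))
    print("still blocked:", still_blocked(SAMPLE_LOG))
```

Run it against the real file with `python3 triage.py < /var/ossec/logs/active-responses.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; a rule id that appears here can then be looked up in /etc/asl/rules.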
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

I see your problem, remove this line:

G,waf,533,,yes,no,0,no,no,

From

/etc/asl/rules

And run:

asl -s -f
kram
Forum Regular
Posts: 243
Joined: Sat Dec 11, 2004 2:33 pm
Location: South Africa

Re: All connections to mail are shunned

Unread post by kram »

@mikeshinn,

Removed the line, ran asl -s -f,
enabled active response in the GUI,
tried to get mail: one mail came in and then I was shunned again :(
Mark Brindley
2Large Networks - Web solutions that work
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

Can you restart ossec:

service ossec-hids restart

I suspect your rule changes didn't get loaded.
kram
Forum Regular
Posts: 243
Joined: Sat Dec 11, 2004 2:33 pm
Location: South Africa

Re: All connections to mail are shunned

Unread post by kram »

@mikeshinn,

Looks like my subscription expired :(
Will this be the reason that things are not playing nice?

Does not matter what I do, I just keep hitting a brick wall.

Will re-visit this in the morning.

Thanks for your help thus far!
Mark Brindley
2Large Networks - Web solutions that work
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

Yes, if your license isn't up to date, then ASL isn't going to work right. You need a valid license for it to work correctly.
zyza
Forum User
Posts: 9
Joined: Sun May 15, 2011 1:38 pm
Location: London

Re: All connections to mail are shunned

Unread post by zyza »

I have a valid license and have had no mail since ASL 4 was installed.
cat /etc/asl/rules
ArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArrayArray# Configuration for WAF and HIDS rules
G,waf,361022,,yes,yes,10,yes,yes,,
G,waf,350147,,no,yes,9,yes,yes,,
This does not look good.

How do I turn off ASL until Atomic fix their product?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

Somehow that file's gotten corrupted on your system; just remove it with this command:

rm /etc/asl/rules

And run these commands as root:

aum -uf

asl -s -f
zyza
Forum User
Posts: 9
Joined: Sun May 15, 2011 1:38 pm
Location: London

Re: All connections to mail are shunned

Unread post by zyza »

I have done that and still no mail, and /etc/asl/rules is not recreated.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

I just logged into your system; you had configured your system to only allow connections to ports 22, 80, 443, 25, 465, 8443, 8080. You configured ASL to block everything else, so it was blocking ports 110, 143, 993 and 995 (the IMAP and POP3 mail service ports). I added those ports to the list of ports you configured to allow.

That was causing your blocks. ASL does not block any ports by default, it only blocks what you tell it to block.
zyza
Forum User
Posts: 9
Joined: Sun May 15, 2011 1:38 pm
Location: London

Re: All connections to mail are shunned

Unread post by zyza »

As I said I had ASL3 working with mail.

All I did was upgrade and say yes to the defaults, and then no mail.

Clearly this is something that happened in the upgrade process.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: All connections to mail are shunned

Unread post by mikeshinn »

During the upgrade, ASL will ask what ports you want to allow in; any port not included in that list will be blocked.