I just set up OSSEC, but I have already accidentally locked myself out from my home IP.
So does OSSEC have a function to unblock an IP after it is blocked, or do I need to do this manually in iptables?
Also, does OSSEC provide a way to temporarily ban IPs?
Best Answer
To manually unblock them you need to change the 'add' to 'delete', so to delete the previous rules it would be:
Sometimes rules are too strict or not strict enough. You might want to change something or add something yourself. This can be done in the local_rules.xml file. Suppose we want to increase the threshold of failed logins on HTTP auth for apache2. If we look at apache_rules.xml we see a number of rules. The interesting one is:
To change the frequency from 6 to 10, we need to copy the rule and paste it into local_rules.xml. Then we add the parameter overwrite="yes" to tell OSSEC it needs to overwrite the rule defined in apache_rules.xml and use the one defined in local_rules.xml instead. The rule would look like this:
If we want to ignore this rule completely, as it is not relevant for us, we just change the level to 0:
An excerpt from my blog answers this question.
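The answer above describes the procedure but its command and rule snippets are not reproduced on this page. The following is an added example (not the answerer's code and not a stock OSSEC file) showing the three pieces a practitioner wants together: a whitelist so the home address is never blocked again, an active response with a `<timeout>` so bans expire on their own (this is how OSSEC does temporary bans: after the timeout it re-runs the same script with `delete` instead of `add`), and a local_rules.xml override with `overwrite="yes"`. The address 203.0.113.5 is a constructed placeholder, and the rule ids 30101, 30112, 30115 and 30107 are assumed to be the Apache error, authentication-failure, repeated-failure and forbidden-index rules in the local copy of apache_rules.xml; check the ids in your own file before using them.

```xml
<!-- Added example, not from the original post or from OSSEC itself.
     Two fragments are shown: the first belongs inside <ossec_config> in
     /var/ossec/etc/ossec.conf, the second is /var/ossec/rules/local_rules.xml.
     203.0.113.5 is a constructed "home" address; rule ids are assumed. -->

<!-- ===== fragment 1: /var/ossec/etc/ossec.conf ===== -->
<global>
  <!-- Addresses that active response must never block, whatever they trigger.
       Put your own management address here before enabling firewall-drop. -->
  <white_list>203.0.113.5</white_list>
  <white_list>192.168.1.0/24</white_list>
</global>

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <!-- Required for <timeout> below: the script is called once with "add"
       and again with "delete" when the timeout expires. -->
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <!-- Temporary ban: unblock automatically after 600 seconds.
       Without <timeout> the iptables DROP rule stays until removed by hand. -->
  <timeout>600</timeout>
  <!-- Optional (OSSEC 2.8 and later): lengthen the ban, in minutes, for
       sources that get blocked repeatedly. -->
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>

<!-- ===== fragment 2: /var/ossec/rules/local_rules.xml ===== -->
<group name="local,syslog,">
  <!-- Same id as the stock rule (assumed 30115); overwrite="yes" makes this
       definition replace it. The whole body must be repeated, not just the
       changed attribute. Threshold raised from 6 to 10 failures from one
       source within 120 seconds. -->
  <rule id="30115" level="10" frequency="10" timeframe="120" overwrite="yes">
    <if_matched_sid>30112</if_matched_sid>
    <same_source_ip />
    <description>Multiple Apache authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Silencing a stock rule entirely: same technique, level 0.
       Rule 30107 (forbidden directory index) is assumed here. -->
  <rule id="30107" level="0" overwrite="yes">
    <if_sid>30101</if_sid>
    <match>Directory index forbidden by rule</match>
    <description>Apache forbidden directory index (ignored locally).</description>
  </rule>
</group>
```

To unblock an address immediately rather than waiting for the timeout, run the same script OSSEC uses, with `delete` in place of `add` (the second argument is the user name, which firewall-drop.sh ignores, so `-` is passed): `/var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5`. The script removes the `DROP` rules it inserted into the INPUT and FORWARD chains; `iptables -L INPUT -n | grep 203.0.113.5` should then print nothing. If the host-deny response is also enabled, remove the matching line from /etc/hosts.deny as well (or run host-deny.sh with `delete` the same way). After editing local_rules.xml, restart OSSEC with `/var/ossec/bin/ossec-control restart` and confirm the override was accepted with `/var/ossec/bin/ossec-logtest`, which reports the rule id and level it matches for a pasted log line.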