Set up OSSEC active response to automatically block threats by configuring firewall rules, custom response scripts, and tuning response actions for real-time intrusion prevention.
Prerequisites
- Root or sudo access
- OSSEC HIDS installed
- Basic iptables knowledge
- Mail system for notifications
What this solves
OSSEC active response automatically blocks detected threats by executing predefined actions when security events trigger specific rules. Instead of just logging attacks, OSSEC can instantly block IP addresses, disable user accounts, or run custom scripts to neutralize threats in real-time.
Step-by-step configuration
Update system packages
Start by updating your package manager to ensure you have the latest security updates.
```bash
sudo apt update && sudo apt upgrade -y
```
Install OSSEC HIDS
Install OSSEC if not already present on your system.
```bash
sudo apt install -y ossec-hids-server
sudo systemctl enable ossec
sudo systemctl start ossec
```
Configure basic active response rules
Edit the main OSSEC configuration to enable active response for common threats like SSH brute force and web attacks.
```xml
<ossec_config>
  <!-- SSH brute force: drop the source IP for 10 minutes -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5720</rules_id>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5711</rules_id>
    <timeout>300</timeout>
  </active-response>
  <!-- Web attacks: drop the source IP for 30 minutes -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>31151,31152,31153</rules_id>
    <timeout>1800</timeout>
  </active-response>
</ossec_config>
```
Set up automated firewall blocking
Configure OSSEC to work with your system's firewall for automatic IP blocking.
```xml
<!-- <command> blocks go inside <ossec_config>; the executables live in /var/ossec/active-response/bin/ -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<command>
  <name>route-null</name>
  <executable>route-null.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
```
Create custom response script for iptables
Create a custom script that integrates with iptables for more precise blocking rules.
```bash
#!/bin/bash
# Custom OSSEC active response script for iptables
# Install as /var/ossec/active-response/bin/custom-firewall-drop.sh
# Author: OSSEC Team
# OSSEC invokes active-response scripts as: <add|delete> <user> <srcip> <alert_id> <rule_id>
ACTION=$1
USER=$2
IP=$3
ALERT_ID=$4
RULE_ID=$5
LOG_FILE="/var/ossec/logs/active-responses.log"
CHAIN="OSSEC_AR"
# Fixed timestamp format so the log can later be filtered by date
NOW=$(date '+%Y-%m-%d %H:%M:%S')

# The source IP is parsed out of attacker-influenced log lines: accept only digits and dots
case "$IP" in
    *[!0-9.]*|"")
        echo "$NOW - Rejected invalid IP argument: $IP" >> "$LOG_FILE"
        exit 1
        ;;
esac

# Create the OSSEC chain if it doesn't exist and hook it into INPUT
if ! iptables -L "$CHAIN" -n >/dev/null 2>&1; then
    iptables -N "$CHAIN"
    iptables -I INPUT -j "$CHAIN"
fi

case "$ACTION" in
    add)
        # Block the IP
        iptables -I "$CHAIN" -s "$IP" -j DROP
        echo "$NOW - Blocked IP: $IP (Rule: $RULE_ID, Alert: $ALERT_ID)" >> "$LOG_FILE"
        ;;
    delete)
        # Unblock the IP when the timeout expires
        iptables -D "$CHAIN" -s "$IP" -j DROP 2>/dev/null
        echo "$NOW - Unblocked IP: $IP" >> "$LOG_FILE"
        ;;
esac
exit 0
```
Make the script executable
Set the correct permissions for the custom response script.
```bash
sudo chmod 755 /var/ossec/active-response/bin/custom-firewall-drop.sh
sudo chown root:ossec /var/ossec/active-response/bin/custom-firewall-drop.sh
```
Configure web application attack responses
Add specific responses for web application attacks and SQL injection attempts.
```xml
<command>
  <name>web-attack-block</name>
  <executable>custom-firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>web-attack-block</command>
  <location>local</location>
  <rules_id>31103,31104,31106,31108,31109</rules_id>
  <timeout>3600</timeout>
</active-response>
```
Create notification response script
Create a script that sends email notifications when threats are blocked.
```bash
#!/bin/bash
# Email notification script for OSSEC active response
# Install as /var/ossec/active-response/bin/email-notification.sh
# Arguments passed by OSSEC: <add|delete> <user> <srcip> <alert_id> <rule_id>
ACTION=$1
USER=$2
IP=$3
ALERT_ID=$4
RULE_ID=$5
NOTIFY_LOG="/var/ossec/logs/notifications.log"
NOW=$(date '+%Y-%m-%d %H:%M:%S')
if [ "$ACTION" = "add" ]; then
    SUBJECT="OSSEC Alert: Threat Blocked - $IP"
    MESSAGE="OSSEC has automatically blocked IP address $IP\n\nAlert ID: $ALERT_ID\nRule ID: $RULE_ID\nTime: $NOW\n\nThis IP has been added to the firewall block list."
    echo -e "$MESSAGE" | mail -s "$SUBJECT" admin@example.com
    # Log the notification
    echo "$NOW - Email notification sent for blocked IP: $IP" >> "$NOTIFY_LOG"
fi
```
Configure notification command
Add the email notification command to OSSEC configuration.
```xml
<command>
  <name>email-alert</name>
  <executable>email-notification.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>email-alert</command>
  <location>local</location>
  <rules_id>5712,5720,31151</rules_id>
</active-response>
```
Set up response severity levels
Configure different response actions based on threat severity levels.
```xml
<!-- <level> is a threshold and takes a single integer: the response fires for alerts
     at that level or higher, so a level 12 alert also matches the blocks below it -->
<!-- High severity (level 12 and up): Immediate block; timeout 0 means it is not removed automatically -->
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <level>12</level>
  <timeout>0</timeout>
</active-response>
<!-- Medium severity (level 8 and up): Temporary block -->
<active-response>
  <disabled>no</disabled>
  <command>host-deny</command>
  <location>local</location>
  <level>8</level>
  <timeout>1800</timeout>
</active-response>
<!-- Low severity (level 6 and up): Log only with notification -->
<active-response>
  <disabled>no</disabled>
  <command>email-alert</command>
  <location>local</location>
  <level>6</level>
</active-response>
```
Configure whitelist for trusted IPs
Create a whitelist to prevent blocking of trusted IP addresses.
```xml
<global>
  <!-- Addresses listed here never trigger an active response -->
  <white_list>127.0.0.1</white_list>
  <white_list>192.168.1.0/24</white_list>
  <white_list>10.0.0.0/8</white_list>
  <white_list>203.0.113.10</white_list>
</global>
```
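The custom script above receives its `srcip` argument from whatever OSSEC parsed out of a log line, and the whitelist lives only in ossec.conf. As an added example (not part of the original page or of OSSEC's own scripts), the POSIX sh functions below validate the address strictly and re-check it against a constructed copy of the whitelist before deciding which iptables command would run; the function names and the `ar_decide` dry-run wrapper are this example's own.

```sh
#!/bin/sh
# Added example: input hardening for an OSSEC active-response script.
# OSSEC calls the script as: <add|delete> <user> <srcip> <alert_id> <rule_id>;
# srcip is parsed from attacker-influenced logs, so validate it before it reaches
# iptables and re-check the whitelist locally as a second safety net.

# Constructed copy of the <white_list> entries from ossec.conf
WHITELIST="127.0.0.1 192.168.1.0/24 10.0.0.0/8 203.0.113.10"

# valid_ipv4 IP -> 0 only for a strict dotted quad with octets 0-255
valid_ipv4() {
    ip=$1
    case $ip in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int IP -> the address as an unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr IP NET[/BITS] -> 0 if IP lies inside NET (a bare address means /32)
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    case $2 in */*) ;; *) bits=32 ;; esac
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

is_whitelisted() {
    for entry in $WHITELIST; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# ar_decide ACTION SRCIP -> prints the iptables command (or a refusal) instead of running it
ar_decide() {
    valid_ipv4 "$2"     || { echo "refuse: malformed srcip '$2'"; return 1; }
    is_whitelisted "$2" && { echo "skip: $2 is whitelisted"; return 2; }
    case $1 in
        add)    echo "iptables -I OSSEC_AR -s $2 -j DROP" ;;
        delete) echo "iptables -D OSSEC_AR -s $2 -j DROP" ;;
        *)      echo "refuse: unknown action '$1'"; return 1 ;;
    esac
}
```

Because `ar_decide` only prints the command, the whole file can be exercised as an unprivileged user; in a real response script the printed command is what you would execute.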
Enable response monitoring
Configure OSSEC to monitor its own active response actions.
```xml
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/notifications.log</location>
</localfile>
```
Restart OSSEC service
Apply the configuration changes by restarting the OSSEC service.
```bash
sudo systemctl restart ossec
sudo systemctl status ossec
```
Test active response functionality
Create a test scenario to verify that active response is working correctly.
```bash
# Simulate a brute force attack (from another machine): fail the login multiple times
ssh root@your-server-ip
# Check if the IP gets blocked
sudo iptables -L OSSEC_AR -n
# Check OSSEC logs for active response triggers
sudo tail -f /var/ossec/logs/alerts/alerts.log
# Check active response logs
sudo tail -f /var/ossec/logs/active-responses.log
```
Monitor and tune response actions
Configure response statistics
Set up monitoring to track active response effectiveness.
```bash
#!/bin/bash
# Generate active response statistics
# Install as /var/ossec/active-response/bin/response-stats.sh
# Expects log lines of the form "YYYY-MM-DD HH:MM:SS - Blocked IP: <ip> (...)"
LOG_FILE="/var/ossec/logs/active-responses.log"
STATS_FILE="/var/ossec/logs/response-stats.log"
TODAY=$(date +%Y-%m-%d)
{
    echo "=== Active Response Statistics - $(date) ==="
    echo "Total blocks today: $(grep "^$TODAY" "$LOG_FILE" | grep -c "Blocked IP:")"
    echo "Total unblocks today: $(grep "^$TODAY" "$LOG_FILE" | grep -c "Unblocked IP:")"
    echo "Most blocked IPs today:"
    # Extract the address that follows "Blocked IP:" rather than relying on a field number
    grep "^$TODAY" "$LOG_FILE" | sed -n 's/.*Blocked IP: \([^ ]*\).*/\1/p' | sort | uniq -c | sort -nr | head -10
    echo ""
} >> "$STATS_FILE"
```
Set up automatic statistics generation
Create a cron job to generate daily statistics reports.
```bash
sudo chmod +x /var/ossec/active-response/bin/response-stats.sh
sudo crontab -e
```
Add the following entry (all five time fields are required):
```bash
# Generate OSSEC active response stats daily at 23:59
59 23 * * * /var/ossec/active-response/bin/response-stats.sh
```
Configure response tuning parameters
Fine-tune response sensitivity and timing based on your environment.
```xml
<!-- Adjust frequency for repeated offenders: escalating block times in minutes -->
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <timeout>3600</timeout>
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>
```
Verify your setup
```bash
# Check OSSEC service status
sudo systemctl status ossec
# Verify active response is enabled
sudo grep -A 5 -B 5 "active-response" /var/ossec/etc/ossec.conf
# Check current firewall rules
sudo iptables -L OSSEC_AR -n
# Test log monitoring
sudo tail -f /var/ossec/logs/ossec.log
# Check active response logs
sudo ls -la /var/ossec/logs/active-responses.log
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Active response not triggering | Disabled in configuration | Check for `<disabled>no</disabled>` in ossec.conf |
| Script execution fails | Incorrect permissions | `sudo chmod 755 /var/ossec/active-response/bin/*.sh` |
| IPs not getting blocked | Firewall rules not created | Check iptables chain creation in script |
| Legitimate users blocked | Missing whitelist entries | Add trusted IPs to the `<white_list>` section |
| Email notifications not sent | Mail system not configured | Install and configure a mail system: `sudo apt install mailutils` |
Integration with other security tools
OSSEC active response works well with other security solutions. You can integrate it with Fail2ban for additional protection layers and enhance monitoring with centralized security monitoring using ClamAV and Elasticsearch. For comprehensive threat detection, consider implementing ModSecurity with machine learning anomaly detection alongside OSSEC.
Next steps
- Set up OSSEC multi-server deployment with agent management
- Integrate OSSEC with SIEM platforms for centralized security monitoring
- Create custom OSSEC rules for application-specific threat detection
- Configure OSSEC high availability clustering for enterprise environments