wazuh-主动拉黑

拉黑命令

cd /var/ossec/active-response/bin
ls

default-firewall-drop firewall-drop ipfw npf restart-wazuh disable-account host-deny kaspersky pf route-null firewalld-drop ip-customblock kaspersky.py restart.sh wazuh-slack

sudo /var/ossec/bin/agent_control -L

Wazuh agent_control. Available active responses: Response name: firewall-drop60, command: firewall-drop60

拉黑测试

-u agentid
-b ip
-f 命令

sudo /var/ossec/bin/agent_control -u 001 -b 172.16.2.136 -f firewall-drop60 # 拉黑 sudo /var/ossec/bin/agent_control -u 001 -r -b 172.16.2.136 -f firewall-drop60 # 解除

拦截配置

更多配置查看 https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/active-response.html

vi /var/ossec/etc/ossec.conf
在 ossec_config中

<command> <name>firewall-drop</name> <executable>firewall-drop</executable> <timeout_allowed>yes</timeout_allowed> </command> <active-response> <disabled>no</disabled> <!-- 启用此主动响应 --> <command>firewall-drop</command> <!-- 使用防火墙阻止命令 --> <location>local</location> <!-- 被攻击主机拦截 --> <rules_id>110001</rules_id> <!-- 关联的规则ID --> <timeout>60</timeout> <!-- 阻止持续60秒 --> </active-response>

查看日志

在agent主机上查看
cat /var/ossec/logs/active-responses.log
报错 找不到srcip字段

2026/01/06 11:40:21 active-response/bin/firewall-drop: Cannot read 'srcip' from data

修改decoder

将原来的client改为srcip字段

<decoder name="modsec-core-fields"> <parent>apache-errorlog</parent> <prematch>\.+ModSecurity</prematch> <regex>client (\d+.\d+.\d+.\d+):\.+file "/etc/httpd/modsecurity.d/activated_rules/(\.+).conf"\.+id "(\d+)"\.+msg "(\.+)"</regex> <order>srcip,file,id,msg</order> </decoder>

修改rule

更多语法 https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
将原来的相同ip修改为same_source_ip

<group name="modsec,"> <rule id="110001" level="12" frequency="5" timeframe="60"> <if_matched_sid>30411</if_matched_sid> <!--<same_field>data.srcip</same_field>--> <same_source_ip /> <description>同ip 60秒 5次 拦截</description> </rule> </group>

systemctl restart wazuh-manager

验证

已经拉黑 持续转圈圈
ssh也动不了了