[Solved] OSSEC jails and PF firewall

Hello,

I want to install the OSSEC server in a FreeBSD jail.
My question is:
How can I send the OSSEC information from the jail to the host so that I can have a table in PF like:
Code:
table <ossec_fwtable> persist
block in log on $ext_if from <ossec_fwtable>

Is it possible?
Is it better to install it on the FreeBSD host?

Thank you
 
Re: OSSEC jails and PF firewall

Hi guys,

Any advice on this matter would be greatly appreciated.

Thank you

Fred
 
Re: OSSEC jails and PF firewall

You can install OSSEC on the FreeBSD host and watch the jail directories and have easy access to pf.

Pros:
- one OSSEC setup
- intruder in jail doesn't "see" OSSEC

Cons:
- Intruder might find a bug in OSSEC log parsing and escape from jail.


Or you can install OSSEC only inside jails

Pros:
- easy setup

Cons:
- more OSSEC instances
- Intruder can kill OSSEC easily


You can also install OSSEC on both host and jail and send the logs to the ossec-hids-server on the host (over the network).

Pros:
- ?

Cons:
- more OSSEC instances + 1
- Intruder can kill OSSEC instance in jail easily
- Intruder might find a bug in OSSEC log parsing and escape from jail (if logs are also analysed on host).
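A worked example for the third option above (agents in the jails, ossec-hids-server on the host), added here and not part of the original post or of OSSEC itself: a host-side active-response script written in the style of OSSEC's bundled active-response/pf.sh. It adds the offending source address to the same <ossec_fwtable> table used in the question's pf.conf and kills the states that address already holds. The table name, the pfctl path and the DRY_RUN switch are this example's assumptions; the argument order (action, user, srcip) is the one OSSEC passes to active-response scripts.

```shell
#!/bin/sh
# Added example: pf active response for the OSSEC server on the FreeBSD
# host, modelled on OSSEC's active-response/pf.sh. Invoked by OSSEC as:
#   <script> <add|delete> <user> <srcip> [...]
# The table name and pfctl path below are assumptions for this example;
# the table must exist in pf.conf ("table <ossec_fwtable> persist").

TABLE="ossec_fwtable"
PFCTL="/sbin/pfctl"

# Accept only a plain dotted-quad IPv4 address. The address comes out of
# parsed log data, so it is never handed to pfctl unchecked.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the pfctl command that implements the requested table change.
pf_command() {
    action="$1"
    ip="$2"
    case "$action" in
        add)    echo "$PFCTL -t $TABLE -T add $ip" ;;
        delete) echo "$PFCTL -t $TABLE -T delete $ip" ;;
        *)      return 1 ;;
    esac
}

# Entry point with OSSEC's argument order. With DRY_RUN=1 (this example's
# own switch, not an OSSEC feature) the pfctl commands are printed instead
# of executed, one per line.
respond() {
    action="$1"
    ip="$3"
    valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
    cmd=$(pf_command "$action" "$ip") || { echo "unknown action: $action" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
        [ "$action" = add ] && echo "$PFCTL -k $ip"
        return 0
    fi
    $cmd || return 1
    # Existing connections from the blocked address are not affected by a
    # new "block in" match, so kill their states too.
    [ "$action" = add ] && "$PFCTL" -k "$ip"
    return 0
}

if [ "$#" -ge 3 ]; then
    respond "$@" || exit 1
fi
```

On the OSSEC side the script is declared once as a <command> with <expect>srcip</expect>, and the <active-response> that references it uses <location>server</location>, so that the response runs on the host where the server and pfctl live rather than inside the jail that produced the log line. Run it by hand with DRY_RUN=1 first (for example DRY_RUN=1 ./pf.sh add - 203.0.113.5) to see exactly which pfctl commands an alert would trigger.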
 
Re: OSSEC jails and PF firewall

Thank you @Nukama!

Your input is greatly appreciated
 