Forums

Resolved
0 votes
Hello everyone, I read on a few posts that this issue has been addressed before, but this was a while back (2013).
https://www.clearos.com/clearfoundation/social/community/intrusion-prevention-never-shows-blocked-ips

Is there any update on this?
I installed Clear OS Community 7 a few days ago.
My old 5.2 blocked (and logged) 10-20 IPs daily.
The new 7 hasnt blocked any offender, it seems unlikely that there was no attempts within a week.

Should I modify anything on the system, after installing Intrusion Detection and Intrusion Prefention?
Both are running ofcourse.
Should I add any other apps?
Should I add some paid apps from the Marketplace?

Marcin
Sunday, May 08 2016, 01:57 AM
Share this post:
Responses (7)
  • Accepted Answer

    Mel Lusk
    Mel Lusk
    Offline
    Thursday, December 06 2018, 04:51 PM - #Permalink
    Resolved
    0 votes
    Thanks for the response Dave. My ClearOS box is exposed to the Internet with a public IP and is operating in Gateway mode. Snort is detecting plenty of attacks, but SnortSam isn't doing anything about it.

    Dave Loper wrote:

    Does your ClearOS server have a public IP (not an RFC 1918 address)?

    If it uses a private schema, a lot of common attacks will be conducted against your frontend router instead of your ClearOS server. You would only see activity typically on open ports or if your defenses on your ISP head-end router fail.

    Also, make sure the services are running in the Prevention and Detection modules.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, December 06 2018, 04:06 PM - #Permalink
    Resolved
    0 votes
    Does your ClearOS server have a public IP (not an RFC 1918 address)?

    If it uses a private schema, a lot of common attacks will be conducted against your frontend router instead of your ClearOS server. You would only see activity typically on open ports or if your defenses on your ISP head-end router fail.

    Also, make sure the services are running in the Prevention and Detection modules.
    The reply is currently minimized Show
  • Accepted Answer

    Mel Lusk
    Mel Lusk
    Offline
    Thursday, December 06 2018, 03:23 PM - #Permalink
    Resolved
    0 votes
    What was the solution for this? I'm having the same issue.....IDS is working fine, but the IPS/SnortSam never blocks anything. I'm using the IDS Signatures subscription.

    I have ClearOS 7.5 kernel 3.10.0-862.11.6.v7.x86_64
    The reply is currently minimized Show
  • Accepted Answer

    Monday, May 09 2016, 04:08 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    Hi Marcin,

    Please feel free to submit a support ticket if the IDS Signatures are not working. If your system is connected directly to the Internet, you should see at least a dozen IPs in the block list.


    Thanks Peter, I just did that (post a ticket).
    Definitely something is strange, because there is still nothing blocked, 36 hours after installing and restarting ofcourse.
    The reply is currently minimized Show
  • Accepted Answer

    PeterB
    PeterB
    Offline
    Monday, May 09 2016, 12:59 PM - #Permalink
    Resolved
    0 votes
    Hi Marcin,

    Please feel free to submit a support ticket if the IDS Signatures are not working. If your system is connected directly to the Internet, you should see at least a dozen IPs in the block list.
    The reply is currently minimized Show
  • Accepted Answer

    Sunday, May 08 2016, 02:25 PM - #Permalink
    Resolved
    0 votes
    Its been 12 hours, and still there is nothing reported as blocked, despite installing the additional IDS Signatures.
    https://firewallhost... /app/intrusion_protection_updates reports "Nothing to report" (in the Logs section on the bottom of the page)
    while https://firewallhost... /app/intrusion_prevention reports: "No data available in table" (in the Blocked List on the bottom of the page).

    In 5.2, as I wrote before, 10-20 IPs were being reported daily.
    The reply is currently minimized Show
  • Accepted Answer

    Sunday, May 08 2016, 04:46 AM - #Permalink
    Resolved
    0 votes
    I read on one of the posts, that its the signatures that need to be upgraded to the commercial version.
    I just did that ($100/yr), will see if I have some blocked IPs in a few hours.
    The reply is currently minimized Show
Your Reply