# ossec 2.81 bug: IPs permanently added to /etc/hosts.allow!



## mecano (Sep 20, 2014)

Hello,

while running 2.81 security/ossec-hids-client and security/ossec-hids-server I came upon a very disgraceful behaviour concerning auto unbanning of IPs in the /usr/local/ossec-hids/active-response/bin/host-deny.sh active response script, making IPs forever banned where they should be deleted from /etc/hosts.allow once a timeout. 2.81 introduces a "security" fix on this script to randomize the temporary file name.

The problem lies in the fact that the new /usr/local/ossec-hids/active-response/bin/host-deny.sh script insists on creating temporary files in /var/ossec/ (which clearly doesn't exist, version 2.8 was creating temporary files in /tmp where they should be).

I proposed the following bug fix to the ossec dev list, and thought it would be a good idea to warn the FreeBSD community as well because it is not heavily noticeable (logs are not reporting the error) and could be the source of troubles in the future.

In /usr/local/ossec-hids/active-response/bin/host-deny.sh at line 114 replace

```
TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
```
with

```
if [ "X$UNAME" = "XFreeBSD" ]; then                                                                                                                                           
TMP_FILE = `mktemp /tmp/ossec-hosts.XXXXXXXXXX`                                                                                                                             
else                                                                                                                                                                          
TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`                                                                                                                       
fi
```


----------

