So we've been installing and setting up OSSEC on our Linux systems with no problem. We ran into a funny issue on one Linux system:
I have installed OSSEC clean and configured the server address. I start the process and things are fine; I can log in no problem. But as soon as I log off, OSSEC adds my IP to the hosts.deny file. Now I've done some testing and it only seems to happen to domain users, not local users. We're seeing some odd behavior in the logs from our Centrify SSH daemon: it's showing an SSHD denied at session close, then an SSHD allowed, and then the session closes. It's at that point that OSSEC steps in and blocks my IP.
We've tested with other domain users with the same result. If we turn off OSSEC, the blocking stops.
Anyone else seen this behavior or have any other ideas on what else to try? We've set up close to 150 systems prior to this one with no problems, and certainly not this problem.
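One way to tell the logoff artifact described above apart from genuine denials before deciding whether to tune the OSSEC rule: a small log triage script, added here as an example (not OSSEC's or Centrify's own code). The log lines and the "SSHD denied"/"SSHD allowed" message wording are constructed assumptions, since the post does not quote the actual log format.

```python
import re
from datetime import datetime

# Constructed sample log in a generic syslog/sshd style (assumed format, not copied
# from the post). The alice session shows the pattern from the post: session close,
# an immediate "denied", then an "allowed". The bob lines are plain repeated denials.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2001]: Accepted publickey for alice@corp.example from 10.0.0.5 port 51234 ssh2
Mar 10 09:00:01 host1 sshd[2001]: pam_unix(sshd:session): session opened for user alice@corp.example by (uid=0)
Mar 10 09:05:30 host1 sshd[2001]: pam_unix(sshd:session): session closed for user alice@corp.example
Mar 10 09:05:30 host1 sshd[2001]: SSHD denied for alice@corp.example from 10.0.0.5
Mar 10 09:05:30 host1 sshd[2001]: SSHD allowed for alice@corp.example from 10.0.0.5
Mar 10 09:07:00 host1 sshd[2050]: SSHD denied for bob from 10.0.0.9
Mar 10 09:07:05 host1 sshd[2050]: SSHD denied for bob from 10.0.0.9
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
DENY_RE = re.compile(r'SSHD denied for (?P<user>\S+) from (?P<ip>\S+)')
ALLOW_RE = re.compile(r'SSHD allowed for (?P<user>\S+) from (?P<ip>\S+)')
CLOSE_RE = re.compile(r'session closed for user (?P<user>\S+)')


def parse(log_text):
    """Turn raw lines into (timestamp, pid, kind, user, ip) events; skip unrelated lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')  # year-less syslog stamp
        for kind, rx in (('deny', DENY_RE), ('allow', ALLOW_RE), ('close', CLOSE_RE)):
            mm = rx.search(m.group('msg'))
            if mm:
                d = mm.groupdict()
                events.append({'ts': ts, 'pid': m.group('pid'), 'kind': kind,
                               'user': d['user'], 'ip': d.get('ip')})
                break
    return events


def classify_denials(log_text, window=2):
    """Label each 'denied' as a logoff artifact (same pid closed a session and the same
    IP was allowed within `window` seconds) or a real denial. Returns {ip: [verdicts]}."""
    events = parse(log_text)
    verdicts = {}
    for ev in (e for e in events if e['kind'] == 'deny'):
        near = [e for e in events
                if e['user'] == ev['user'] and abs((e['ts'] - ev['ts']).total_seconds()) <= window]
        closed = any(e['kind'] == 'close' and e['pid'] == ev['pid'] for e in near)
        allowed = any(e['kind'] == 'allow' and e['ip'] == ev['ip'] for e in near)
        verdicts.setdefault(ev['ip'], []).append('logoff-artifact' if closed and allowed else 'real-denial')
    return verdicts
```

Run it against a real sample from the affected host; if every block for domain users is tagged as a logoff artifact, the active-response trigger rather than the users is what needs adjusting.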