How to remove an IP from the Wazuh block, even after having added it to the Whitelist?

This is an additional procedure to the article “How to add IP origins in senhasegura Whitelist?”.

If you have already added an IP to the Whitelist and, after rebooting the senhasegura server, it has blocked that IP again, some additional steps are required. This procedure applies both to the IPs of the Cluster itself and to any other IPs that need to be added to the Whitelist.


WARNING

Do not change any settings or information besides what was detailed in this article.


Check whether the file “rules.v4” contains a DROP line in the OSSEC chain for the desired IP:

cat /etc/iptables/rules.v4

The line has the form:

-A OSSEC -s [IP] -j DROP

And it will appear as in the example:

-A OSSEC -s 192.168.10.10/32 -j DROP

Check if the IP is the correct one and open the file for editing:

vim /etc/iptables/rules.v4

You can delete the OSSEC DROP line using either of the steps below:

  • Press the key “i” to enter insert mode and delete the text of the line;

  • Or move the cursor to the beginning of the line to be deleted and press the key “d” twice (“dd”) to delete the whole line.

Then save and close the file: press “ESC”, type “:wq” and press Enter.

After that, reload the rules with the command below:

iptables-restore < /etc/iptables/rules.v4



Also check whether the IP is present in the live OSSEC and FORWARD chains in iptables:

iptables -nL OSSEC && iptables -nL FORWARD



If it is, the whitelist will not take effect. Remove the IP from each chain in which it appears:

Remark: The command below removes only one rule for the specified IP. If the same IP appears more than once in a chain, run the command once per occurrence.


iptables -D <CHAIN> -s <IP> -j DROP



Lastly, repeat the iptables -nL check from the previous step to ensure that the IP no longer appears in the OSSEC and FORWARD chains.

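The two clean-ups above (the DROP line in rules.v4 and the live OSSEC/FORWARD rules) as one added shell example; it is not part of the senhasegura article and runs against a constructed sample rule set, while clean_rules_file and delete_live_rules assume they are executed as root on the server, with the rule file path passed in.

```shell
#!/bin/sh
# Added example (not from the article): locate and remove every
# "-A <CHAIN> -s <IP>/32 -j DROP" rule for one IP, including the case
# where the same IP appears more than once (one "iptables -D" removes one rule).

# Constructed sample in the format of /etc/iptables/rules.v4 (not real server data)
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OSSEC - [0:0]
-A INPUT -j OSSEC
-A OSSEC -s 192.168.10.10/32 -j DROP
-A OSSEC -s 10.0.0.5/32 -j DROP
-A FORWARD -s 192.168.10.10/32 -j DROP
-A OSSEC -s 192.168.10.10/32 -j DROP
COMMIT'

# drop_rule_regex CHAIN IP: anchored regex for the DROP rule of IP in CHAIN
# (dots escaped so 192.168.10.1 does not also match 192.168.10.10)
drop_rule_regex() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '^-A %s -s %s(/32)? -j DROP$' "$1" "$esc"
}

# count_drop_rules IP < rules: number of DROP rules for IP in OSSEC or FORWARD (0 is not an error)
count_drop_rules() {
    grep -c -E "$(drop_rule_regex '(OSSEC|FORWARD)' "$1")" || true
}

# strip_drop_rules IP < rules: the rule set with those DROP rules removed
strip_drop_rules() {
    grep -v -E "$(drop_rule_regex '(OSSEC|FORWARD)' "$1")" || true
}

# clean_rules_file IP FILE: rewrite FILE without the IP's DROP rules (backup kept) and reload it
clean_rules_file() {
    cp "$2" "$2.bak"
    strip_drop_rules "$1" < "$2.bak" > "$2"
    iptables-restore < "$2"
}

# delete_live_rules IP: run "iptables -D" once per live occurrence in OSSEC and FORWARD
delete_live_rules() {
    for chain in OSSEC FORWARD; do
        n=$(iptables-save | grep -c -E "$(drop_rule_regex "$chain" "$1")" || true)
        while [ "$n" -gt 0 ]; do
            iptables -D "$chain" -s "$1" -j DROP
            n=$((n - 1))
        done
    done
}

# Demo on the constructed sample: 3 rules for 192.168.10.10 before, 0 after stripping
printf '%s\n' "$SAMPLE_RULES" | count_drop_rules 192.168.10.10
printf '%s\n' "$SAMPLE_RULES" | strip_drop_rules 192.168.10.10 | count_drop_rules 192.168.10.10
```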