Hello,

First, I'm sorry if the question has already been asked.

So what I'm trying to achieve is this: if someone fails to log in too many times on one of my agents, I want this IP to be dropped on all the other agents and the server. The same goes the other way around: if someone tries on the server, I want it to be dropped on the server and all the agents.

I tried to edit the file ossec.conf on the server and put "all" instead of "local":

    <!-- Active Response Config -->
    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for 600 seconds.
        -->
      <command>host-deny</command>
      <location>all</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>all</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>

If I want to edit the number of failed SSH attempts, which file do I have to edit? /var/ossec/rules/sshd_rules.xml?

Thanks for your help,
Best regards.