On Wed, Mar 15, 2017 at 7:25 AM, Martin <martin...@gmail.com> wrote:
> Hello,
>
> First, I'm sorry if the question has already been asked.
>
> So what I'm trying to achieve is this:
>
> If someone fails to log in too many times on one of my agents, I want this IP
> to be dropped on all other agents and the server.
>
> The same goes the other way around: if someone tries on the server, I want it
> to be dropped on the server and all the agents.
>
> I tried to edit the file ossec.conf on the server and put "all" instead of
> "local".
>
>
>   <!-- Active Response Config -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for 600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> If I want to edit the number of failed SSH attempts, which file do I have to
> edit? /var/ossec/rules/sshd_rules.xml?
>
You can copy the rule you want to modify to local_rules.xml, and add: overwrite="yes" to the "<rule" line.

>
> Thanks for your help,
> Best regards.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
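
The override described in the reply, as an added example that is not part of the original thread or of the OSSEC project's files. Rule id 5712, its body and the frequency value are assumptions for illustration; copy the actual rule text from your own /var/ossec/rules/sshd_rules.xml and keep its id unchanged.

```xml
<!-- local_rules.xml on the OSSEC server, in the same rules directory as
     sshd_rules.xml. Rule body assumed; copy yours from sshd_rules.xml. -->
<group name="local,syslog,sshd,">

  <!-- overwrite="yes" replaces the stock rule that has the same id,
       so the edit survives upgrades that rewrite sshd_rules.xml. -->
  <rule id="5712" level="10" frequency="4" timeframe="120" ignore="60" overwrite="yes">
    <!-- Correlates repeated matches of the single-failure rule. -->
    <if_matched_sid>5710</if_matched_sid>
    <!-- Count only failures coming from one source IP. -->
    <same_source_ip />
    <description>SSHD brute force trying to get access to the system.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Keep the rule's level at 6 or higher, otherwise the `<level>6</level>` active-response blocks quoted above will not fire for it. OSSEC's rule syntax documents that a composite rule triggers on two more matches than the `frequency` value, so set the attribute accordingly and restart OSSEC on the server after editing.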