On Thu, Mar 16, 2017 at 7:11 AM, Martin <martin...@gmail.com> wrote:
> Hello,
>
> Thank you for your answer.
>
> I modified the Active-Response in the file /var/ossec/etc/ossec.conf to look
> like this;
>
> <!-- Active Response Config -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for  600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>all</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
>
> Then I added the following in /var/ossec/rules/local_rules.xml
>
> <group name="syslog,sshd,">
>
>
>    <rule id="5712" level="10" frequency="3" timeframe="120" ignore="60" overwrite="yes">
>     <if_matched_sid>5710</if_matched_sid>
>     <description>SSHD brute force trying to get access to </description>
>     <description>the system.</description>
>     <same_source_ip />
>     <group>authentication_failures,</group>
>   </rule>
>
>
>   <rule id="5720" level="10" frequency="3" overwrite="yes">
>     <if_matched_sid>5716</if_matched_sid>
>     <same_source_ip />
>     <description>Multiple SSHD authentication failures.</description>
>     <group>authentication_failures,</group>
>   </rule>
>
>
> </group>
>
> and finally restarted ossec-control, but it ain't working. I can still try
> to log in after 6 attempts..
>

Do 5712 and 5720 trigger? Are there any related logs in
active-response.log on an agent?
Is ossec-execd running on that agent?
If you run firewall-drop manually, does it work?

> On Wednesday, March 15, 2017 at 19:01:37 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Mar 15, 2017 at 7:25 AM, Martin <mart...@gmail.com> wrote:
>> > Hello,
>> >
>> > First, I'm sorry if the question has already been asked.
>> >
>> > So what I'm trying to achieve is this:
>> >
>> > If someone fails to log in too many times on one of my agents, I want this
>> > IP to be dropped on all other agents and the server.
>> >
>> > Same goes the other way around: if someone tries on the server, I want it
>> > to be dropped on the server and all the agents.
>> >
>> > I tried to edit the file ossec.conf on the server and put 'all' instead
>> > of 'local'
>> >
>> >
>> > <!-- Active Response Config -->
>> >   <active-response>
>> >     <!-- This response is going to execute the host-deny
>> >        - command for every event that fires a rule with
>> >        - level (severity) >= 6.
>> >        - The IP is going to be blocked for  600 seconds.
>> >       -->
>> >     <command>host-deny</command>
>> >     <location>all</location>
>> >     <level>6</level>
>> >     <timeout>600</timeout>
>> >   </active-response>
>> >
>> >
>> >   <active-response>
>> >     <!-- Firewall Drop response. Block the IP for
>> >        - 600 seconds on the firewall (iptables,
>> >        - ipfilter, etc).
>> >       -->
>> >     <command>firewall-drop</command>
>> >     <location>all</location>
>> >     <level>6</level>
>> >     <timeout>600</timeout>
>> >   </active-response>
>> >
>> > If I want to edit the number of failed SSH attempts, which file do I
>> > have to edit? /var/ossec/rules/sshd_rules.xml?
>> >
>>
>> You can copy the rule you want to modify to local_rules.xml, and add:
>> overwrite="yes"
>> to the "<rule" line.
>>
>> >
>> > Thanks for your help,
>> > Best regards.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>

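An added check for the second of the questions above (is anything being written to the active-response log on the agent, and does the 600 second timeout actually release the block?). This is example code written for this thread, not part of the OSSEC project and not posted by either participant. It assumes the record format the stock response scripts append to their log, one line per invocation: the output of `date`, the script path, then the arguments execd passes (`add`/`delete`, user, IP, alert id, rule id). The log lines below are constructed, not taken from any real host.

```python
import re
from datetime import datetime

# Month names as printed by `date`, which the stock response scripts use
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "Thu Mar 16 07:05:10 UTC 2017". The timezone token is matched but ignored,
# on the assumption that one log file comes from one host (assumption).
DATE_RE = re.compile(
    r"^\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+\S+\s+(\d{4})$")

# Assumed record: <date> <script> <action> <user> <ip> <alert_id> <rule_id>
LINE_RE = re.compile(
    r"^(?P<date>.+?)\s+(?P<script>/\S+)\s+(?P<action>add|delete)\s+"
    r"(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<alert_id>\d+\.\d+)\s+(?P<rule_id>\d+)\s*$")


def parse_line(line):
    """Return a dict for one response-script invocation line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = DATE_RE.match(m.group("date"))
    if not d:
        return None
    mon, day, hh, mm, ss, year = d.groups()
    return {
        "when": datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss)),
        "script": m.group("script").rsplit("/", 1)[-1],   # e.g. firewall-drop.sh
        "action": m.group("action"),
        "ip": m.group("ip"),
        "alert_id": m.group("alert_id"),
        "rule_id": int(m.group("rule_id")),
    }


def audit(lines, timeout=600, slack=30):
    """Pair every 'add' with its 'delete' and report what does not line up.

    Returns {"fired": {rule_id: number of adds},
             "held": [(ip, script, seconds blocked)],
             "issues": [(kind, ip, script)]}.
    """
    pending = {}        # (script, ip, alert_id) -> the 'add' record
    fired = {}          # rule_id -> how many times it triggered a block
    held = []
    issues = []
    last_seen = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue    # execd chatter or a line in another format
        last_seen = rec["when"]
        key = (rec["script"], rec["ip"], rec["alert_id"])
        if rec["action"] == "add":
            fired[rec["rule_id"]] = fired.get(rec["rule_id"], 0) + 1
            pending[key] = rec
            continue
        added = pending.pop(key, None)
        if added is None:
            issues.append(("delete_without_add", rec["ip"], rec["script"]))
            continue
        seconds = (rec["when"] - added["when"]).total_seconds()
        held.append((rec["ip"], rec["script"], seconds))
        if abs(seconds - timeout) > slack:
            issues.append(("unexpected_hold_time", rec["ip"], rec["script"]))
    # A block still open well past the configured timeout was never released;
    # one added within the last `timeout` seconds is simply still in force.
    for (script, ip, _), rec in pending.items():
        if last_seen and (last_seen - rec["when"]).total_seconds() > timeout + slack:
            issues.append(("never_released", ip, script))
    return {"fired": fired, "held": held, "issues": issues}


# Constructed sample log (RFC 5737 documentation addresses, made-up alert ids)
SAMPLE_LOG = """\
Thu Mar 16 07:05:10 UTC 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.7 1489647910.1 5712
Thu Mar 16 07:05:10 UTC 2017 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.7 1489647910.1 5712
Thu Mar 16 07:15:10 UTC 2017 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.7 1489647910.1 5712
Thu Mar 16 07:15:10 UTC 2017 /var/ossec/active-response/bin/host-deny.sh delete - 203.0.113.7 1489647910.1 5712
Thu Mar 16 07:20:00 UTC 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.23 1489648800.4 5720
Thu Mar 16 07:30:00 UTC 2017 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.44 1489649400.9 5712
Thu Mar 16 07:38:00 UTC 2017 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.44 1489649400.9 5712
Thu Mar 16 07:40:00 UTC 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1489650000.2 5712
""".splitlines()

if __name__ == "__main__":
    for k, v in audit(SAMPLE_LOG).items():
        print(k, v)
```

Run it against the real file (on a default install that is under /var/ossec/logs/) with `audit(open(path).readlines())`. An empty `fired` table while failed logins keep arriving points at the rules or at execd not running on that agent, not at the firewall script; a block that is never released points at the timeout handling or at the `delete` branch of the script.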