Can you please provide the rule? I am also having the same issue; I need to block the user after failed attempts. Please help.

On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>
> Hi all,
>
> Forgive me if this has been covered somewhere, but I haven't come
> across it.
>
> Is there a way to have OSSEC Active Response block a particular user
> from logging in? I don't care about thresholds or # of attempts. If I
> see, 'root' for instance, attempting to logon to a server at all, can
> OSSEC match on that and drop that username and source IP immediately?
>
> Additionally, one question on timeouts. Is the <timeout> flag in
> seconds or in minutes? If so, I tried setting "<timeout>1</timeout>"
> but it took 54 seconds to delete from the firewall-drop.sh script. If
> it is in fact in minutes, how would I set it up to unblock in seconds?
> Otherwise, if the flag should be seconds, is there a reason why it
> would take 54 seconds to respond when I set the timeout to 1 second. I
> know this doesn't make much sense (in terms of setting to 1 second)
> but I tested with 5 and even 30 seconds and it still took a minute to
> unblock.
>
> Thanks in advance!
>